|
| 1 | +# Secret Provider |
| 2 | + |
| 3 | +This module provides an example implementation of the `SecretProvider` interface, which allows for the use of stored |
| 4 | +secrets by Ignition. It is backed by a MongoDB backend, and the secrets are expected to be stored in the MongoDB |
| 5 | +database as the JSON returned from `SystemEncryptionService.entryToJson(Plaintext)`. |
| 6 | + |
| 7 | +In a production environment, you may want to use the MongoDB Connector module, but for simplicity, this module uses the |
| 8 | +MongoDB Java driver directly. This allows for easy testing without the need to add another module to Ignition. |
| 9 | + |
| 10 | +This implementation is set up for easy testing, and the default configuration should connect to a local, unsecured |
| 11 | +MongoDB. To start one in a Docker container, run: |
| 12 | + |
| 13 | +```bash |
| 14 | +docker run -d -p 27017:27017 --rm --name insecure-mongo mongo |
| 15 | +``` |
| 16 | + |
| 17 | +Should you wish to start a MongoDB instance requiring authentication, you can use the following command. Remember |
| 18 | +to replace `admin` and `secret` with your desired username and password and configure your secret provider to use these |
| 19 | +credentials. |
| 20 | + |
| 21 | +```bash |
| 22 | +docker run -d -p 27017:27017 --rm --name secure-mongo \ |
| 23 | + -e MONGO_INITDB_ROOT_USERNAME=admin \ |
| 24 | + -e MONGO_INITDB_ROOT_PASSWORD=secret \ |
| 25 | + mongo |
| 26 | +``` |
| 27 | + |
| 28 | +## Adding Secrets to MongoDB |
| 29 | + |
| 30 | +Since there is currently no write method for SecretProvider, you will need to populate the database with secrets |
| 31 | +manually. |
| 32 | + |
| 33 | +### Encrypting Secrets |
| 34 | +First, generate a secret calling the Ignition system encryption REST API. Your API token will need to have Gateway |
| 35 | +write permissions, and you will need to replace `password` with the secret you want to encrypt. |
| 36 | + |
| 37 | +```bash |
| 38 | +curl -s -H "Content-Type: text/plain" -H "X-Ignition-API-Token: ${API_TOKEN}" \ |
| 39 | + http://localhost:8088/data/api/v1/encryption/encrypt -d password | json_pp |
| 40 | +``` |
| 41 | + |
| 42 | +Which will result in a response similar to the following: |
| 43 | + |
| 44 | +```json |
| 45 | +{ |
| 46 | + "ciphertext" : "NhkoviQxLsUZ2g", |
| 47 | + "encrypted_key" : "fYxDhnE_nKXiWGwGBJVaEWhojeg7duY3Y3G4dF89sKdjuf5iiX2nKw", |
| 48 | + "iv" : "TTGQPncN-rlf70Bq", |
| 49 | + "protected" : "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIiwiaWF0IjoxNzU1NjM0NDg3LCJ6aXAiOiJERUYifQ", |
| 50 | + "tag" : "sMU9-vhCyWHxLCH190eQ3A" |
| 51 | +} |
| 52 | +``` |
| 53 | + |
| 54 | +### Inserting Secrets into MongoDB |
| 55 | + |
| 56 | +Next, you will need to insert the encrypted secret into the MongoDB database using Mongo shell or a MongoDB client: |
| 57 | + |
| 58 | +```bash |
| 59 | +mongosh mongodb://localhost:27017/secrets_db |
| 60 | +``` |
| 61 | + |
| 62 | +or if you are using a secure MongoDB instance with authentication: |
| 63 | + |
| 64 | +```bash |
| 65 | +mongosh mongodb://localhost:27017/secrets_db -u admin -p password --authenticationDatabase admin |
| 66 | +``` |
| 67 | + |
| 68 | +Press `Enter` to connect to the database, then run the following command to insert the secret, replacing the |
| 69 | +`secretname` with the name of your secret and the `ciphertext` with the actual ciphertext generated by the Ignition |
| 70 | +REST API: |
| 71 | + |
| 72 | +```javascript |
| 73 | +secrets_db> db.mycollection.insertOne({ |
| 74 | + "name": "secretname", |
| 75 | + "ciphertext": { |
| 76 | + "ciphertext" : "NhkoviQxLsUZ2g", |
| 77 | + "encrypted_key" : "fYxDhnE_nKXiWGwGBJVaEWhojeg7duY3Y3G4dF89sKdjuf5iiX2nKw", |
| 78 | + "iv" : "TTGQPncN-rlf70Bq", |
| 79 | + "protected" : "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIiwiaWF0IjoxNzU1NjM0NDg3LCJ6aXAiOiJERUYifQ", |
| 80 | + "tag" : "sMU9-vhCyWHxLCH190eQ3A" |
| 81 | + } |
| 82 | + }) |
| 83 | +``` |
0 commit comments