diff --git a/java/google/registry/proxy/BUILD b/java/google/registry/proxy/BUILD index 28ab60bdd..c3cecd8b8 100644 --- a/java/google/registry/proxy/BUILD +++ b/java/google/registry/proxy/BUILD @@ -27,6 +27,7 @@ java_library( "@com_google_api_client", "@com_google_apis_google_api_services_cloudkms", "@com_google_apis_google_api_services_monitoring", + "@com_google_apis_google_api_services_storage", "@com_google_auto_value", "@com_google_code_findbugs_jsr305", "@com_google_dagger", diff --git a/java/google/registry/proxy/ProxyConfig.java b/java/google/registry/proxy/ProxyConfig.java index 197923644..3a09d4427 100644 --- a/java/google/registry/proxy/ProxyConfig.java +++ b/java/google/registry/proxy/ProxyConfig.java @@ -37,7 +37,7 @@ public class ProxyConfig { public List gcpScopes; public int accessTokenValidPeriodSeconds; public int accessTokenRefreshBeforeExpirySeconds; - public String sslPemFilename; + public Gcs gcs; public Kms kms; public Epp epp; public Whois whois; @@ -45,6 +45,12 @@ public class ProxyConfig { public HttpsRelay httpsRelay; public Metrics metrics; + /** Configuration options that apply to GCS. */ + public static class Gcs { + public String bucket; + public String sslPemFilename; + } + /** Configuration options that apply to Cloud KMS. */ public static class Kms { public String location; diff --git a/java/google/registry/proxy/ProxyModule.java b/java/google/registry/proxy/ProxyModule.java index a8964ec52..ab8c51120 100644 --- a/java/google/registry/proxy/ProxyModule.java +++ b/java/google/registry/proxy/ProxyModule.java @@ -16,7 +16,6 @@ package google.registry.proxy; import static com.google.common.base.Suppliers.memoizeWithExpiration; import static google.registry.proxy.ProxyConfig.getProxyConfig; -import static google.registry.util.ResourceUtils.readResourceBytes; import static java.util.concurrent.TimeUnit.SECONDS; import com.beust.jcommander.JCommander; @@ -26,6 +25,7 @@ import com.google.api.client.googleapis.auth.oauth2.GoogleCredential; import com.google.api.client.googleapis.util.Utils; import com.google.api.services.cloudkms.v1.CloudKMS; import com.google.api.services.cloudkms.v1.model.DecryptRequest; +import com.google.api.services.storage.Storage; import com.google.common.collect.ImmutableMap; import com.google.common.collect.Maps; import com.google.monitoring.metrics.MetricReporter; @@ -44,6 +44,7 @@ import io.netty.handler.logging.LogLevel; import io.netty.handler.logging.LoggingHandler; import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslProvider; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.Arrays; import java.util.Optional; @@ -218,14 +219,32 @@ public class ProxyModule { .build(); } + @Singleton + @Provides + static Storage provideStorage(GoogleCredential credential, ProxyConfig config) { + return new Storage.Builder( + Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential) + .setApplicationName(config.projectId) + .build(); + } + @Singleton @Provides @Named("encryptedPemBytes") - static byte[] provideEncryptedPemBytes(ProxyConfig config) { + static byte[] provideEncryptedPemBytes(Storage storage, ProxyConfig config) { try { - return readResourceBytes(ProxyModule.class, "resources/" + config.sslPemFilename).read(); + ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); + storage + .objects() + .get(config.gcs.bucket, config.gcs.sslPemFilename) + .executeMediaAndDownloadTo(outputStream); + return outputStream.toByteArray(); } catch (IOException e) { - logger.severefmt(e, "Error reading encrypted PEM file: %s", config.sslPemFilename); + logger.severefmt( + e, + "Error reading encrypted PEM file %s from GCS bucket %s", + config.gcs.sslPemFilename, + config.gcs.bucket); throw new RuntimeException(e); } } diff --git a/java/google/registry/proxy/config/default-config.yaml b/java/google/registry/proxy/config/default-config.yaml index c64ce10f2..aaf5e0145 100644 --- a/java/google/registry/proxy/config/default-config.yaml +++ b/java/google/registry/proxy/config/default-config.yaml @@ -36,8 +36,11 @@ accessTokenValidPeriodSeconds: 1800 # com.google.api.client.auth.oauth2.Credential#intercept. accessTokenRefreshBeforeExpirySeconds: 60 -# Name of the encrypted PEM file. -sslPemFilename: your-ssl.pem +gcs: + # GCS bucket that stores the encrypted PEM file. + bucket: your-gcs-bucket + # Name of the encrypted PEM file. + sslPemFilename: your-pem-filename # Strings used to construct the KMS crypto key URL. # See: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys diff --git a/java/google/registry/proxy/terraform/example_config.tf b/java/google/registry/proxy/terraform/example_config.tf index 898aa0c88..29fd94634 100644 --- a/java/google/registry/proxy/terraform/example_config.tf +++ b/java/google/registry/proxy/terraform/example_config.tf @@ -7,11 +7,12 @@ terraform { } module "proxy" { - source = "../../modules" - proxy_project_name = "YOUR_PROXY_PROJECT" - nomulus_project_name = "YOUR_NOMULUS_GPROJECT" - gcr_project_name = "YOUR_GCR_PROJECT" - proxy_domain_name = "YOUR_PROXY_DOMAIN" + source = "../../modules" + proxy_project_name = "YOUR_PROXY_PROJECT" + nomulus_project_name = "YOUR_NOMULUS_GPROJECT" + gcr_project_name = "YOUR_GCR_PROJECT" + proxy_domain_name = "YOUR_PROXY_DOMAIN" + proxy_certificate_bucket = "YOU_CERTIFICATE_BUCKET" } output "proxy_service_account_client_id" { diff --git a/java/google/registry/proxy/terraform/modules/gcs.tf b/java/google/registry/proxy/terraform/modules/gcs.tf new file mode 100644 index 000000000..808a015a3 --- /dev/null +++ b/java/google/registry/proxy/terraform/modules/gcs.tf @@ -0,0 +1,10 @@ +resource "google_storage_bucket" "proxy_certificate" { + name = "${var.proxy_certificate_bucket}" + storage_class = "MULTI_REGIONAL" +} + +resource "google_storage_bucket_iam_member" "member" { + bucket = "${google_storage_bucket.proxy_certificate.name}" + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.proxy_service_account.email}" +} diff --git a/java/google/registry/proxy/terraform/modules/input.tf b/java/google/registry/proxy/terraform/modules/input.tf index d1a49f81a..102dc54b3 100644 --- a/java/google/registry/proxy/terraform/modules/input.tf +++ b/java/google/registry/proxy/terraform/modules/input.tf @@ -10,6 +10,9 @@ variable "gcr_project_name" {} # The base domain name of the proxy, without the whois. or epp. part. variable "proxy_domain_name" {} +# The GCS bucket that stores the encrypted SSL certificate. +variable "proxy_certificate_bucket" {} + # Cloud KMS keyring name variable "proxy_key_ring" { default = "proxy-key-ring"