Read GCP proxy EPP SSL secret from GCS

This allows us to not ship the proxy with certificates/private keys. The secret is still encrypted by KMS. Reading the secret only happens once when the first EPP request comes in, which should not incur any tangible performance penalty. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=191771680
2025-08-05 09:21:49 +02:00 · 2018-04-05 11:28:58 -07:00 · 2018-04-05 11:28:58 -07:00 · 983bd27ee0
commit 983bd27ee0
parent 18a145eef1
7 changed files with 55 additions and 12 deletions
--- a/java/google/registry/proxy/config/default-config.yaml
+++ b/java/google/registry/proxy/config/default-config.yaml
@ -36,8 +36,11 @@ accessTokenValidPeriodSeconds: 1800
 # com.google.api.client.auth.oauth2.Credential#intercept.
 accessTokenRefreshBeforeExpirySeconds: 60

-# Name of the encrypted PEM file.
-sslPemFilename: your-ssl.pem
+gcs:
+  # GCS bucket that stores the encrypted PEM file.
+  bucket: your-gcs-bucket
+  # Name of the encrypted PEM file.
+  sslPemFilename: your-pem-filename

 # Strings used to construct the KMS crypto key URL.
 # See: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys