Update proxy setup doc

Include information on how to upload an encrypted key/cert combo to GCS

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=191782955
jianglai 2018-04-05 12:46:55 -07:00 committed by Ben McIlwain
parent 983bd27ee0
commit e5c0a85b3b


@ -177,8 +177,12 @@ $ gcloud kms encrypt --plaintext-file <combined_secret.pem> \
--key <key-name> --keyring <keyring-name> --location global --key <key-name> --keyring <keyring-name> --location global
``` ```
Place the encrypted file <combined_secret.pem.enc> to This encrypted file is then uploaded to a GCS bucket specified in the
`java/google/registry/proxy/resources`. `config.tf` file.
```bash
$ gsutil cp <combined_secret.pem.enc> gs://<your-gcs-bucket>
```
### Edit proxy config file ### Edit proxy config file
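Review bot: The bucket placeholder in this hunk (`gs://<your-gcs-bucket>`) differs from the `<bucket-name>` placeholder used in the later upload and IAM sections, and the prose says the bucket is "specified in the `config.tf` file" without saying the two must match. Suggest using one placeholder throughout and stating explicitly that the bucket named in the `gsutil cp` command is the same bucket the proxy config points at, otherwise a reader can upload to one bucket and configure another.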
@ -189,8 +193,9 @@ Nomulus environments. The values specified in the environment-specific file
override those in the default file. override those in the default file.
The values that need to be changed include the project name, the Nomulus The values that need to be changed include the project name, the Nomulus
endpoint, encrypted certificate/key combo filename, Cloud KMS keyring and key endpoint, encrypted certificate/key combo filename and the GCS bucket it is
names, etc. Refer to the default file for detailed descriptions on each field. stored in, Cloud KMS keyring and key names, etc. Refer to the default file for
detailed descriptions on each field.
### Upload proxy docker image to GCR ### Upload proxy docker image to GCR
@ -375,9 +380,13 @@ $ gcloud kms encrypt --plaintext-file ssl-cert-key.pem \
--key <key-name> --keyring <keyring-name> --location global --key <key-name> --keyring <keyring-name> --location global
``` ```
A file named `ssl-cert-key.pem.enc` will be created; move it to A file named `ssl-cert-key.pem.enc` will be created. Upload it to a GCS bucket
`java/google/registry/proxy/resources/` so that it will be packaged with the in the proxy project. To create a bucket and upload the file:
proxy.
```bash
$ gsutil mb -p <proxy-project> gs://<bucket-name>
$ gustil cp ssl-cert-key.pem.enc gs://<bucket-name>
```
The proxy service account needs the "Cloud KMS CryptoKey Decrypter" role to The proxy service account needs the "Cloud KMS CryptoKey Decrypter" role to
decrypt the file using Cloud KMS: decrypt the file using Cloud KMS:
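Review bot: Typo in the second command of the new code block: `$ gustil cp ssl-cert-key.pem.enc gs://<bucket-name>` should read `$ gsutil cp ssl-cert-key.pem.enc gs://<bucket-name>`; as written the copy-pasted command fails. Also, since this hunk removes the instruction to package the encrypted file with the proxy, it would help to say that the bucket created with `gsutil mb -p <proxy-project>` is meant to hold only this secret material and should stay private, so that the read access granted later is scoped as narrowly as possible.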
@ -388,6 +397,15 @@ $ gcloud projects add-iam-policy-binding <project-id> \
--role roles/cloudkms.cryptoKeyDecrypter --role roles/cloudkms.cryptoKeyDecrypter
``` ```
The service account also needs the "Storage Object Viewer" role to retrieve the
encrypted file from GCS:
```bash
$ gsutil iam ch \
serviceAccount:<service-account-email>:roles/storage.objectViewer \
gs://<bucket-name>
```
### Proxy configuration ### Proxy configuration
Proxy configuration files are at `java/google/registry/proxy/config/`. There is Proxy configuration files are at `java/google/registry/proxy/config/`. There is
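Review bot: The `gsutil iam ch serviceAccount:<service-account-email>:roles/storage.objectViewer gs://<bucket-name>` binding grants the proxy service account read access to every object in the bucket, not just `ssl-cert-key.pem.enc`. Worth stating in the prose that the bucket should be dedicated to the proxy's encrypted secret (or that the reader should not reuse a bucket holding other data) so the "Storage Object Viewer" grant stays least-privilege, matching the narrowly scoped `roles/cloudkms.cryptoKeyDecrypter` binding in the block above it.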