Secretless Configuration
Secretless Broker relies on its configuration to determine the target services it connects to and how it should retrieve the access credentials to authenticate with those services.
Your Secretless Broker configuration file begins with a version and a list of services:
```yaml
version: "2"
services:
  service-1:
    ...
```
Each individual service definition provides Secretless Broker with the information it needs to connect to a given target service. Specifically, Secretless needs to know:
- The protocol used by the target service.
- Where to listen for new connection requests.
- Where to get credentials for incoming connections.
- The location of the target service (e.g., where to send requests).
Secretless Broker uses the protocol given in the service configuration to determine which service connector should process the connection request. Secretless retrieves any required credentials, revises the connection request to inject the valid authentication credentials, negotiates the authentication handshake with the target service, and then transparently streams data between the client and service.
Secretless must itself be configured to authenticate with any credential providers referenced in its configuration. For example, if Secretless will be retrieving credentials from a vault, the Secretless application must itself be able to authenticate with the vault and must be authorized to retrieve the necessary credentials; grant it read access to only the secrets its service definitions reference. For more information on how this works in practice, review the documentation for the individual Secret Providers.
To understand better what the service definition looks like in practice, let's look at a sample Secretless Broker configuration and discuss the components. Additional examples are available at the bottom of the page and throughout the documentation.
```yaml
version: "2"
services:
  postgres-db:
    connector: pg
    listenOn: tcp://0.0.0.0:5432   # listenOn also accepts a unix:// socket path
    credentials:
      host: postgres.my-service.internal
      port: 5432
      password:
        from: conjur
        get: id-of-secret-in-conjur
      username:
        from: env
        get: username
    config:                        # this section is usually blank
      optionalStuff: foo
```
In this sample, Secretless Broker is configured to connect to a service named postgres-db. Secretless listens for client connections on TCP port 5432 on all interfaces (0.0.0.0); a client on the same host reaches it at localhost:5432. The connector is pg, which indicates that the PostgreSQL service connector should process requests that come in via this port. The credentials for this connection are retrieved from multiple sources: the host and port of the target database are given as literal values, the password is retrieved from the Conjur variable with ID id-of-secret-in-conjur, and the username is retrieved from the environment variable named username. Note that Secretless does not authenticate the clients that connect to it: any client that can reach the listener receives a connection authenticated with the injected credentials. Bind the listener to localhost or a Unix socket unless the network already isolates it, for example when Secretless runs as a sidecar inside a pod.
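The structural rules above are simple enough to check mechanically before a configuration is deployed. The following lint is added here as an example and is not part of Secretless Broker or its documentation. It loads a configuration with Ruby's standard yaml library, verifies the version, the per-service connector, listenOn and credentials fields, and the from/get shape of each credential, and warns about two mistakes that are easy to make: a tcp listener bound to 0.0.0.0 (Secretless does not authenticate its clients) and environment variable names that look swapped between username and password. The embedded configuration is constructed for the example, the provider allowlist lists only the providers this lint knows about, and the finding format is the lint's own.

```ruby
require 'yaml'

# Constructed sample configuration (not from the Secretless docs): a quickstart-style
# pg service with its environment variable names swapped on purpose, plus an ssh
# service that forgot its connector, so the lint has something to report.
SAMPLE_CONFIG = <<~YAML
  version: "2"
  services:
    pg_tcp:
      connector: pg
      listenOn: tcp://0.0.0.0:5454
      credentials:
        host: localhost
        port: 5432
        password:
          from: env
          get: QUICKSTART_USERNAME
        username:
          from: env
          get: QUICKSTART_PASSWORD
    ssh:
      listenOn: unix:///sock/ssh.sock
      credentials:
        address: localhost
        user: user
        privateKey:
          from: env
          get: SSH_PRIVATE_KEY
YAML

# Providers this lint accepts in a "from:" field; extend it for others your deployment uses.
KNOWN_PROVIDERS = %w[env file literal conjur vault keychain kubernetes].freeze
# listenOn is either tcp://<host>:<port> or unix://<socket path>.
LISTEN_ON = %r{\A(tcp://[^/\s]+:\d{1,5}|unix://\S+)\z}
# Credential field => substring that, found in the env var name, suggests a swap.
SWAP_HINTS = { "password" => "USER", "username" => "PASS", "user" => "PASS" }.freeze

def finding(severity, service, message)
  { severity: severity, service: service, message: message }
end

# Returns an array of findings ({severity:, service:, message:}); empty means clean.
def lint_secretless_config(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  return [finding(:error, nil, "top-level document must be a mapping")] unless cfg.is_a?(Hash)
  findings = []
  findings << finding(:error, nil, "version must be \"2\"") unless cfg["version"].to_s == "2"
  services = cfg["services"]
  return findings << finding(:error, nil, "services must be a mapping") unless services.is_a?(Hash)
  services.each { |name, svc| findings.concat(lint_service(name, svc)) }
  findings
end

def lint_service(name, svc)
  return [finding(:error, name, "service definition must be a mapping")] unless svc.is_a?(Hash)
  f = []
  connector = svc["connector"]
  f << finding(:error, name, "missing connector") unless connector.is_a?(String) && !connector.empty?
  listen = svc["listenOn"]
  if !listen.is_a?(String) || listen !~ LISTEN_ON
    f << finding(:error, name, "listenOn must be tcp://<host>:<port> or unix://<path>, got #{listen.inspect}")
  elsif listen.start_with?("tcp://0.0.0.0:")
    # Secretless does not authenticate its clients: whoever can reach the port
    # is handed a connection already authenticated to the target service.
    f << finding(:warning, name, "#{listen} is reachable from every interface; bind to localhost or a socket unless the network isolates it")
  end
  creds = svc["credentials"]
  return f << finding(:error, name, "missing credentials mapping") unless creds.is_a?(Hash)
  creds.each { |key, value| f.concat(lint_credential(name, key, value)) }
  f
end

def lint_credential(service, key, value)
  case value
  when String, Integer
    [] # inline literal, e.g. host: localhost or port: 5432
  when Hash
    from, get = value["from"], value["get"]
    f = []
    f << finding(:error, service, "#{key}: unknown provider #{from.inspect}") unless KNOWN_PROVIDERS.include?(from)
    f << finding(:error, service, "#{key}: missing get") unless get.is_a?(String) && !get.empty?
    f.concat(swap_check(service, key, get)) if from == "env" && get.is_a?(String)
    f
  else
    [finding(:error, service, "#{key}: must be a literal or a from/get mapping")]
  end
end

# Heuristic: a password read from ..._USERNAME (or a username from ..._PASSWORD) is
# almost always a copy-paste swap, and Secretless will happily inject the wrong value.
def swap_check(service, key, var)
  hint = SWAP_HINTS[key.to_s]
  return [] unless hint && var.upcase.include?(hint)
  [finding(:warning, service, "#{key} is read from #{var}; check the variable names are not swapped")]
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CONFIG
  lint_secretless_config(source).each do |f|
    puts "#{f[:severity].to_s.upcase} #{f[:service] || '(top level)'}: #{f[:message]}"
  end
end
```

Run it with the path to a secretless.yml as the first argument, or with no arguments to lint the embedded sample, which reports one error (the ssh service has no connector) and three warnings (the all-interfaces listener and the two swapped variable names). Treat any ERROR line as a failed check in CI; the warnings are judgement calls that depend on where Secretless is deployed.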
Additional Examples
In the examples below, we share the Secretless configurations used in the Secretless Quick Demo. For ease of understanding, we've broken them up into three separate configurations. In practice, you can configure Secretless Broker to handle as many types of connections as you need; the last example below is the combined configuration we used to build the quick start Docker image, which handles all three connection types at once.
```yaml
version: "2"
services:
  pg_tcp:
    connector: pg
    listenOn: tcp://0.0.0.0:5454
    credentials:
      host: localhost
      port: 5432
      password:
        from: env
        get: QUICKSTART_PASSWORD
      username:
        from: env
        get: QUICKSTART_USERNAME
```
```yaml
version: "2"
services:
  ssh:
    connector: ssh
    listenOn: tcp://0.0.0.0:2222
    credentials:
      address: "localhost"
      user: "user"
      privateKey:
        from: env
        get: SSH_PRIVATE_KEY
```
```yaml
version: "2"
services:
  http_basic_auth:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8081
    credentials:
      username:
        from: env
        get: BASIC_AUTH_USERNAME
      password:
        from: env
        get: BASIC_AUTH_PASSWORD
    config:
      authenticateURLsMatching:
        - ^http\:\/\/quickstart\/
        - ^http\:\/\/localhost.*
```
```yaml
version: "2"
services:
  pg_tcp:
    connector: pg
    listenOn: tcp://0.0.0.0:5454
    credentials:
      host: "localhost"
      port: 5432
      password:
        from: env
        get: QUICKSTART_PASSWORD
      username:
        from: env
        get: QUICKSTART_USERNAME
  ssh:
    connector: ssh
    listenOn: tcp://0.0.0.0:2222
    credentials:
      address: "localhost"
      user: "user"
      privateKey:
        from: env
        get: SSH_PRIVATE_KEY
  http_basic_auth:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8081
    credentials:
      username:
        from: env
        get: BASIC_AUTH_USERNAME
      password:
        from: env
        get: BASIC_AUTH_PASSWORD
    config:
      authenticateURLsMatching:
        - ^http\:\/\/quickstart\/
        - ^http\:\/\/localhost.*
```
Supplying Secretless Broker with its Configuration
The Secretless Configuration Managers reference provides more information about how to supply Secretless Broker with its configuration in practice.