Build and Secure Secretless Connector Plugins
After you've created a plugin, the next step is to build your plugin as a shared object library (.so) file before deploying it to your environment.
It is strongly recommended that you secure your plugin before it is deployed. See Secure your plugin below for detailed instructions.
Build the shared library file
To build a shared object library (.so) file, run the following command:
go build -buildmode=plugin -o=/path/to/plugins/my-plugin.so /path/to/my/plugin/files/
where /path/to/plugins/ is the directory where you store plugin .so files, /path/to/my/plugin/files/ is the directory containing your plugin package files, and my-plugin.so is the name of the output shared library file for your plugin.
This compiles your plugin code into a .so file, which is self-contained and includes any dependencies that you imported. For more information, see the instructions for building Go Plugins.
Secure your plugin
Plugins can optionally be secured with a checksum file to prevent injection attacks. It is strongly recommended that all production deployments use this feature.
When enabled, a checksum file covering the plugins is provided to the Secretless Broker so that the expected versus actual number of plugins can be verified. The checksums also ensure that plugins have not been modified.
With checksum validation in place, any unexpected new plugin or any plugin with modified content prevents Secretless Broker from starting. This ensures that no malicious or corrupt libraries are loaded.
Generate a SHA-256 checksum file
Generate a SHA-256 checksum file for your plugins using the appropriate tool for your distribution. For example, on Linux you might run:
sha256sum /path/to/plugins/* > PLUGINS_SHA256SUM.txt
Running this command creates an output file with a line for each plugin:
$ cat PLUGINS_SHA256SUM.txt
f9d84907d77df62017944cb23cab66305e94ee6ae6c1126415b81cc5e999bdd0 sample-plugin1.so
e0819a34d21403d531e2981306402870e2ebf7029605f2fc2a5d3ae160b004fa sample-plugin2.so
Once you have the checksum file, you can provide it to Secretless on startup using the -s flag:
./secretless-broker -p /path/to/plugins/ -s PLUGINS_SHA256SUM.txt
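The checks described above (no unexpected plugin, no missing plugin, no modified content) can also be run ahead of deployment, for example as a CI gate. The following Go program is an added example, not Secretless Broker's own verification code; the function name verifyPlugins and its error messages are hypothetical, and it assumes sha256sum-format lines, file names without spaces, and matching on file base names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// verifyPlugins fails closed if any file in dir is unlisted or modified, or if a
// listed plugin is absent. Assumes sha256sum-format lines, no spaces in names.
func verifyPlugins(dir, manifest string) error {
	raw, err1 := os.ReadFile(manifest)
	entries, err2 := os.ReadDir(dir)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("cannot read inputs: %v, %v", err1, err2)
	}
	want := map[string]string{} // plugin file name -> expected hex digest
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed checksum line %q", line)
		}
		want[filepath.Base(strings.TrimPrefix(fields[1], "*"))] = strings.ToLower(fields[0])
	}
	for _, e := range entries {
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		sum := sha256.Sum256(data)
		if exp, ok := want[e.Name()]; !ok {
			return fmt.Errorf("unexpected plugin %s", e.Name())
		} else if err != nil || hex.EncodeToString(sum[:]) != exp {
			return fmt.Errorf("plugin %s is unreadable or modified", e.Name())
		}
		delete(want, e.Name())
	}
	if len(want) > 0 {
		return fmt.Errorf("%d listed plugin(s) missing from %s", len(want), dir)
	}
	return nil
}

func main() {
	// Placeholder paths from this page; substitute your own.
	if err := verifyPlugins("/path/to/plugins/", "PLUGINS_SHA256SUM.txt"); err != nil {
		fmt.Fprintln(os.Stderr, "plugin verification failed:", err)
		os.Exit(1)
	}
}
```

Replace the placeholder paths in main with the values you pass to -p and -s; a non-zero exit status means the plugin directory no longer matches the checksum file.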
See also
Test Secretless Connector Plugins