This is a simple API driven "secret" store server written in Rust, backed by etcd. It is only for demonstration. It is intentionally insecure in various places and has an extremely naive implementation. Secrets are stored in plain text, and there is no built-in request limiting to prevent brute force.
This app exports various application access and security heuristics via Prometheus endpoints and a Fluentd forwarder for analysis in future examples.
| Action | Verb | Path | Returns | Port |
|---|---|---|---|---|
| Login (Basic Auth Header) | GET | /login | token | 3000 |
| Get secret | GET | /get/{name}?token={token} | secret value | 3000 |
| Set secret | POST | /set/{name}/{value}?token={token} | secret hash | 3000 |
| Metrics | GET | /metrics | metrics | 3001 |
| Variable | Default | Description |
|---|---|---|
| ETCD_CLUSTER_MEMBERS | http://localhost:2379 | Colon seperated list of ectd members |
| FLUENTD_FORWARD_ADDR | 127.0.0.1:24224 | TCP address of fluentd to foward logs |
| TOKEN_EXPIRATION_SECS | 600 | After how long do session tokens expire |
To build using local development environment:
cargo buildTo build Docker container, containing a SPIRE agent and Envoy proxy):
make serverTo build the demo environment, containing a 3 node etcd cluster, a SPIRE server, Prometheus and Fluentd:
make
make envAn etcd brower is available at http://localhost:8000/ in the demo environment to view secrets, session tokens, and users.
| Path | Mount | Description |
|---|---|---|
| ./server/envoy.yaml | /etc/envoy.yaml | Required. Envoy client configuration |
See docker-compose.yml for more details