Merge pull request #13 from CloudKrafter/data-encryption

Adding support for using custom encryption keys
CloudKrafter · Jan 16, 2025 · 0b127ac · 0b127ac
2 parents cd29af2 + 2e2cbcb
commit 0b127ac
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 0 deletions.
diff --git a/molecule/nexus_common_test_vars.yml b/molecule/nexus_common_test_vars.yml
@@ -24,6 +24,15 @@ nexus_backup_configure: true
 nexus_delete_default_repos: true
 nexus_delete_default_blobstore: true
 
+# Nexus encryption key
+nexus_encryption_keys:
+  - id: custom-key1
+    secret: some-encryption-key
+  - id: custom-key2
+    secret: another-encryption-key
+nexus_active_encryption_key_id: custom-key1
+nexus_encryption_key_file: /var/nexus/encryption-key.json
+
 nexus_blob_split: true
 
 nexus_config_maven: true

diff --git a/roles/nexus_oss/README.md b/roles/nexus_oss/README.md
@@ -28,6 +28,7 @@ _(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_
       * [General variables](#general-variables)
       * [Postgres Database](#postgres-database)
       * [Nexus HA Cluster](#nexus-ha-cluster)
+      * [Secrets Encryption](#secrets-encryption)
       * [Download dir for nexus package](#download-dir-for-nexus-package)
       * [Nexus port, context path and listening IP](#nexus-port-context-path-and-listening-ip)
       * [Nexus OS user and group](#nexus-os-user-and-group)
@@ -210,6 +211,26 @@ nexus_cluster_enabled: false
 
 Any new node/instance with the same postgres database credentials will automatically be added to the cluster.
 
+### Secrets Encryption
+With NXRM Pro, you can re-encrypt all stored secrets using your own encryption keys. Note that only one encryption key can be active at any given time.
+
+You can define new encryption keys side by side with existing ones and update the active key when you're ready to switch.
+
+Changing ANY these variables will trigger a reboot of the NXRM service!
+
+```yaml
+nexus_encryption_keys:
+  - id: custom-key1
+    secret: some-encryption-key
+  - id: custom-key2
+    secret: another-encryption-key
+nexus_active_encryption_key_id: custom-key1
+nexus_encryption_key_file: /var/nexus/encryption-key.json
+```
+The encryption settings, including keys and the active encryption key, will be stored in the JSON file specified by `nexus_encryption_key_file`. This file will be generated on the Nexus host.
+
+To avoid storing your encryption keys in source control, consider using Ansible Vault or, preferably, secret replacement in your CI/CD process.
+
 ### Download dir for nexus package
 ```yaml
     nexus_download_dir: '/tmp'

diff --git a/roles/nexus_oss/tasks/encrypt_nexus_data.yml b/roles/nexus_oss/tasks/encrypt_nexus_data.yml
@@ -0,0 +1,69 @@
+---
+- name: Create encryption config file from template
+  ansible.builtin.template:
+    src: "encryption-key.json.j2"
+    dest: "{{ nexus_encryption_key_file }}"
+    owner: "{{ nexus_os_user }}"
+    group: "{{ nexus_os_group }}"
+    mode: "0640"
+  notify:
+    - nexus-service-restart
+  when:
+    - nexus_encryption_keys is defined
+    - nexus_encryption_keys | length > 0
+  tags: nexus-encrypt
+
+- name: Set encryption file in {{ nexus_data_dir }}/etc/nexus.properties
+  ansible.builtin.lineinfile:
+    path: "{{ nexus_data_dir }}/etc/nexus.properties"
+    line: "nexus.secrets.file={{ nexus_encryption_key_file }}"
+    firstmatch: true
+    insertafter: "EOF"
+    state: present
+  tags: nexus-encrypt
+  notify:
+    - nexus-service-restart
+
+- name: Force restart of nexus service
+  ansible.builtin.meta: flush_handlers
+  tags: nexus-encrypt
+
+- name: Wait for Nexus writable API endpoint to be available
+  ansible.builtin.uri:
+    url: "{{ nexus_api_scheme }}://{{ nexus_api_hostname }}:{{ nexus_api_port }}/service/rest/v1/status/writable"
+    method: GET
+    validate_certs: "{{ nexus_api_validate_certs }}"
+    status_code: 200
+    timeout: "{{ nexus_api_timeout }}"
+  register: __nexus_writable__
+  until: __nexus_writable__.status == 200
+  retries: "{{ nexus_api_availability_retries }}"
+  delay: "{{ nexus_api_availability_delay }}"
+  tags: nexus-encrypt
+
+- name: Get system health
+  ansible.builtin.uri:
+    url: "{{ nexus_api_scheme }}://{{ nexus_api_hostname }}:{{ nexus_api_port }}{{ nexus_api_context_path }}service/rest/v1/status/check"
+    user: admin
+    password: "{{ current_nexus_admin_password }}"
+    method: GET
+    force_basic_auth: true
+    validate_certs: "{{ nexus_api_validate_certs }}"
+  register: __nexus_health__
+  tags: nexus-encrypt
+
+- name: Re-encrypt Nexus data
+  ansible.builtin.uri:
+    url: "{{ nexus_api_scheme }}://{{ nexus_api_hostname }}:{{ nexus_api_port }}{{ nexus_api_context_path }}service/rest/v1/secrets/encryption/re-encrypt"
+    user: admin
+    password: "{{ current_nexus_admin_password }}"
+    method: PUT
+    force_basic_auth: true
+    validate_certs: "{{ nexus_api_validate_certs }}"
+    body_format: json
+    body:
+      secretKeyId: "{{ nexus_active_encryption_key_id }}"
+    status_code: 202
+  changed_when: true
+  when: not nexus_active_encryption_key_id in __nexus_health__.json['Default Secret Encryption Key'].message
+  tags: nexus-encrypt
diff --git a/roles/nexus_oss/tasks/main.yml b/roles/nexus_oss/tasks/main.yml
@@ -479,3 +479,8 @@
   ansible.builtin.include_tasks: migrate_database.yml
   tags: nexus-migrate, nexus-healthcheck
   when: nexus_migrate_database | default(false) | bool
+
+- name: Encrypt Nexus data
+  ansible.builtin.include_tasks: encrypt_nexus_data.yml
+  tags: nexus-encrypt
+  when: nexus_encryption_keys | length > 0
diff --git a/roles/nexus_oss/templates/encryption-key.json.j2 b/roles/nexus_oss/templates/encryption-key.json.j2
@@ -0,0 +1,11 @@
+{
+  "active": "{{ nexus_active_encryption_key_id }}",
+  "keys": [
+{% for key in nexus_encryption_keys %}
+    {
+      "id": "{{ key.id }}",
+      "key": "{{ key.secret }}"
+    }{% if not loop.last %},{% endif %}
+{% endfor %}
+  ]
+}