feat: add google secret manager as backend #15

Merged
merged 6 commits into from
Nov 28, 2024
Merged
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -81,6 +81,7 @@ COPYRIGHT:
We support the following storage backends for storing private keys:
1. [Filesystem](docs/filesystem.md)
2. [AWS Secret Manager](docs/aws_sercret_manager.md)
3. [Google Secret Manager](docs/google_secret_manager.md)

### Monitoring
The signer exposes prometheus metrics on the `/metrics` endpoint. You can scrape these metrics using a prometheus server.
10 changes: 9 additions & 1 deletion cmd/cerberus/main.go
Expand Up @@ -102,6 +102,12 @@ var (
Usage: "AWS secret access key",
EnvVars: []string{"AWS_SECRET_ACCESS_KEY"},
}

gcpProjectIDFlag = &cli.StringFlag{
Name: "gcp-project-id",
Usage: "Project ID for Google Cloud Platform",
EnvVars: []string{"GCP_PROJECT_ID"},
}
)

func main() {
Expand Down Expand Up @@ -136,6 +142,7 @@ func main() {
awsAuthenticationModeFlag,
awsAccessKeyIDFlag,
awsSecretAccessKeyFlag,
gcpProjectIDFlag,
}
sort.Sort(cli.FlagsByName(app.Flags))

Expand Down Expand Up @@ -164,6 +171,7 @@ func start(c *cli.Context) error {
awsAuthenticationMode := c.String(awsAuthenticationModeFlag.Name)
awsAccessKeyID := c.String(awsAccessKeyIDFlag.Name)
awsSecretAccessKey := c.String(awsSecretAccessKeyFlag.Name)
gcpProjectID := c.String(gcpProjectIDFlag.Name)

cfg := &configuration.Configuration{
KeystoreDir: keystoreDir,
Expand All @@ -177,6 +185,7 @@ func start(c *cli.Context) error {
AWSAuthenticationMode: configuration.AWSAuthenticationMode(awsAuthenticationMode),
AWSAccessKeyID: awsAccessKeyID,
AWSSecretAccessKey: awsSecretAccessKey,
GCPProjectID: gcpProjectID,
}

if err := cfg.Validate(); err != nil {
Expand All @@ -193,7 +202,6 @@ func start(c *cli.Context) error {
handler := slog.NewTextHandler(os.Stdout, &slogOptions)
logger = slog.New(handler)
}
logger.Info("using configuration", "config", cfg)
logger.Info(fmt.Sprintf("Starting cerberus server version: %s", version))
server.Start(cfg, logger)
return nil
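Review bot: Nothing in the new code ties gcp-project-id to the storage type: `gcpProjectID := c.String(gcpProjectIDFlag.Name)` accepts an empty value and copies it into cfg as `GCPProjectID: gcpProjectID`, and whether cfg.Validate() (called below the hunk, body not shown) rejects an empty project ID when the Google Secret Manager backend is selected cannot be seen here. If it does not, a misconfigured deployment fails only at the first secret-manager call rather than at startup; the AWS flags above it presumably get that check in Validate, so the GCP flag should follow the same rule. At minimum the flag text should state the dependency, e.g. `Usage: "Project ID for Google Cloud Platform (required when --storage-type is google-secrets-manager)",`. Relatedly, docs/google_secret_manager.md tells the reader to set `GCP_PROJECT_ID` to `environment`, which contradicts this flag's purpose and the page's own `--gcp-project-id my-project` example; it most likely means the project ID. The start function continues outside the hunk.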
13 changes: 13 additions & 0 deletions docs/google_secret_manager.md
@@ -0,0 +1,13 @@
## Using Google Secret Manager as a backend for cerberus
You can use Google Secret Manager as a backend for cerberus. To use Google Secret Manager as a backend, you need to set the `STORAGE_TYPE` environment variable to `google-secrets-manager`.
All the public keys are stored in `cerberus<pub-key-hex>` format. They will also have a label with key as `project` and value as `cerberus`.

### Environment variables
You will need to set the `GCP_PROJECT_ID` environment variable to `environment`. Make sure you have the necessary permissions to access the secrets.

Example
```bash
cerberus \
--storage-type google-secrets-manager \
--gcp-project-id my-project
```
39 changes: 31 additions & 8 deletions go.mod
Expand Up @@ -5,6 +5,7 @@ go 1.21
toolchain go1.21.11

require (
cloud.google.com/go/secretmanager v1.14.2
github.com/Layr-Labs/bn254-keystore-go v0.0.0-20241118175331-3ceaf682f032
github.com/Layr-Labs/cerberus-api v0.0.1
github.com/aws/aws-sdk-go-v2 v1.32.5
Expand All @@ -15,10 +16,15 @@ require (
github.com/prometheus/client_golang v1.20.3
github.com/stretchr/testify v1.10.0
github.com/urfave/cli/v2 v2.27.5
google.golang.org/grpc v1.64.1
google.golang.org/api v0.203.0
google.golang.org/grpc v1.67.1
)

require (
cloud.google.com/go/auth v0.9.9 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
cloud.google.com/go/compute/metadata v0.5.2 // indirect
cloud.google.com/go/iam v1.2.1 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect
Expand All @@ -35,6 +41,13 @@ require (
github.com/consensys/bavard v0.1.13 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.13.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/mmcloughlin/addchain v0.4.0 // indirect
Expand All @@ -45,13 +58,23 @@ require (
github.com/prometheus/procfs v0.15.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/text v0.18.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
google.golang.org/protobuf v1.34.2 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
go.opentelemetry.io/otel v1.29.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
golang.org/x/crypto v0.28.0 // indirect
golang.org/x/net v0.30.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/text v0.19.0 // indirect
golang.org/x/time v0.7.0 // indirect
google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
google.golang.org/protobuf v1.35.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
rsc.io/tmplfunc v0.0.3 // indirect
)