Skip to content
This repository was archived by the owner on Oct 6, 2019. It is now read-only.

Configuration

Jump to bottom
Tony Cai edited this page Jan 23, 2018 · 17 revisions

Deploy-time configurations

These settings are not changeable after launch

Run-time configurations

Goldfish will read these settings every minute from the runtime_config deployment config. If well-formed, goldfish will hot-reload the settings, and write back Last Updated field.

See the online demo for examples of these settings. Some are optional.

Basic [required]

  • DefaultSecretPath: the path that is loaded by default on Secrets page
  • TransitBackend: the transit backend that goldfish will use for encryption/decryption
  • UserTransitKey: the key in TransitBackend used by Transit page.
    • Individual users must be granted access to this in order to use the tool.
  • BulletinPath: the vault generic backend path that stores bulletins to be displayed. Check the demo for an example
  • LastUpdated: when goldfish loads configuration without error, it will try to update this with a timestamp
    • Because this can be overwritten by other operators, it should not be considered a source of truth - it's only a feedback as to whether your configuration was well formed or not

Slack integration [optional]

  • SlackWebhook: if a well-formed slack incoming webhook is placed here, new policy change requests will trigger the change ID to be sent to a specified channel. No secret details from the policy will be sent this way.
  • SlackChannel: a singular channel or user to notify. E.g. @tonyc or #teamA

GitHub integration [optional]

  • GithubAccessToken: for security reasons, either lock down the goldfish config path or create a technical github user with no write privileges to generate this access token. At minimum, this access token should be able to read the repo.
  • GithubRepoOwner: this is either the account name or the org name in which the repo is under
    • E.g. caiyeon
  • GithubRepo: self-explanatory
    • E.g. goldfish
  • GithubPoliciesPath: path in the repo in which the .hcl files reside.
    • E.g. on goldfish repo, this would be vagrant/policies.
    • Only .hcl files will be scanned. Currently .json policy files are not supported.
    • Overwriting default policy by having a default.hcl file is supported. However, if a file is called root.hcl, it will be ignored. Why would you ever do that??

Transit encryption [Optional]

  • ServerTransitKey: the key in TransitBackend used to encrypt/decrypt user credentials.
    • Control this tightly (preferably, only allow goldfish to access this) Goldfish can use transit encryption for user credentials
vault mount transit

# initialize the transit key
vault write -f transit/keys/goldfish

# add key 'ServerTransitKey' to goldfish runtime settings
vault write secret/goldfish ServerTransitKey="goldfish" # plus other existing key value pairs

# goldfish will reload settings every minute and start using the key
Clone this wiki locally