This repository has been archived by the owner on Mar 26, 2018. It is now read-only.

Don't use hard coded keys for client side state #460

Closed
zregvart opened this issue Jul 26, 2017 · 1 comment

Comments

@zregvart
Member

Client side state persistence is using hard coded keys in application.yml; they should be unique per install and possibly should be rotated periodically.

Things to think about:

  • do we need this statically or dynamically (think regenerate keys every n days)
  • do we do this via k8s secrets
  • if dynamically how to handle the transition (need n-1 keys)
  • if dynamically then we need key distribution (spring cloud k8s, but it reloads the app context)

See #459 (review)

@zregvart
Member Author

If not specified in the configuration (i.e. environment) the backend now defaults to randomly generated keys. Still needs some thought on how to properly store the keys across restarts and within a cluster and how to rotate the keys.
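The two points raised in this thread, a per-install key that defaults to a random value when nothing is configured, and a rotation scheme that keeps the previous key (the "n-1 keys" transition) so state issued under the old key still verifies, can be illustrated with a small key ring. This is an added example, not Syndesis code: it assumes client-side state is carried as an HMAC-SHA256 signed token with a key id prefix, that keys are 32 random bytes, and that the ring retains the current key plus one predecessor. How the project actually serialises its state is not shown on this page.

```python
# Added example (not from the Syndesis project): a key ring for signing
# client-side state, with random default keys and n-1 key rotation.
import base64
import hashlib
import hmac
import json
import secrets


class StateKeyRing:
    """Holds the current signing key plus a bounded number of previous keys."""

    def __init__(self, configured_keys=None, keep=2):
        # configured_keys: ordered list of (key_id, key_bytes), newest first,
        # e.g. loaded from the environment or a k8s Secret. If none are
        # configured, generate a random per-instance key (assumed 32 bytes),
        # mirroring the "defaults to randomly generated keys" behaviour.
        if not configured_keys:
            configured_keys = [(secrets.token_hex(4), secrets.token_bytes(32))]
        self.keys = list(configured_keys)
        self.keep = keep  # current key + (keep - 1) previous keys are retained

    @property
    def current(self):
        return self.keys[0]

    def rotate(self, new_key=None):
        """Install a new current key; the oldest key beyond `keep` is retired."""
        kid = secrets.token_hex(4)
        self.keys.insert(0, (kid, new_key or secrets.token_bytes(32)))
        del self.keys[self.keep:]
        return kid

    def sign(self, state: dict) -> str:
        """Serialise `state` and sign it under the current key: kid.payload.tag"""
        kid, key = self.current
        payload = base64.urlsafe_b64encode(
            json.dumps(state, sort_keys=True).encode()
        ).decode()
        tag = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
        return f"{kid}.{payload}.{tag}"

    def verify(self, token: str):
        """Return the state dict if the token verifies under a retained key,
        otherwise None (unknown/retired key id, malformed token, or bad tag)."""
        try:
            kid, payload, tag = token.split(".")
        except ValueError:
            return None
        key = dict(self.keys).get(kid)
        if key is None:
            # Key was rotated out (older than n-1): client must re-establish state.
            return None
        expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison to avoid leaking tag prefixes through timing.
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    ring = StateKeyRing()                       # no config: random key
    token = ring.sign({"flow": "oauth", "step": 2})
    print(ring.verify(token))                   # state round-trips
    ring.rotate()                               # old key kept as n-1
    print(ring.verify(token))                   # still verifies
    ring.rotate()                               # old key now retired
    print(ring.verify(token))                   # None
```

The ring only solves the in-process part of the problem; the remaining open points in the thread (where the key list lives across restarts, how all pods in a cluster see the same list, and who triggers `rotate`) are exactly the storage and distribution questions the issue leaves unanswered.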
