Skip to main content
Quick navigation

A full field level with Vault and secret management

View the full demo in realtime

You can either follow all the steps manually, or watch the recording

Review the docker compose environment

As can be seen from docker-compose.yaml the demo environment consists of the following services:

  • gateway1
  • gateway2
  • kafka-client
  • kafka1
  • kafka2
  • kafka3
  • schema-registry
  • vault
cat docker-compose.yaml

Starting the docker environment

Start all your docker processes, wait for them to be up and ready, then run in background

  • --wait: Wait for services to be running|healthy. Implies detached mode.
  • --detach: Detached mode: Run containers in the background
docker compose up --detach --wait

Creating topic customers on gateway1

Creating on gateway1:

  • Topic customers with partitions:1 and replication-factor:1
kafka-topics \
--bootstrap-server localhost:6969 \
--replication-factor 1 \
--partitions 1 \
--create --if-not-exists \
--topic customers

Listing topics in gateway1

kafka-topics \
--bootstrap-server localhost:6969 \
--list

Adding interceptor crypto-shredding-encrypt

Let's ask gateway to encrypt messages using vault and secret management. The vault token is retrieved from your env variable ${VAULT_TOKEN}.

step-07-crypto-shredding-encrypt-interceptor.json:

{
"kind" : "Interceptor",
"apiVersion" : "gateway/v2",
"metadata" : {
"name" : "crypto-shredding-encrypt"
},
"spec" : {
"comment" : "Adding interceptor: crypto-shredding-encrypt",
"pluginClass" : "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority" : 100,
"config" : {
"topic" : "customers",
"kmsConfig" : {
"vault" : {
"uri" : "http://vault:8200",
"token" : "${VAULT_TOKEN}",
"version" : 1
}
},
"fields" : [ {
"fieldName" : "password",
"keySecretId" : "vault-kms://vault:8200/transit/keys/secret-for-{{record.value.name}}",
"algorithm" : "AES128_GCM"
}, {
"fieldName" : "visa",
"keySecretId" : "vault-kms://vault:8200/transit/keys/secret-for-{{record.value.name}}",
"algorithm" : "AES128_GCM"
} ]
}
}
}
curl \
--silent \
--request PUT "http://localhost:8888/gateway/v2/interceptor" \
--header "Content-Type: application/json" \
--user "admin:conduktor" \
--data @step-07-crypto-shredding-encrypt-interceptor.json | jq

Listing interceptors

Listing interceptors on gateway1

curl \
--silent \
--request GET "http://localhost:8888/gateway/v2/interceptor" \
--user "admin:conduktor" | jq

Let's produce sample data for tom and laura

Producing 2 messages in customers in cluster gateway1

Sending 2 events

{
"name" : "laura",
"username" : "laura@conduktor.io",
"password" : "kitesurf",
"visa" : "#888999XZ",
"address" : "Dubai, UAE"
}
{
"name" : "tom",
"username" : "tom@conduktor.io",
"password" : "motorhead",
"visa" : "#abc123",
"address" : "Chancery lane, London"
}
echo '{"name":"laura","username":"laura@conduktor.io","password":"kitesurf","visa":"#888999XZ","address":"Dubai, UAE"}' | \
kafka-console-producer \
--bootstrap-server localhost:6969 \
--topic customers

echo '{"name":"tom","username":"tom@conduktor.io","password":"motorhead","visa":"#abc123","address":"Chancery lane, London"}' | \
kafka-console-producer \
--bootstrap-server localhost:6969 \
--topic customers

Let's consume the message, and confirm tom and laura are encrypted

Let's consume the message, and confirm tom and laura are encrypted in cluster gateway1

kafka-console-consumer \
--bootstrap-server localhost:6969 \
--topic customers \
--from-beginning \
--max-messages 3 \
--timeout-ms 3000 | jq

returns 2 events

{
"name" : "laura",
"username" : "laura@conduktor.io",
"password" : "AAAABQAAAAEAAABJdmF1bHQ6djE6Rk1na2VYczJFSHRxSXNSU0Q5dHJ0NXlBSW1PUGNMQjNxMjRXckJRZXpSRHdBaXV3dDJQVEpCTGVoUTYxK0E9PTpV1EQPCKQzCTwjVDdJTomgyOmFtzSMreAy4FZZSjgBAWH7evanWkpIs8c=",
"visa" : "AAAABQAAAAEAAABJdmF1bHQ6djE6Rk1na2VYczJFSHRxSXNSU0Q5dHJ0NXlBSW1PUGNMQjNxMjRXckJRZXpSRHdBaXV3dDJQVEpCTGVoUTYxK0E9PYz16ibVgxysH2VwJTHy8EGYloe4HKxdLA+VJrGUgDAJzYU5QjkT6UuD2ktP",
"address" : "Dubai, UAE"
}
{
"name" : "tom",
"username" : "tom@conduktor.io",
"password" : "AAAABQAAAAEAAABJdmF1bHQ6djE6aTdXUHd0NkZXRnlTNUJab2J6WUxlOUVXMmhGOWNnMlorQXRrQ25SeFJUdTZ2WDYzVlBFN2U3dFlmNE12QUE9PSpTPd5xc/yFtoy2B9EYMD5nI0/y4lR4oDjM/Ty60GzcgaKXkfgB2nilYT/+",
"visa" : "AAAABQAAAAEAAABJdmF1bHQ6djE6aTdXUHd0NkZXRnlTNUJab2J6WUxlOUVXMmhGOWNnMlorQXRrQ25SeFJUdTZ2WDYzVlBFN2U3dFlmNE12QUE9PSWcsTYHqmMi39UJmZtR4ggsBaDIKOmfe7tp+HQ2Nu0wHAnL2IUEL9+mzw==",
"address" : "Chancery lane, London"
}

Adding interceptor crypto-shredding-decrypt

Let's add the decrypt interceptor to decipher messages. The vault token is retrieved from your env variable ${VAULT_TOKEN}.

step-11-crypto-shredding-decrypt-interceptor.json:

{
"kind" : "Interceptor",
"apiVersion" : "gateway/v2",
"metadata" : {
"name" : "crypto-shredding-decrypt"
},
"spec" : {
"comment" : "Adding interceptor: crypto-shredding-decrypt",
"pluginClass" : "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority" : 100,
"config" : {
"topic" : "customers",
"kmsConfig" : {
"vault" : {
"uri" : "http://vault:8200",
"token" : "${VAULT_TOKEN}",
"version" : 1
}
}
}
}
}
curl \
--silent \
--request PUT "http://localhost:8888/gateway/v2/interceptor" \
--header "Content-Type: application/json" \
--user "admin:conduktor" \
--data @step-11-crypto-shredding-decrypt-interceptor.json | jq

Listing interceptors

Listing interceptors on gateway1

curl \
--silent \
--request GET "http://localhost:8888/gateway/v2/interceptor" \
--user "admin:conduktor" | jq

Confirm message from tom and laura are encrypted

Confirm message from tom and laura are encrypted in cluster gateway1

kafka-console-consumer \
--bootstrap-server localhost:6969 \
--topic customers \
--from-beginning \
--max-messages 3 \
--timeout-ms 3000 | jq

returns 2 events

{
"name" : "laura",
"username" : "laura@conduktor.io",
"password" : "kitesurf",
"visa" : "#888999XZ",
"address" : "Dubai, UAE"
}
{
"name" : "tom",
"username" : "tom@conduktor.io",
"password" : "motorhead",
"visa" : "#abc123",
"address" : "Chancery lane, London"
}

Tearing down the docker environment

Remove all your docker processes and associated volumes

  • --volumes: Remove named volumes declared in the "volumes" section of the Compose file and anonymous volumes attached to containers.
docker compose down --volumes

Conclusion

Crypto shredding help you protect your most precious information