README

Astral is an api-only application intended to simplify certificate acquisition and secrets storage. Invoking a single endpoint can issue an mTLS certificate or fetch a secret for applications in your environment, without any need to configure the underlying PKI or secrets storage (Vault).

Some features of Astral:

Configure Astral-specific Certificate Authority and Key-Value stores in Vault
Authenticate requests for cerficates or secrets using a third party trusted source (JWT with signing key, eg)
For certiciates: a) Authorize the request using a Domain Ownership registry, where domain owner or authorized groups must match the identity of the requesting client b) When authorized, obtain a certificate for the common name
For secrets: a) Create secrets with a policy for reading b) Read only when the requesting client identity has the policy.
Log all transactions in audit infrastructure (ELK, etc).

Running in development

This Rails app is most easily run and developed in its devcontainer, which includes Vault and a Domain Ownership registry (AppRegistry) in the compose environment.

Open in devcontainer (automatic in vscode)
Launch server using vscode launch config, or in the terminal run:

rails s

POST /certificates to acquire cert (need to provide common_name param):

curl -X POST http://localhost:3000/certificates \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI" \
-H "Content-type: application/json" \
-d "{ \"cert_issue_request\": { \"common_name\": \"example.com\" } }"

POST and GET /secrets to save and fetch a secret:

curl -X POST http://localhost:3000/secrets \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI" \
-H "Content-type: application/json" \
-d "{\"secret\": { \"path\":\"some/path\", \"data\": {\"password\": \"s3crit\"} } }"

curl http://localhost:3000/secrets/some/path \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI"

Run the tests from devcontainer terminal:

rails test

Running the prod image (local build):

Build the prod image:

docker build -t astral:latest .

Run the prod image:

docker run -p 3000:3000 astral:latest

Name		Name	Last commit message	Last commit date
Latest commit History 110 Commits
.devcontainer		.devcontainer
.github		.github
app		app
bin		bin
config		config
db		db
doc/openapi		doc/openapi
helm		helm
lib/tasks		lib/tasks
log		log
public		public
storage		storage
test		test
tmp		tmp
vendor		vendor
.dockerignore		.dockerignore
.gitattributes		.gitattributes
.gitignore		.gitignore
.rubocop.yml		.rubocop.yml
.ruby-version		.ruby-version
Dockerfile		Dockerfile
Gemfile		Gemfile
Gemfile.lock		Gemfile.lock
LICENSE		LICENSE
README.md		README.md
Rakefile		Rakefile
config.ru		config.ru

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

README

Running in development

Running the prod image (local build):

About

Releases

Packages

Contributors 5

Languages

License

G-Research/astral

Folders and files

Latest commit

History

Repository files navigation

README

Running in development

Running the prod image (local build):

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 5

Languages

Packages