git - How to manage secrets in a Microservice / Container / Cloud environment?
Microservices and cloud are the thing everyone is talking and writing about. I have been thinking a lot about topics like: how can we use them and benefit from them? What are the possible challenges? How can they speed up daily development? And how do we manage things? One question has been bothering me for a few days: "how do I manage secrets in a microservice / cloud environment?"

Imagine a company with 150 software engineers in various teams working on various products. Every team creates software, and every service needs various amounts of secrets (API keys, passwords, SSH keys, whatever). The "old fashioned" way is to create a few configuration files in INI / YAML / TXT format and read from them. The 12-factor app says: use env vars.

Env vars can be set per machine, and config files can be placed there as well. This works if you have a handful of machines and deployment is done by a few system admins. One of the general rules says: "don't store secrets in the git repo."

Now the new world comes in. Every team is responsible for the application it produces; it should be deployed and run by the team. Our company is moving to containers and a self-service way (e.g. Mesos and Marathon, or Kubernetes).

Of course, Dockerfiles can set env vars as well, and yes, you can add a config file to the Docker container during the build. But then others (e.g. other teams) can access the secrets, and no one knows who uses the secrets, which is dangerous.

You want to version your Dockerfiles as well, and applications that should run on Marathon should be versioned too (in git or whatever) and applied via the REST API. So where do you store and manage the secrets for the containers / apps? Because scheduler frameworks like Swarm and Machine (for Docker), Mesos and Marathon (usable with Docker as well) or Kubernetes don't know which app is running; it is scheduled on several machines. And most of these tools have no authentication (by default; of course it can be added with an nginx proxy or something).

One idea is to manage secrets using a tool like Vault. But I have never seen "native" support for it in an app. The same applies to Blackbox. And I don't know how configuration management can solve this. I know Chef supports encrypted data bags, but AFAIK it is not possible to use Chef to set up/build Docker containers.

How do you manage secrets in a multi-team environment with several engineers in a microservice / container / cloud environment?
There are several solutions.

First, do not put secrets in the image. That's a bad idea, as you've realized. If you don't add secrets at build time, you have to add them at run-time. That leaves a few options:

1. Use environment variables, as suggested by the 12 factor app. You need to write a script that populates config files with the values of these variables when the container starts up. This works, but I don't like it, because environment variables get leaked (they can be seen in linked containers, in docker inspect, and included in bug reports). See summon.

2. Use volumes. Mount the config file with the secrets at run-time. This works, but it means you have a file with secrets lying on the host. It gets more complicated when you don't know on which host the container will run, such as when using frameworks like Swarm and Mesos.

3. Use a secure K/V store such as Vault/Keywhiz. As you point out, you need scripting to get the values to the application (e.g. as env vars). You also need to authenticate to the K/V store somehow (you may want to look at volume drivers for Keywhiz and Vault, or use a one-use token passed via env var).

Kubernetes has fairly advanced support for secrets, and I expect to see other frameworks adopt their own solutions.
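As an added example that is not part of the original answer: a small POSIX sh entrypoint helper implementing the first two options above, a secret file mounted at run-time (a volume, or a Kubernetes Secret mounted as a file) with an environment variable as fallback. It renders the application's config file at start-up with restrictive permissions and removes the variable from the entrypoint's environment before the application is exec'd. The paths, the variable name APP_API_KEY and the INI-style config line are assumptions chosen for illustration, not anything from the question or the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. Entrypoint helper that fetches
# one secret at run-time and renders it into the application's config file.
# Preference order: a secret file mounted into the container first, an
# environment variable second. Paths, variable names and the config format
# are assumptions for illustration.

# render_config SECRET_FILE ENV_VAR_NAME OUT_FILE
# Sets RENDER_SOURCE to "file" or "env" on success; returns 1 if no secret
# could be found in either place.
render_config() {
    secret_file="$1"
    var_name="$2"
    out_file="$3"
    api_key=""
    RENDER_SOURCE=""

    if [ -r "$secret_file" ]; then
        # Mounted secret: read the whole file; $(...) strips the trailing newline.
        api_key=$(cat "$secret_file")
        RENDER_SOURCE="file"
    else
        # Fallback: indirect expansion of the named environment variable.
        eval "api_key=\${$var_name:-}"
        RENDER_SOURCE="env"
    fi

    if [ -z "$api_key" ]; then
        echo "render_config: no secret in $secret_file or \$$var_name" >&2
        RENDER_SOURCE=""
        return 1
    fi

    # Create the config readable by the container user only. The umask is
    # scoped to the subshell so the entrypoint's own umask is untouched; chmod
    # covers the case where OUT_FILE already existed with looser permissions.
    ( umask 077; printf 'api_key = %s\n' "$api_key" > "$out_file" )
    chmod 600 "$out_file"

    # Remove the variable from this process so the application, and anything
    # that later dumps the application's environment into a bug report, does
    # not inherit it.
    unset "$var_name"
    api_key=""
    return 0
}

# Usage as an entrypoint, e.g.:
#   sh entrypoint.sh /run/secrets/api_key APP_API_KEY /etc/app/app.ini && exec ./app
if [ $# -eq 3 ]; then
    render_config "$1" "$2" "$3" && echo "config written from $RENDER_SOURCE"
fi
```

Unsetting the variable only protects the application process and its children. A value passed with docker run -e remains part of the container's configured environment and is still shown by docker inspect to anyone with access to the Docker API, which is exactly the leak the answer describes; only the mounted-file path avoids it.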