Hi All,

We need to pass the key store password to kubernetes containers when starting a wso2 server with secure vault enabled. In order to do that, we can use a kubernetes secret [1] and can consume it in two ways:

1. using a secret volume [2]
2. exposing it as environment variables

For both approaches we need to add the key store password as a secret with a base64 encoded value as in [3] and have to use one of the above approaches to add it to the replication controller.

In the first approach, we can consume the secret using a secret volume and mount it to the preferred path as in [4]. It will create a file with the name of the secret key in the specified path, and we can create the password-tmp by reading that file in the docker entrypoint script [5]. In order to do that, we need to modify the docker entrypoint script, which currently supports only an environment variable to pass the key store password, and have to do a dockerfiles patch release.

In the second approach, we can expose the secret as environment variables to containers as in [6]. For this approach, we don't need any modifications in entrypoint.sh, but exposing secrets as environment variables is supported from kubernetes 1.2.0 onwards. But if we want to support kubernetes 1.1.x, we have to pass the key store password in plain text as an environment variable, which is not good.

@ team: Which method is better to incorporate for the kubernetes-artifacts release? Please give your suggestions on this.

Thanks.

[1]. http://kubernetes.io/docs/user-guide/secrets/
[2]. http://kubernetes.io/docs/user-guide/volumes/#secret
[3]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/secret.yaml
[4]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml
[5]. https://github.com/wso2/dockerfiles/blob/master/common/scripts/entrypoint.sh
[6]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml#L42-L48

On Sat, Feb 27, 2016 at 9:45 PM, Thanuja Uruththirakodeeswaran <[email protected]> wrote:

> Hi All,
>
> I have updated the puppet modules for secure vault support. Please review and merge the p/r [1]. I'll send a p/r for the kubernetes-artifacts repo with the changes needed to pass the key store password. I have done the changes to pass the key store password as an environment variable for standalone docker containers. Currently I'm working on passing the password as a kubernetes secret and will send a p/r for this soon.
>
> [1]. https://github.com/wso2/puppet-modules/pull/16
>
> Thanks.
>
> On Sun, Feb 21, 2016 at 12:24 PM, Imesh Gunaratne <[email protected]> wrote:
>
>> On Sun, Feb 21, 2016 at 8:05 AM, Thanuja Uruththirakodeeswaran <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Currently I'm working on $subject by running the cipher tool, and the user will be able to build a docker image for a wso2 product which will have secured passwords in config files.
>>>
>>> In order to do the subject, we need to add cipher-tool.properties, cipher-text.properties and password-tmp file templates to the puppet module. I thought of encrypting the passwords using the cipher tool after we execute puppet apply in Docker files [1].
>>
>> Yes IMO this is the best option. The Docker image build process uses puppet for configuring the product; once the configuration is done, run secure vault and secure all credentials.
>>
>> When the container starts we will need to send the password either using an environment variable (in Docker) or via a K8S secret (in K8S) and create the password text file. Then we can start the server.
>>
>> Thanks
>>
>>> Applying secure vault while building the docker image will be an easy and efficient way compared to manually running the cipher tool and updating puppet module templates before building the docker image.
>>>
>>> I'll update this thread about the progress. Highly appreciate your suggestions on this.
>>>
>>> [1]. https://github.com/wso2/kubernetes-artifacts/blob/master/wso2esb/docker/Dockerfile#L40
>>>
>>> Thanks.
>>>
>>> --
>>> Thanuja Uruththirakodeeswaran
>>> Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: +94 774363167
>>
>> --
>> *Imesh Gunaratne*
>> Senior Technical Lead
>> WSO2 Inc: http://wso2.com
>> T: +94 11 214 5345 M: +94 77 374 2057
>> W: http://imesh.gunaratne.org
>> Lean . Enterprise . Middleware
>
> --
> Thanuja Uruththirakodeeswaran
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94 774363167

--
Thanuja Uruththirakodeeswaran
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: +94 774363167
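As an added example (not the entrypoint.sh from the wso2/dockerfiles repo nor anything from the thread above), the following shell snippet shows how an entrypoint could support both approaches the mail compares: read the key store password from the file a secret volume mounts (works on kubernetes 1.1.x), fall back to an environment variable when no file is present, write password-tmp with owner-only permissions, and fail fast if neither source is available. The file path, the variable name KEY_STORE_PASSWORD and the CARBON_HOME directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the wso2/dockerfiles entrypoint. Resolves the key store
# password from a Kubernetes secret volume or an environment variable and
# creates the password-tmp file that secure vault reads at server start.
#
# Assumed names (not from the original thread):
#   secret file        - path inside the mounted secret volume; Kubernetes names
#                        the file after the secret's key (approach 1)
#   KEY_STORE_PASSWORD - env var populated from the secret (approach 2,
#                        kubernetes 1.2.0+) or set in plain text on 1.1.x
#   CARBON_HOME        - directory in which password-tmp must be created
set -eu

# Print the password to stdout: prefer the mounted file, then the env var.
# Returns 1 when neither is available so the container stops instead of
# starting a server that cannot open its key store.
resolve_keystore_password() {
  secret_file="$1"
  if [ -r "$secret_file" ]; then
    # Strip a trailing newline in case the value was prepared with `echo`
    # rather than `printf` before base64 encoding it into the secret.
    tr -d '\n' < "$secret_file"
  elif [ -n "${KEY_STORE_PASSWORD:-}" ]; then
    printf '%s' "$KEY_STORE_PASSWORD"
  else
    echo "key store password not provided via secret file or environment" >&2
    return 1
  fi
}

# Create CARBON_HOME/password-tmp readable only by the container user and
# drop the plain-text value from the environment the server will inherit.
write_password_tmp() {
  carbon_home="$1"
  secret_file="$2"
  password="$(resolve_keystore_password "$secret_file")" || return 1
  umask 077
  printf '%s\n' "$password" > "$carbon_home/password-tmp"
  unset KEY_STORE_PASSWORD
}

# Entry point usage (guarded so the functions can also be sourced):
if [ "${1:-}" = "run" ]; then
  write_password_tmp "${CARBON_HOME:?}" "${SECRET_FILE:-/run/secrets/keystore-password}"
  # exec the wso2 server start script here
fi
```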
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
