I'm in favor of the first approach where the Secret is created as a file in a volume in the pod. This will allow us to support Kubernetes versions older than 1.2 (which was released a few weeks ago).

We can enable a parameter in the deploy.sh script which would allow the user to input the Keystore password. The script can then create a Kubernetes Secret itself without user intervention. IMO this would ease the process for the user a lot. WDYT?

Regards,
Chamila de Alwis
Committer and PMC Member - Apache Stratos
Software Engineer | WSO2 | +94772207163
Blog: code.chamiladealwis.com

On Tue, Apr 5, 2016 at 5:16 PM, Thanuja Uruththirakodeeswaran <[email protected]> wrote:

> Hi All,
>
> We need to pass the key store password to Kubernetes containers when starting a WSO2 server with secure vault enabled. In order to do that, we can use Kubernetes secrets [1] and can consume them in two ways:
>
> 1. using a secret volume [2]
> 2. exposing them as environment variables
>
> For both approaches we need to add the key store password as a secret with a base64 encoded value as in [3] and have to use one of the above approaches to add it to the replication controller.
>
> In the first approach, we can consume the secret using a secret volume and mount it to the preferred path as in [4]. It will create a file with the name of the secret key in the specified path and we can create the password-tmp by reading that file in the docker entrypoint script [5]. In order to do that, we need to make modifications to the docker entrypoint script, which currently supports only an environment variable to pass the key store password, and have to do a dockerfiles patch release.
>
> In the second approach, we can expose the secret as environment variables to containers as in [6]. For this approach, we don't need any modifications in entrypoint.sh, but exposing secrets as environment variables is supported from Kubernetes 1.2.0 onwards. But if we want to support Kubernetes 1.1.x, we have to pass the key store password in plain text as an environment variable, which is not good.
>
> @team: Which method is better to incorporate for the kubernetes-artifacts release? Please give your suggestions on this.
>
> Thanks.
>
> [1]. http://kubernetes.io/docs/user-guide/secrets/
> [2]. http://kubernetes.io/docs/user-guide/volumes/#secret
> [3]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/secret.yaml
> [4]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml
> [5]. https://github.com/wso2/dockerfiles/blob/master/common/scripts/entrypoint.sh
> [6]. https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml#L42-L48
>
> On Sat, Feb 27, 2016 at 9:45 PM, Thanuja Uruththirakodeeswaran <[email protected]> wrote:
>
>> Hi All,
>>
>> I have updated the puppet modules for secure vault support. Please review and merge the p/r [1]. I'll send a p/r for the kubernetes-artifacts repo with the changes needed to pass the key store password. I have done the changes to pass the key store password as an environment variable for standalone docker containers. Currently I'm working on passing the password as a Kubernetes secret and will send a p/r for this soon.
>>
>> [1]. https://github.com/wso2/puppet-modules/pull/16
>>
>> Thanks.
>>
>> On Sun, Feb 21, 2016 at 12:24 PM, Imesh Gunaratne <[email protected]> wrote:
>>
>>> On Sun, Feb 21, 2016 at 8:05 AM, Thanuja Uruththirakodeeswaran <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Currently I'm working on $subject by running the cipher tool, and the user will be able to build a docker image for a WSO2 product which will have secured passwords in config files.
>>>>
>>>> In order to do the subject, we need to add cipher-tool.properties, cipher-text.properties and password-tmp file templates to the puppet module. I thought of encrypting the passwords using the cipher tool after we execute puppet apply in the Docker files [1].
>>>
>>> Yes, IMO this is the best option. The Docker image build process uses puppet for configuring the product; once the configuration is done, run secure vault and secure all credentials.
>>>
>>> When the container starts we will need to send the password either using an environment variable (in Docker) or via a K8S secret (in K8S) and create the password text file. Then we can start the server.
>>>
>>> Thanks
>>>
>>>> Applying secure vault while building the docker image will be an easy and efficient way compared to manually running the cipher tool and updating the puppet module templates before building the docker image.
>>>>
>>>> I'll update this thread about the progress. Highly appreciate your suggestions on this.
>>>>
>>>> [1]. https://github.com/wso2/kubernetes-artifacts/blob/master/wso2esb/docker/Dockerfile#L40
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Thanuja Uruththirakodeeswaran
>>>> Software Engineer
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> mobile: +94 774363167
>>>
>>> --
>>> *Imesh Gunaratne*
>>> Senior Technical Lead
>>> WSO2 Inc: http://wso2.com
>>> T: +94 11 214 5345 M: +94 77 374 2057
>>> W: http://imesh.gunaratne.org
>>> Lean . Enterprise . Middleware
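The entrypoint step that the first approach requires, written out as an added example (this is not the wso2/dockerfiles entrypoint.sh and not code from anyone in this thread): the script prefers the file that a Secret volume mounts, falls back to the environment variable that the existing entrypoint path uses, and writes password-tmp with owner-only permissions. The mount path passed as the first argument and the variable name KEY_STORE_PASSWORD are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the wso2/dockerfiles entrypoint.sh. Resolves the key store
# password for secure vault at container start and writes the password-tmp file.
# Assumptions (not from the thread): the Secret volume is mounted so that the
# secret key appears as the file passed in $1, and KEY_STORE_PASSWORD is the
# name of the environment variable used by the existing entrypoint.

write_password_tmp() {
  secret_file="$1"   # file created by the Secret volume (file name = secret key)
  carbon_home="$2"   # directory in which the server expects password-tmp
  target="$carbon_home/password-tmp"

  if [ -s "$secret_file" ]; then
    # First approach: the kubelet already base64-decodes the Secret value into
    # the mounted file, so it is read as-is; $(...) strips a trailing newline.
    password=$(cat "$secret_file")
    source="secret-volume"
  elif [ -n "$KEY_STORE_PASSWORD" ]; then
    # Second approach / plain Docker: plain-text environment variable. Works on
    # Kubernetes 1.1.x but the value is readable by anything that can inspect
    # the container's environment (e.g. /proc/<pid>/environ).
    echo "warning: key store password taken from environment variable" >&2
    password="$KEY_STORE_PASSWORD"
    source="environment"
  else
    echo "error: no key store password in $secret_file or KEY_STORE_PASSWORD" >&2
    return 1
  fi

  # Restrict permissions before the file exists, so there is no window at 0644.
  umask 077
  printf '%s\n' "$password" > "$target" || return 1
  chmod 600 "$target"

  # Do not leak the password into the JVM's environment once the file exists.
  unset KEY_STORE_PASSWORD password
  echo "$source"
}

# Direct use: write_password_tmp <secret-file> <carbon-home>
if [ "$#" -eq 2 ]; then
  write_password_tmp "$1" "$2"
fi
```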
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
