On Tue, Apr 5, 2016 at 5:24 PM, Chamila De Alwis <[email protected]> wrote:

> I'm in favor of the first approach where the Secret is created as a file
> in a volume in the pod. This will allow us to support Kubernetes versions
> older than 1.2 (which was released few weeks ago).
>
> We can enable a parameter in the deploy.sh script which would allow the
> user to input the Keystore password. The script can then create a
> Kubernetes Secret itself without user intervention. IMO this would ease the
> process for the user a lot. WDYT?
>

+1 A good thought!

>
>

> Regards,
> Chamila de Alwis
> Committer and PMC Member - Apache Stratos
> Software Engineer | WSO2 | +94772207163
> Blog: code.chamiladealwis.com
>
>
>
> On Tue, Apr 5, 2016 at 5:16 PM, Thanuja Uruththirakodeeswaran <
> [email protected]> wrote:
>
>> Hi All,
>>
>> We need to pass the key store password to kubernetes containers when
>> starting a wso2 server with secure vault enabled. In order to do that, we
>> can use kubernetes secret [1] and can consume them in two ways:
>>
>> 1. using secret volume [2]
>> 2. expose them as environment variables
>>
>> For both approaches we need to add the key store password as a secret with
>> a base64 encoded value as in [3] and have to use one of the above approaches to
>> add it to the replication controller.
>>
>> In the first approach, we can consume the secret using a secret volume and
>> mount it to the preferred path as in [4]. It will create a file with the name
>> of the secret key in the specified path and we can create the password-tmp
>> by reading that file in the docker entrypoint script [5]. In order to do that,
>> we need to modify the docker entrypoint script, which currently
>> supports only an environment variable to pass the key store password, and have
>> to do a dockerfiles patch release.
>>
>> In the second approach, we can expose the secret as environment variables
>> to containers as in [6]. For this approach, we don't need any modifications
>> in entrypoint.sh, but exposing secrets as environment variables is only
>> supported from kubernetes 1.2.0 onwards. If we want to support kubernetes 1.1.x,
>> we have to pass the key store password in plain text as an environment
>> variable, which is not good.
>>
>> @ team: Which method is better to incorporate for the kubernetes-artifacts
>> release? Please give your suggestions on this.
>>
>> Thanks.
>>
>> [1]. http://kubernetes.io/docs/user-guide/secrets/
>> [2]. http://kubernetes.io/docs/user-guide/volumes/#secret
>> [3].
>> https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/secret.yaml
>> [4].
>> https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml
>> [5].
>> https://github.com/wso2/dockerfiles/blob/master/common/scripts/entrypoint.sh
>> [6].
>> https://github.com/Thanu/kubernetes-artifacts/blob/kub-secret-for-key-store-password/wso2esb/wso2esb-default-controller.yaml#L42-L48
>>
>>
>> On Sat, Feb 27, 2016 at 9:45 PM, Thanuja Uruththirakodeeswaran <
>> [email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I have updated the puppet modules for secure vault support. Please
>>> review and merge the p/r [1]. I'll send a p/r for kubernetes-artifacts
>>> repo with the changes needed to pass the key store password. I have done
>>> the changes to pass key store password as environment variable for
>>> standalone docker containers. Currently I'm working on passing the password
>>> as kubernetes secret and will send a p/r for this soon.
>>>
>>> [1]. https://github.com/wso2/puppet-modules/pull/16
>>>
>>> Thanks.
>>>
>>> On Sun, Feb 21, 2016 at 12:24 PM, Imesh Gunaratne <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sun, Feb 21, 2016 at 8:05 AM, Thanuja Uruththirakodeeswaran <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Currently I'm working on $subject by running the cipher tool, so that the user
>>>>> will be able to build a docker image for a wso2 product which will have secured
>>>>> passwords in config files.
>>>>>
>>>>> In order to do the subject, we need to add cipher-tool.properties,
>>>>> cipher-text.properties and password-tmp file templates to the puppet module. I
>>>>> thought of encrypting the passwords using the cipher tool after we execute
>>>>> puppet apply in the Docker files [1].
>>>>>
>>>>
>>>> Yes IMO this is the best option. The Docker image build process uses puppet
>>>> for configuring the product; once the configuration is done, run secure
>>>> vault and secure all credentials.
>>>>
>>>> When the container starts we will need to send the password either
>>>> using an environment variable (in Docker) or via a K8S secret (in K8S) and
>>>> create the password text file. Then we can start the server.
>>>>
>>>> Thanks
>>>>
>>>>>
>>>>> Applying secure vault while building the docker image will be an easy and
>>>>> efficient way compared to manually running the cipher tool and updating
>>>>> puppet module templates before building the docker image.
>>>>>
>>>>> I'll update this thread about the progress. Highly appreciate your
>>>>> suggestions on this.
>>>>>
>>>>> [1].
>>>>> https://github.com/wso2/kubernetes-artifacts/blob/master/wso2esb/docker/Dockerfile#L40
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Thanuja Uruththirakodeeswaran
>>>>> Software Engineer
>>>>> WSO2 Inc.;http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> mobile: +94 774363167
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Imesh Gunaratne*
>>>> Senior Technical Lead
>>>> WSO2 Inc: http://wso2.com
>>>> T: +94 11 214 5345 M: +94 77 374 2057
>>>> W: http://imesh.gunaratne.org
>>>> Lean . Enterprise . Middleware
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>


-- 
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345 M: +94 77 374 2057
W: http://imesh.io
Lean . Enterprise . Middleware
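Added example, not code from the thread or from the wso2 dockerfiles or kubernetes-artifacts repositories: a POSIX sh sketch of the two pieces the thread discusses, the deploy.sh side that base64-encodes a user-supplied key store password into a Secret manifest, and the entrypoint side that builds password-tmp from either a secret-volume file (first approach) or an environment variable (second approach). The secret key name keystore-password, the function names and the file paths are assumptions chosen for this illustration.

```shell
#!/bin/sh
# Added example; not part of the wso2 entrypoint.sh or deploy.sh.
set -eu

# deploy.sh side: wrap a password the user typed in into a Secret manifest.
# Secret data values are base64 encoded, as in the thread's secret.yaml [3].
# Writes the manifest to stdout; the password itself never goes to stdout.
make_secret_manifest() {
  name="$1"; password="$2"
  encoded=$(printf '%s' "$password" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\n' "$name"
  printf 'data:\n  keystore-password: %s\n' "$encoded"
}

# entrypoint side: resolve the key store password, preferring the file the
# secret volume mounts (approach 1) over an environment variable (approach 2),
# then write password-tmp readable only by the server user.
# Returns 1 and creates nothing if neither source is present.
write_password_tmp() {
  secret_file="$1"; env_value="${2:-}"; out="$3"
  if [ -s "$secret_file" ]; then
    pw=$(cat "$secret_file")          # kubelet already decoded the value
  elif [ -n "$env_value" ]; then
    pw="$env_value"
  else
    echo "key store password not provided via secret file or env var" >&2
    return 1
  fi
  umask 077                           # password-tmp: owner read/write only
  printf '%s\n' "$pw" > "$out"
  pw=""                               # drop the plaintext from the shell
}
```

In a real entrypoint the secret file path would be the mountPath from the controller spec plus the secret key name, and the env var the one exposed through secretKeyRef, as in [6].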
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev