Hi,

We give each app a private/public key pair, and let the developers encrypt any environment variable with their app's public key (we also base64 encode the ciphertext). Then instead of calling the usual "/bin/sh", we call a small bash wrapper script which decrypts the desired environment variables prior to running the app.

Note that our cluster is managed by Chef, so we ensure that:
- both the user and the private key are set up
- each app is running as its own user
- each app may access only its own private key

As an added bonus, the wrapper script:
- wraps stdout and stderr and forwards them to the local syslog (which then forwards them to Elasticsearch)
- automatically decrypts any environment variable that starts with "SECRET_" (so they don't have to specify anything when calling the command)

Hope this gives you an idea or two,

Cheers,
Robert

On 11 January 2016 at 15:04, Erb, Stephan <[email protected]> wrote:
> Hi everyone,
>
> I'd like to explore mechanisms to provide secrets to applications deployed on
> Mesos (e.g. via Marathon or Apache Aurora).
>
> The classical workflow of having the passwords encrypted in the local git
> repository and only decrypted during deployment (for example via ansible
> vault) tends to fall too short. From the user perspective the deployment is
> done once its job has been submitted to the service scheduler. Then however,
> the passwords would be unsecured when traveling through the various Mesos and
> scheduler layers. They might potentially be visible to anyone having access
> to either the scheduler or the Mesos UI.
>
> One possible solution is to provide an out-of-band mechanism to distribute
> passwords to all slaves and to protect those passwords using the regular
> Linux permissions, making them only accessible to authorized tasks. Other
> solutions might involve the integration of tools like HashiCorp Vault or
> Square Keywhiz.
>
> Is anyone willing to share his/her experience with handling such secrets?
>
> Thanks and Best Regards,
> Stephan
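The scheme Robert describes (a per-app RSA key pair, environment variables encrypted with the app's public key and base64-encoded, and a wrapper that decrypts every `SECRET_*` variable before running the real command) as an added, self-contained example. This is not Robert's actual script; it is written here to show the moving parts using only `openssl`, `base64` and `logger`. The key directory `/etc/app-keys/<app>.pem` / `<app>.pub`, the `KEY_DIR` override, the use of RSA-OAEP padding, and the `run_app` entry point are all assumptions of this example, not details from the thread.

```bash
#!/usr/bin/env bash
# Added example, not the poster's own wrapper. Assumed layout: the private key
# lives at $KEY_DIR/<app>.pem (mode 0400, owned by the app's user, placed there
# by configuration management) and the public key at $KEY_DIR/<app>.pub, which
# developers use to encrypt values. KEY_DIR is overridable for testing.
set -eu
KEY_DIR="${KEY_DIR:-/etc/app-keys}"

# One-time per-app key generation (the job Chef does in the original setup).
gen_keypair() {  # gen_keypair <app>
    local app="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEY_DIR/$app.pem" 2>/dev/null
    chmod 0400 "$KEY_DIR/$app.pem"
    openssl pkey -in "$KEY_DIR/$app.pem" -pubout -out "$KEY_DIR/$app.pub" 2>/dev/null
}

# Developer side: encrypt a plaintext with the app's public key and emit the
# ciphertext as a single base64 line suitable for a Marathon/Aurora env var.
# RSA-OAEP/SHA-256 is an assumption of this example (chosen over PKCS#1 v1.5).
encrypt_secret() {  # encrypt_secret <app> <plaintext>
    local app="$1" plaintext="$2"
    printf '%s' "$plaintext" \
        | openssl pkeyutl -encrypt -pubin -inkey "$KEY_DIR/$app.pub" \
              -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        | base64 | tr -d '\n'
}

# Runtime side: reverse the above with the app's private key. Only the app's
# own user can read that file, so only that user can recover the plaintext.
decrypt_secret() {  # decrypt_secret <app> <base64-ciphertext>
    local app="$1" b64="$2"
    printf '%s' "$b64" | base64 -d \
        | openssl pkeyutl -decrypt -inkey "$KEY_DIR/$app.pem" \
              -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Replace every SECRET_* variable in the environment with its decrypted value.
# The names are collected first so the loop runs in the current shell (a
# `env | while ...` pipeline would export into a subshell and be lost).
# A malformed ciphertext makes openssl fail, and `set -e` then aborts the
# wrapper instead of starting the app with a half-decrypted environment.
decrypt_env() {  # decrypt_env <app>
    local app="$1" names name value plain
    names=$(env | sed -n 's/^\(SECRET_[A-Za-z0-9_]*\)=.*/\1/p')
    for name in $names; do
        eval "value=\$$name"
        plain=$(decrypt_secret "$app" "$value")
        export "$name=$plain"
    done
}

# Wrapper entry point: decrypt, then run the app with stdout and stderr
# forwarded to the local syslog (which can in turn ship them to Elasticsearch).
run_app() {  # run_app <app> <command> [args...]
    local app="$1"; shift
    decrypt_env "$app"
    "$@" 2>&1 | logger -t "$app"
}

# Dispatch only when invoked as a wrapper, e.g.
#   SECRET_DB_PASSWORD=<base64> ./secretenv.sh run_app myapp /usr/bin/myapp --port 8080
# so that sourcing this file for its functions has no side effects.
case "${1:-}" in
    run_app) shift; run_app "$@" ;;
esac
```

Two caveats a practitioner will want: RSA-OAEP with a 2048-bit key caps each value at 190 bytes, so larger secrets need a hybrid scheme (encrypt a random symmetric key with RSA, the payload with that key); and after `decrypt_env` the plaintext sits in the app's process environment, readable by the app's own user and by root via `/proc/<pid>/environ`, which is exactly the boundary the per-user private key is meant to enforce.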

