On Thu, Oct 3, 2019 at 10:35 AM Ken Giusti <kgiu...@redhat.com> wrote:
> On Thu, Oct 3, 2019 at 9:48 AM Ganesh Murthy <gmur...@redhat.com> wrote:
> >
> > Hello All,
> >     The router has an attribute called password in the sslProfile entity.
> > In version 1.2, this attribute was deprecated in favor of the passwordFile
> > attribute where you specify the absolute path of the file containing the
> > password. It is good practice to not put the plain text password directly
> > in the router config file.
> >
> > In the password field or in the file containing the password, you could add
> > prefixes like env: and literal: and follow it with an environment variable
> > containing the password or a literal password respectively.
> >
> > To simplify all this, I am proposing that we deprecate the passwordFile
> > field and consolidate all password scenarios to use the password field. We
> > will use the password options that openssl
> > <https://www.openssl.org/docs/man1.1.1/man1/openssl.html> uses (see Pass
> > Phrase Options sections).
>
> Just to clarify my understanding:
>
> The openssl implementation also supports the prefixes "fd:" and the value
> "stdin". I'm assuming the router would not support these, correct?
> I'm not asking for "fd:" or "stdin" to be supported btw. Just want to be
> sure.

My bad. I should have been clearer. No, we are not going to be supporting the fd: and stdin prefixes.

> >
> > Going forward, here are three ways to specify a password in an sslProfile
> >
> > sslProfile {
> >     caCertFile: .....
> >     certFile: .....
> >     # Get the password from the environment variable TLS_SERVER_PASSWORD. Note the env: prefix
> >     password: env:TLS_SERVER_PASSWORD
> >     OR
> >     # Get the password from the absolute file path. Note the file: prefix
> >     password: file:/home/tls/password-file.txt
> >     OR
> >     # Specify the actual password. Note the pass: prefix
> >     password: pass:actual_password
> > }
> >
> > While you can still specify the actual password in the password field using
> > the pass: prefix, which casual users might want to do, you are also able to
> > specify the file path or environment variable for more robust security.
> >
> > This change will be backward compatible which means, you will still be able
> > to specify the actual password in the password field without the pass:
> > prefix. The passwordFile field will be deprecated and eventually removed
> > when we move to a major version.
> >
>
> Will "literal:" be deprecated in favor of "pass:" then?

Yes. But literal: will continue to work until we move to the next major version.

Thanks.

> >
> > Please let me know your thoughts.
> >
> > Thanks.
> >
>
> --
> -K
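The resolution rules discussed in this thread, written out as an added example that is not part of the mailing-list post and not the router's own code: the `env:`, `file:` and `pass:` forms are resolved, `literal:` still works but is reported as deprecated, a bare value is taken as the password for backward compatibility, and the openssl `fd:` and `stdin` forms are rejected. The function and class names, the requirement that a `file:` path be absolute, the first-line-of-file semantics, and the warning on a group- or world-readable password file are assumptions made for this example, not behaviour the thread specifies.

```python
import os
import stat
import tempfile
import warnings

# Prefixes the proposal keeps; literal: is only a deprecated alias of pass:.
SUPPORTED_PREFIXES = ("env:", "file:", "pass:", "literal:")
# openssl(1) pass-phrase forms the thread explicitly rules out for the router.
REJECTED_PREFIXES = ("fd:",)
REJECTED_VALUES = ("stdin",)


class PasswordSourceError(ValueError):
    """The sslProfile password value cannot be resolved (hypothetical name)."""


def is_supported_source(value: str) -> bool:
    """True unless the value uses one of the rejected openssl forms."""
    return not (value in REJECTED_VALUES or value.startswith(REJECTED_PREFIXES))


def read_password_file(path: str) -> str:
    """Default reader for file: sources (assumed semantics, not the router's).

    Returns the first line of the file with the line ending stripped, requires
    an absolute path as the old passwordFile attribute did, and warns when the
    file is readable by group or others, since keeping the secret out of the
    config file is the reason for using file: in the first place.
    """
    if not os.path.isabs(path):
        raise PasswordSourceError(f"password file path must be absolute: {path!r}")
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.warn(f"password file {path!r} is readable by group/others")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def resolve_ssl_password(value: str, environ=None, read_file=read_password_file) -> str:
    """Return the plaintext password encoded by an sslProfile password value.

    env:NAME        -> value of environment variable NAME
    file:/abs/path  -> contents of the file (via read_file)
    pass:secret     -> the literal secret
    literal:secret  -> the literal secret, with a deprecation warning
    secret          -> the literal secret (no prefix, backward compatible)
    fd:N / stdin    -> rejected
    """
    env = os.environ if environ is None else environ
    if not is_supported_source(value):
        raise PasswordSourceError(f"unsupported password source: {value!r}")
    if value.startswith("env:"):
        name = value[len("env:"):]
        if name not in env:
            raise PasswordSourceError(f"environment variable {name!r} is not set")
        return env[name]
    if value.startswith("file:"):
        return read_file(value[len("file:"):])
    if value.startswith("pass:"):
        return value[len("pass:"):]
    if value.startswith("literal:"):
        warnings.warn("literal: is deprecated; use pass: instead", DeprecationWarning)
        return value[len("literal:"):]
    # No prefix: the value itself is the password, as before the change.
    return value


def demo() -> dict:
    """Resolve every form from the thread against constructed inputs."""
    env = {"TLS_SERVER_PASSWORD": "secret-from-env"}  # constructed, not a real secret
    fd, path = tempfile.mkstemp()  # created mode 0600, absolute path
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("secret-from-file\n")  # constructed file contents
        return {
            "env": resolve_ssl_password("env:TLS_SERVER_PASSWORD", environ=env),
            "file": resolve_ssl_password("file:" + path),
            "pass": resolve_ssl_password("pass:actual_password"),
            "bare": resolve_ssl_password("actual_password"),
            "literal": resolve_ssl_password("literal:actual_password"),
            "fd_supported": is_supported_source("fd:3"),
            "stdin_supported": is_supported_source("stdin"),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for form, result in demo().items():
        print(f"{form:16} {result}")
```

The `read_file` parameter exists so the file branch can be exercised without touching disk; `demo()` shows the default reader against a temporary file that it removes afterwards.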