SSL keystore/truststore dirs and configuration values #3
Comments
We should actually build a base jinja template which includes all shared configuration values such as ZOOKEEPER_CONNECT. Then each service can simply extend this speeding up initial setup of a service within the docker repo. |
In general, it is not recommended to use ENV vars for secrets in docker. There is lot of discussion on the issue of managing secrets in docker. I have summarized it below TL;DRPassing secrets in env vars is bad. The best way for making secrets available to the container is using volumes (Kubernetes does it this way). The basic idea is that you create a mount point for secrets, something like /etc/secrets and the provisioning system puts the secrets in a volume and maps it to the docker container. So, if you are doing it manually for Kafka, you would create a directory on the host, add JKS file and credentials (in a file) and map this directory to /etc/secrets. The configure script will read this dir and add the credentials to the config. There are various ways of storing secrets and mounting them on a volume for the container, some of which are linked in "Secret management in Docker" section below. Why ENV vars are bad for runtime secrets ?
General discussion on "Secrets in docker"
Secret management in Kubernetes:Secret management in Docker
|
@theduderog what's your take on this ? |
I agreed that ENV vars are not a good way to pass secrets to containers b/c they're easy to leak. It seems like managing secrets in Docker is similar to "service discovery" in that there is no standard way to do it. Perhaps our default could be to expect a volume to be mounted with the secrets present but we need to allow people to plugin arbitrary code to get their secrets. I guess they can do it by overriding the "configure" step? |
Makes sense to me |
Implemented in #11. |
We should manage most of the SSL configuration and directories within the base image. This makes life easier in the long run.
ENV:
-ssl.keystore.location
-ssl.keystore.password
-ssl.key.password
BASH:
mkdir -p /ssl/keys /ssl/trusts
My understanding is that each containers has it's own layer isolating it from other containers. If this is correct each will still have their own keystore/truststore so key conflicts should not arise.
The text was updated successfully, but these errors were encountered: