New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secret Management #1269
Comments
Maybe I'm late to drop in, but I'm stuck with exactly this. I hope this is the right issue to comment on out of: #2060 #1971 #186 #744 From a Docker perspective, its on the radar: moby/moby#13490 Having had a closer look at http://square.github.io/keywhiz/ and https://vaultproject.io I would suggest vault as it excels in UI over the other, also we have seen good stuff from hashicorp in the past. I'm not so much into the Rancher System Docker Daemon yet, so this might seem silly, anyhow, I'll copy for reference a minimal configuration of a vault server. This could go into the rancherOS istself, while using the excisting rancher distributed storage mechanisms...
See also for docker-specifics: hashicorp/vault#165 And how to deploy: https://vaultproject.io/intro/getting-started/deploy.html |
What is rancher current stance on Secret Management? Where do I put my my access tokens, database passwords? |
+1, this needs to be addressed. :) |
+1 I guess 1.0 will be released not soon |
+1 definitely need this feature |
👍 |
3 similar comments
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
any news on this ? |
+1 |
1 similar comment
+1 |
+1 |
+1 |
FlexVols are nice but that requires an init script in the container that will fetch the secrets from the vol and inject them as environment variables before starting the actual program. This makes using community images from docker hub almost impossible. It would be nice if the secrets bridge could inject a secret into a container at run time. For example you give rancher the two files docker-compose
rancher-compose
Then before executing that docker compose file rancher would add in the full value of the DATABASE_PASSWORD, generating:
In the ui, when you click to see the docker and rancher compose files you would see the un-interpolated versions. Finally rancher would know which stacks are allowed to access which paths because when you created them with the command Is there some major security loophole this would introduce that I am not seeing? |
+1 |
Maybe this is interesting for this topic: moby/moby#27794 |
I have a few recommendations ...
|
+1 |
We are targeting to have an experimental version of secrets management available in 1.4.0. |
@galal-hussein Can you test with the next rancher RC v1.4.0-rc4? |
Rancher version 1.4.0-rc8, tested secret management workflow for both localkey and vault backends, all test cases passed successfully. |
Multiple requests for being able to automatically inject these secrets into the environment... Did that request see any progress? |
+1 |
Rancher needs to be able to support a way to store secrets securely (db passwords, api credentials, etc.) and then let it be made available to containers and services.
Revised: 8/26/2016
Flow will look something like:
rancher secret create name [—from-file file ] [plaintext]
creating a secret scoped to a Rancher environment.
The text was updated successfully, but these errors were encountered: