Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better secrets control #35

Open
zs-ko opened this issue Aug 22, 2023 · 2 comments
Open

Better secrets control #35

zs-ko opened this issue Aug 22, 2023 · 2 comments

Comments

@zs-ko
Copy link

zs-ko commented Aug 22, 2023

Currently the helm is reading secrets trough environment variables. This limits the way we can inject secrets into the deployment.

Add support for reading secrets from files.
Add Env variables that point to files instead of directly to the secret value
DATABASE_URL_FILE="/some/container/path/file"

This will also adapt to different secret management methods. Like when using Hashicorp vault and dynamic database credentials
@rubenfiszel
Copy link
Contributor

@zs-ko apologies but could you give more examples, I'm a better backend engineer than devops and just want to make sure I understand the issue and proposed solution :)

@zs-ko
Copy link
Author

zs-ko commented Aug 22, 2023
edited
Loading

@rubenfiszel

Sure.

So when loading secrets from something like vault it is mostly rended as a simple key value.
In case of a database credential in Vault, will return 2 fields username and password. both could be unkown.

We can then either mount these files directly to the container on a path
/vault/secretname/username and /vault/secretname/password
Sync it to a secret
username: someuser
password: somepassword

or rended it trough a template language (Not supported by all secret secret providers/vaults)
In case of vaul we could generate an annotation that tells the system. Hey when this pod is staring up, add a sidecar and inject the secret into the following path with the following format. example

    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-revoke-on-shutdown: "true"
    vault.hashicorp.com/agent-inject-secret-db: db/windmill/creds/windmill
    vault.hashicorp.com/role: windmill
    vault.hashicorp.com/agent-init-first: "true" # load secret as first container
    vault.hashicorp.com/agent-inject-template-db: |
      {{- with secret "db/windmill/creds/windmill" -}}
        postgres://{{ .Data.username }}:{{ .Data.password }}@database.windmill.svc.cluster.local:5432/windmill?sslmode=require
      {{- end }}

By allowing the secret to be defined in that manner you will need to start windmill with a script to inject the secret or add flags to windmill to support this kind of configuration.

DATABASE_URL=$(cat "$DATABASE_URL_PATH") windmill

This could also be used for other parameters as well. OAUTH_SECRET_FILE and so on.
It is also recommended to read secrets from file rather than the env since acessing env variables across pods is actually possible.

Example env from the database pod in namespace windmill exposing windmill pods env

Defaulted container "postgres" out of: postgres, bootstrap-controller (init)
$ env
PGPORT=5432
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
WINDMILL_APP_SERVICE_HOST=10.107.54.222
HOSTNAME=windmill-1
POSTGIS_MAJOR=3
WINDMILL_LSP_PORT_3001_TCP_ADDR=10.109.100.20
HOME=/var/lib/postgresql
WINDMILL_APP_PORT_8000_TCP=tcp://10.107.54.222:8000
WINDMILL_R_SERVICE_PORT_POSTGRES=5432
WINDMILL_LSP_PORT_3001_TCP_PORT=3001```

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rubenfiszel @zs-ko