faaso/docs/secrets.md

50 lines
1.8 KiB
Markdown
Raw Normal View History

2024-07-01 12:48:29 +00:00
# Ideas about secret management
It's a bad idea to store secrets in a docker image.
However, code running in docker containers like a funko does often needs
access to secrets, such as passwords to databases. Let's use that as the
example secret for the rest of the document.
2024-07-01 13:16:48 +00:00
Also, not all funkos should have access to all the secrets, and the
2024-07-01 12:48:29 +00:00
"need to know" should be declarative in the funko's metadata.
2024-07-01 13:16:48 +00:00
## Problem 1: accessing secrets in the proxy container from the funkos
2024-07-01 12:48:29 +00:00
Let's further assume that faaso-proxy has access *somehow* to all the secrets,
identified by a name. So there is a "dbpass" secret that has "verysecret" as
it's very secret content.
Also let's assume the proxy has access to a folder in the server filesystem,
`/secrets` via something like a bind mount.
2024-07-01 13:16:48 +00:00
If the proxy has access to the funko metadata, it can access a declaration of
what secrets the funko needs.
Alternatively ... convention!
Secrets for the funko foo are called foo-{name}, so our example is called foo-dbpass.
So, the proxy can periodically examine its secret store and populate a folder
`/secrets/foo` with a `dbpass` file containing "verysecret".
If on starting a funko we always do a bind mount of `/secrets/foo` to `/secrets`
then it will always have its secrets in place.
2024-07-09 01:02:47 +00:00
## Problem 2: how can the proxy know the secrets without keeping them in the image
2024-07-01 13:16:48 +00:00
They can't be shipped via the image, so they need to be injected via the admin API.
Let's give it a /secret endpoint and have all the usual REST stuff there.
## The Good
* It should work
* No secrets are unencrypted at rest in images
## The Bad
* Secrets are unencrypted at rest in the server filesystem
* Secrets are only sort-of-persistent? If the proxy is restarted, it will need
the secrets reinjected, or we need a persistent secret store in the server filesystem.