faaso/docs/secrets.md

# Ideas about secret management

It's a bad idea to store secrets in a docker image.

However, code running in docker containers like a funko does often needs
access to secrets, such as passwords to databases. Let's use that as the
example secret for the rest of the document.

Also, not all funkos should have access to all the secrets, and the
"need to know" should be declarative in the funko's metadata.

## Problem 1: accessing secrets in the proxy container from the funkos

Let's further assume that faaso-proxy has access *somehow* to all the secrets,
identified by a name. So there is a "dbpass" secret that has "verysecret" as
it's very secret content.

Also let's assume the proxy has access to a folder in the server filesystem,
`/secrets` via something like a bind mount.

If the proxy has access to the funko metadata, it can access a declaration of
what secrets the funko needs.

Alternatively ... convention!

Secrets for the funko foo are called foo-{name}, so our example is called foo-dbpass.

So, the proxy can periodically examine its secret store and populate a folder
`/secrets/foo` with a `dbpass` file containing "verysecret".

If on starting a funko we always do a bind mount of `/secrets/foo` to `/secrets`
then it will always have its secrets in place.

## Problem 2: how can the proxy know the secrets without keeping them in the image

They can't be shipped via the image, so they need to be injected via the admin API.

Let's give it a /secret endpoint and have all the usual REST stuff there.

## The Good

* It should work
* No secrets are unencrypted at rest in images

## The Bad

* Secrets are unencrypted at rest in the server filesystem
* Secrets are only sort-of-persistent? If the proxy is restarted, it will need
  the secrets reinjected, or we need a persistent secret store in the server filesystem.
secrets ideas 2024-07-01 12:48:29 +00:00			`# Ideas about secret management`

			`It's a bad idea to store secrets in a docker image.`

			`However, code running in docker containers like a funko does often needs`
			`access to secrets, such as passwords to databases. Let's use that as the`
			`example secret for the rest of the document.`

Secrets REST API 2024-07-01 13:16:48 +00:00			`Also, not all funkos should have access to all the secrets, and the`
secrets ideas 2024-07-01 12:48:29 +00:00			`"need to know" should be declarative in the funko's metadata.`

Secrets REST API 2024-07-01 13:16:48 +00:00			`## Problem 1: accessing secrets in the proxy container from the funkos`
secrets ideas 2024-07-01 12:48:29 +00:00
			`Let's further assume that faaso-proxy has access somehow to all the secrets,`
			`identified by a name. So there is a "dbpass" secret that has "verysecret" as`
			`it's very secret content.`

			`Also let's assume the proxy has access to a folder in the server filesystem,`
			`/secrets` via something like a bind mount.

Secrets REST API 2024-07-01 13:16:48 +00:00			`If the proxy has access to the funko metadata, it can access a declaration of`
			`what secrets the funko needs.`

			`Alternatively ... convention!`

			`Secrets for the funko foo are called foo-{name}, so our example is called foo-dbpass.`

			`So, the proxy can periodically examine its secret store and populate a folder`
			`/secrets/foo` with a `dbpass` file containing "verysecret".

			If on starting a funko we always do a bind mount of `/secrets/foo` to `/secrets`
			`then it will always have its secrets in place.`

Lint 2024-07-09 01:02:47 +00:00			`## Problem 2: how can the proxy know the secrets without keeping them in the image`
Secrets REST API 2024-07-01 13:16:48 +00:00
			`They can't be shipped via the image, so they need to be injected via the admin API.`

			`Let's give it a /secret endpoint and have all the usual REST stuff there.`

			`## The Good`

			`* It should work`
			`* No secrets are unencrypted at rest in images`

			`## The Bad`

			`* Secrets are unencrypted at rest in the server filesystem`
			`* Secrets are only sort-of-persistent? If the proxy is restarted, it will need`
			`the secrets reinjected, or we need a persistent secret store in the server filesystem.`