secrets ideas
This commit is contained in:
parent
18f35db164
commit
ae328f465c
@ -21,4 +21,7 @@ COPY runtimes/* ./runtimes/
|
|||||||
COPY tinyproxy.conf ./
|
COPY tinyproxy.conf ./
|
||||||
COPY --from=build /home/app/bin/faaso-daemon /home/app/bin/faaso /usr/bin/
|
COPY --from=build /home/app/bin/faaso-daemon /home/app/bin/faaso /usr/bin/
|
||||||
|
|
||||||
|
RUN mkdir /secrets
|
||||||
|
RUN echo "sarasa" > /secrets/sarlanga
|
||||||
|
|
||||||
CMD ["/usr/bin/multirun", "faaso-daemon", "tinyproxy -d -c tinyproxy.conf"]
|
CMD ["/usr/bin/multirun", "faaso-daemon", "tinyproxy -d -c tinyproxy.conf"]
|
21
docs/secrets.md
Normal file
21
docs/secrets.md
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# Ideas about secret management
|
||||||
|
|
||||||
|
It's a bad idea to store secrets in a docker image.
|
||||||
|
|
||||||
|
However, code running in docker containers like a funko does often needs
|
||||||
|
access to secrets, such as passwords to databases. Let's use that as the
|
||||||
|
example secret for the rest of the document.
|
||||||
|
|
||||||
|
Also, not all funkos should have access to all the secrets, and the
|
||||||
|
"need to know" should be declarative in the funko's metadata.
|
||||||
|
|
||||||
|
## Problem 1: accessing secrets in the proxy container from the funkos
|
||||||
|
|
||||||
|
Let's further assume that faaso-proxy has access *somehow* to all the secrets,
|
||||||
|
identified by a name. So there is a "dbpass" secret that has "verysecret" as
|
||||||
|
it's very secret content.
|
||||||
|
|
||||||
|
Also let's assume the proxy has access to a folder in the server filesystem,
|
||||||
|
`/secrets` via something like a bind mount.
|
||||||
|
|
||||||
|
## Problem 2: how can the proxy know the secrets without keeping them in the image?
|
Loading…
Reference in New Issue
Block a user