secrets ideas

This commit is contained in:
Roberto Alsina 2024-07-01 09:48:29 -03:00
parent 18f35db164
commit ae328f465c
2 changed files with 24 additions and 0 deletions

View File

@ -21,4 +21,7 @@ COPY runtimes/* ./runtimes/
COPY tinyproxy.conf ./ COPY tinyproxy.conf ./
COPY --from=build /home/app/bin/faaso-daemon /home/app/bin/faaso /usr/bin/ COPY --from=build /home/app/bin/faaso-daemon /home/app/bin/faaso /usr/bin/
RUN mkdir /secrets
RUN echo "sarasa" > /secrets/sarlanga
CMD ["/usr/bin/multirun", "faaso-daemon", "tinyproxy -d -c tinyproxy.conf"] CMD ["/usr/bin/multirun", "faaso-daemon", "tinyproxy -d -c tinyproxy.conf"]

21
docs/secrets.md Normal file
View File

@ -0,0 +1,21 @@
# Ideas about secret management
It's a bad idea to store secrets in a docker image.
However, code running in docker containers like a funko does often needs
access to secrets, such as passwords to databases. Let's use that as the
example secret for the rest of the document.
Also, not all funkos should have access to all the secrets, and the
"need to know" should be declarative in the funko's metadata.
## Problem 1: accessing secrets in the proxy container from the funkos
Let's further assume that faaso-proxy has access *somehow* to all the secrets,
identified by a name. So there is a "dbpass" secret that has "verysecret" as
it's very secret content.
Also let's assume the proxy has access to a folder in the server filesystem,
`/secrets` via something like a bind mount.
## Problem 2: how can the proxy know the secrets without keeping them in the image?