2024-07-08 22:02:47 -03:00

1.8 KiB

Ideas about secret management

It's a bad idea to store secrets in a docker image.

However, code running in docker containers like a funko does often needs access to secrets, such as passwords to databases. Let's use that as the example secret for the rest of the document.

Also, not all funkos should have access to all the secrets, and the "need to know" should be declarative in the funko's metadata.

Problem 1: accessing secrets in the proxy container from the funkos

Let's further assume that faaso-proxy has access somehow to all the secrets, identified by a name. So there is a "dbpass" secret that has "verysecret" as it's very secret content.

Also let's assume the proxy has access to a folder in the server filesystem, /secrets via something like a bind mount.

If the proxy has access to the funko metadata, it can access a declaration of what secrets the funko needs.

Alternatively ... convention!

Secrets for the funko foo are called foo-{name}, so our example is called foo-dbpass.

So, the proxy can periodically examine its secret store and populate a folder /secrets/foo with a dbpass file containing "verysecret".

If on starting a funko we always do a bind mount of /secrets/foo to /secrets then it will always have its secrets in place.

Problem 2: how can the proxy know the secrets without keeping them in the image

They can't be shipped via the image, so they need to be injected via the admin API.

Let's give it a /secret endpoint and have all the usual REST stuff there.

The Good

  • It should work
  • No secrets are unencrypted at rest in images

The Bad

  • Secrets are unencrypted at rest in the server filesystem
  • Secrets are only sort-of-persistent? If the proxy is restarted, it will need the secrets reinjected, or we need a persistent secret store in the server filesystem.