
should we use a Secret for the application.properties?

Open jstrachan opened this issue 8 years ago • 6 comments

The connector configuration frequently contains usernames, passwords, tokens and secrets, e.g. for the twitter component all the component properties should be secret.

One day we may want to split the configuration between 2 resources; a ConfigMap and a Secret; with secret stuff only going into the Secret.

However for now - maybe just using a Secret instead of a ConfigMap for the connector configuration is simplest? It then makes sure the configuration is all secret?

jstrachan avatar Dec 20 '16 10:12 jstrachan

I would argue that the citizen developer would need access to the config, but may not need/have access to secret stuff, so it may make sense to split this up now rather than later. So my vote would be to make the split between Secret and ConfigMap now.

my 2 cents

--K


-- Kurt T. Stam


KurtStam avatar Dec 20 '16 12:12 KurtStam

If we don't have a way to mark which configuration keys are passwords, keys or anything else that needs to be secret, then using Secrets instead of ConfigMap is the only way, right?

I recall that a long time ago, there was a request raised in Camel to mask passwords, etc. when presenting endpoint URLs in logs, JMX, etc. I don't know if it was ever implemented, but it might be worth checking if it has and if we can extract that info from there.

iocanel avatar Jan 13 '17 07:01 iocanel

I think the next Camel version maintains the metadata of which properties are secret

jstrachan avatar Jan 13 '17 17:01 jstrachan

@KurtStam there may be properties that the citizen developer may need to populate that are secret (e.g. login / passwords to Salesforce or something)

jstrachan avatar Jan 13 '17 17:01 jstrachan

We have an open question whether openshift/kubernetes are secret enough... Do we need encryption at rest, etc.

jimmidyson avatar Jan 13 '17 17:01 jimmidyson

I was just browsing through documents and found this. We have lots of static and dynamic secrets (for example, an OAuth token which is getting refreshed every few days by another application).

Example would be, Funktion Camel flow starts -> acquires and uses token from Vault -> Make API call -> Stop

Is there a possibility to store all secrets in some sort of small HA KV database? Something like Hashicorp Vault. https://github.com/hashicorp/vault

markrey avatar Feb 24 '17 21:02 markrey
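
The ConfigMap/Secret split discussed in this thread, as an added example (not code from the funktion project or from any commenter): it divides an `application.properties` file into a ConfigMap and a Secret manifest. The key-name heuristic, the `secret_prefixes` parameter, the function names and the sample properties are all assumptions made for illustration.

```python
import base64
import json
import re

# Assumption: a key-name heuristic stands in for per-property "secret" metadata.
SECRET_KEY = re.compile(r"password|passwd|secret|token|credential|api[-_.]?key", re.I)

# Constructed sample; the property names are illustrative only.
SAMPLE = """\
# connector settings (constructed)
camel.component.twitter.consumer-key = ck-example
camel.component.twitter.consumer-secret = cs-example
camel.component.twitter.access-token: at-example
funktion.poll.delay = 5000
funktion.search.keywords = kubernetes
"""

def parse_properties(text):
    """Parse key=value / key:value lines; no escapes or line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        props[m.group(1)] = m.group(2)
    return props

def is_secret(key, secret_prefixes=()):
    """Secret if under an explicitly listed prefix or the name looks sensitive."""
    return key.startswith(tuple(secret_prefixes)) or bool(SECRET_KEY.search(key))

def split_config(props, name, secret_prefixes=()):
    """Return (ConfigMap, Secret) manifests as dicts for one connector."""
    plain, secret = {}, {}
    for key, value in props.items():
        (secret if is_secret(key, secret_prefixes) else plain)[key] = value
    meta = {"name": name}
    config_map = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": meta, "data": plain}
    # Secret.data is base64: an encoding for transport, not encryption.
    encoded = {k: base64.b64encode(v.encode()).decode() for k, v in secret.items()}
    secret_obj = {"apiVersion": "v1", "kind": "Secret", "metadata": meta,
                  "type": "Opaque", "data": encoded}
    return config_map, secret_obj

if __name__ == "__main__":
    # Listing the whole twitter prefix also catches consumer-key, which the heuristic misses.
    for manifest in split_config(parse_properties(SAMPLE), "twitter-connector",
                                 secret_prefixes=["camel.component.twitter."]):
        print(json.dumps(manifest, indent=2))
```

Without the explicit prefix, `consumer-key` lands in the ConfigMap, which is why name matching alone is a weak substitute for real per-property metadata.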