spec icon indicating copy to clipboard operation
spec copied to clipboard

Published 20 hours ago verified publisher icon score-spec

[FEATURE] secret support

Open garthy opened this issue 10 months ago • 2 comments

Detailed description

It would be nice if secrets were supported as a first class resource. They could be generated and stored then used to create/access the resource and be passed around securely as well as the platform supports and stop writing them to state/config files. eg:- docker-compose output snippit

    workload-one-example:
        command:
            - -c
            - while true; do echo $${CONNECTION}; sleep 5; done
        depends_on:
            wait-for-resources:
                condition: service_started
                required: false
        entrypoint:
            - /bin/sh
        environment:
            CONNECTION: redis://default:XfygjA6Kxtb6mfXZ@redis-FUxtcv:6379
        hostname: workload-one
        image: busybox

Context

secure deployment and configuration and stop secrets getting wrtitten into files and environments

Possible implementation

using docker(-compose) secrets/k8s secrets a secret could be created Then used to create and protect the resource And then used to access the resource.

Additional information

No response

garthy avatar Apr 26 '24 20:04 garthy

Thank you for your issue. Give us a little time to review it.

PS. You might want to check the FAQ if you haven't done so already.

This is an automated reply, generated by FAQtory

github-actions[bot] avatar Apr 26 '24 20:04 github-actions[bot]

@garthy thanks for filing the request.

Currently secret outputs from resources being injected into envvars and file mounts are handled by the Score implementations themselves.

Eg: score-k8s will expect the secret to be present in a Kubernetes Secret and then if this is used in an env var or file will use projected volumes or K8s-specific tools to securly mount the secret.

You can create a secret as an output from a resource in score-k8s like this: https://github.com/score-spec/score-k8s/blob/e675f961ad1bf1123bc6efb0a3d1ad17bd657c58/internal/provisioners/default/zz-default.provisioners.yaml#L141

We didn't do this in score-compose because the docker secrets require swarm mode.

It's a good question whether there is a generalisable way of doing this that we could pull into the spec itself. It may be tricky since different runtimes support different interpolations, mount strategies, content lengths, and structures so it may not be possible.

astromechza avatar May 29 '24 20:05 astromechza