Should use a secret for sensitive brigade-github-app configuration #48

krancour · 2019-10-31T15:01:38Z

Currently, the brigade-github-app chart creates a config map that includes a sensitive key.pem field. The deployment mounts this config map to /etc/brigade-github-app and, in turn, the containerized brigade-github-app process in each pod consumes /etc/brigade-github-app/key.pem.

Since the contents of key.pem are sensitive, it would be more proper and more safe to store this in a secret.

This can be accomplished pretty easily with changes to the chart and no changes to the brigade-github-app software itself.

This is not a breaking change:

Eliminate the brigade-github-app config map (since key.pem) is its only field anyway.
Add key.pem field to the existing brigade-github-app secret.
In the deployment, mount the brigade-github-app secret to /etc/brigade-github-app in place of the brigade-github-app config map.

The text was updated successfully, but these errors were encountered:

krancour added the bug Something isn't working label Oct 31, 2019

krancour self-assigned this Oct 31, 2019

krancour mentioned this issue Oct 31, 2019

[brigade-github-app]: keep key.pem in a secret #49

Merged

krancour closed this as completed in #49 Nov 1, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should use a secret for sensitive brigade-github-app configuration #48

Should use a secret for sensitive brigade-github-app configuration #48

krancour commented Oct 31, 2019

Should use a secret for sensitive brigade-github-app configuration #48

Should use a secret for sensitive brigade-github-app configuration #48

Comments

krancour commented Oct 31, 2019