
Inject secrets into parameters too #878

Closed
carolynvs opened this issue Feb 5, 2020 · 4 comments

@carolynvs (Member)

The secrets plugin lets you inject values from external sources, such as key vault, into a credential. I want to be able to keep my secrets safe in my vault and inject them into parameters as well, since CNAB says boring stuff (non-identity) such as database passwords should be parameters and not credentials. KEEP ALL THE THINGS SAFE PLZ! 🙇‍♀

@carolynvs carolynvs added the enhancement New code incoming! label Feb 5, 2020
@carolynvs carolynvs added this to the Plugins milestone Feb 5, 2020
@carolynvs carolynvs added this to Inbox in Porter and Mixins [OLD] via automation Feb 5, 2020
@carolynvs carolynvs moved this from Inbox to Backlog in Porter and Mixins [OLD] Feb 10, 2020
@dev-drprasad (Contributor)

I would like to help with this issue.

@dev-drprasad dev-drprasad self-assigned this Feb 14, 2020
@carolynvs carolynvs added hmm 🛑🤔 Needs more thinking time. Don't start on it yet, please. design 🚲🏠 Bust out your paint chips, it's time to bikeshed. labels Feb 14, 2020
@carolynvs (Member, Author)

Great! I could use some help thinking about the design of this feature. We aren't quite ready to start coding yet.

For some background, in the CNAB spec, there is a distinction between parameters and credentials. Credentials are intended not for sensitive information but for information related to the identity of the person executing the bundle. For example, your credentials for AWS. Anything else should be a parameter, like the application’s password to connect to MySQL. Even though that really should be protected carefully too! 😄

The CNAB spec has the runtime and the tools (like porter) treat credentials and parameters very differently because of this distinction:

  • credentials, when they are files, can be mounted into the Docker image
  • credentials are not persisted with the claim
  • the CLI collects them differently (credentials through credential sets, parameters through --param NAME=VALUE)

With plugins, Porter supports having credential sets resolve their value against a secret store in the cloud (or anywhere really). This is more secure. But how do we do the same thing for parameters? 🤔

We can change how we pass in parameters; it doesn’t have to be a flag. Or we can change how the flag works, add a new flag, etc. Essentially we need a way for the user to say, "Here is how to get the value for this parameter from a secret store", i.e. this is the key to use when looking it up.

All of the configuration of the secret store is already taken care of from the plugins work, so you don’t need to worry about that.

SO! 😅 If you would like to think about the design of that, and what the user experience (UX) would be, that is the real work for this story.

@dev-drprasad (Contributor)

Let me think about the design. I will unassign myself so that other people can engage on this issue.

@dev-drprasad dev-drprasad removed their assignment Feb 14, 2020
@carolynvs carolynvs moved this from Backlog to In Progress in Porter and Mixins [OLD] May 11, 2020
@vdice (Member) commented Jun 22, 2020

This functionality is now in place. The ability to declare parameter(s) with secret sources was added with #1053 and the Azure plugin already has the logic to resolve secrets from its supported backend (Azure Key Vault). 🎉

@vdice vdice closed this as completed Jun 22, 2020
Porter and Mixins [OLD] automation moved this from In Progress to Done Jun 22, 2020
@vdice vdice removed this from Done in Porter and Mixins [OLD] Sep 16, 2020
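As an added sketch of the design carolynvs describes above (example code, not Porter's own and not the #1053 implementation), this Go snippet resolves a parameter set in which each entry is either a literal value or a reference to a secret-store key, and keeps the resolved secret out of the record that would be persisted with the claim. The SecretStore interface, the Param struct and the in-memory store are assumptions made for the example.

```go
package main

import "fmt"

// SecretStore is the plugin-facing interface assumed here (hypothetical;
// Porter's real plugin contract may differ). A Key Vault plugin would implement it.
type SecretStore interface {
	Resolve(key string) (string, error)
}

// memStore is a constructed in-memory stand-in for a vault so the example runs offline.
type memStore map[string]string

func (m memStore) Resolve(key string) (string, error) {
	v, ok := m[key]
	if !ok {
		return "", fmt.Errorf("secret %q not found", key)
	}
	return v, nil
}

// Param is one parameter-set entry: a literal Value, or a Source naming the secret-store key.
type Param struct {
	Name, Value, Source string
}

// ResolveParams returns the values handed to the bundle at runtime and a separate record
// that is safe to persist with the claim: for secret-sourced parameters the record keeps
// only the source reference, never the resolved secret.
func ResolveParams(store SecretStore, params []Param) (runtime, claimRecord map[string]string, err error) {
	runtime, claimRecord = map[string]string{}, map[string]string{}
	for _, p := range params {
		if p.Source == "" {
			runtime[p.Name], claimRecord[p.Name] = p.Value, p.Value
			continue
		}
		v, rerr := store.Resolve(p.Source)
		if rerr != nil {
			return nil, nil, fmt.Errorf("parameter %s: %w", p.Name, rerr)
		}
		runtime[p.Name], claimRecord[p.Name] = v, "secret:"+p.Source
	}
	return runtime, claimRecord, nil
}

func main() {
	store := memStore{"mysql-password": "s3cr3t"} // constructed sample secret
	rt, rec, err := ResolveParams(store, []Param{{Name: "db-user", Value: "app"}, {Name: "db-password", Source: "mysql-password"}})
	fmt.Println(rt["db-password"], rec["db-password"], err)
}
```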