Implement /system/secrets and use Nomad's configured Vault API #69

Closed
acornies opened this Issue Jan 24, 2019 · 7 comments

Collaborator

acornies commented Jan 24, 2019

What are the steps to reproduce this issue?

  1. download latest faas-cli ()
  2. download latest gateway >= 0.9.14
  3. try out faas-cli ~= 0.8.3 using faas-cli secret ...

What happens?

The secret endpoints are not yet supported.

Any other comments?

Adding this for tracking. The approach so far is to implement against Vault's API using the already-established convention of the default Vault policy and key prefix from faas-nomad.

Contributor

alexellis commented Jan 24, 2019

I didn't realize this wasn't implemented yet. I mentioned Nomad being available in the blog post, but given that this provider has fewer users this may be something that goes unnoticed in the interim.

https://www.openfaas.com/blog/unified-secrets/

Collaborator Author

acornies commented Jan 24, 2019

Working on it...

Collaborator

nicholasjackson commented Jan 24, 2019

Just taking a look at this, need to think about the security around Vault. Theoretically the access to Vault through the CLI is weaker than the Vault auth. Just need to think about the security and how the policy would be implemented.

Collaborator Author

acornies commented Jan 24, 2019

@nicholasjackson My implementation thus far uses the Nomad agent self config, which contains the Vault info. Ultimately faas-nomad needs a management style Nomad ACL token, which will provide the Vault token that's configured on the Nomad agent. It's very much tied to the permissions the Nomad agent has. (token seems to be redacted)

Collaborator Author

acornies commented Jan 24, 2019

Actually, the only way to do this properly is to have an "openfaas" Vault policy (already required with secrets) and an AppRole token tied to that policy which is provided to faas-nomad. That way, the faas-cli can only manage secrets defined in the policy. The vault service and other config is discovered via agent/self etc.

This requires some Vault management up front, but I don't see a way around that. Suggestions?
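The AppRole design described in this comment, as an added example that is neither part of the issue nor faas-nomad's own code: an in-process fake of the two Vault endpoints the flow touches (AppRole login and a KV v1 write), with the client side doing what faas-nomad would do on behalf of a faas-cli secret request. The prefix `/v1/secret/openfaas/`, the role_id/secret_id pair and the token are constructed values (the issue does not state faas-nomad's real key prefix), and the fake's prefix check stands in for the "openfaas" policy that real Vault would evaluate.

```python
import json, threading, urllib.request, urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical values: the issue names neither faas-nomad's real key prefix nor its AppRole credentials.
PREFIX = "/v1/secret/openfaas/"  # KV v1 path the "openfaas" policy is scoped to
ROLE_ID, SECRET_ID, TOKEN = "rid-constructed", "sid-constructed", "s.token-constructed"

class FakeVault(BaseHTTPRequestHandler):  # constructed stand-in: AppRole login + policy-scoped KV v1
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/v1/auth/approle/login":
            if (body.get("role_id"), body.get("secret_id")) != (ROLE_ID, SECRET_ID):
                return self.reply(400, {"errors": ["invalid role or secret ID"]})
            return self.reply(200, {"auth": {"client_token": TOKEN, "policies": ["openfaas"]}})
        # Policy check: a token bound to the openfaas policy may only write under PREFIX
        # (real Vault evaluates the policy's path rules; this prefix test is the toy version).
        if self.headers.get("X-Vault-Token") != TOKEN or not self.path.startswith(PREFIX):
            return self.reply(403, {"errors": ["permission denied"]})
        self.reply(204)  # a KV v1 write answers No Content

    def reply(self, status, obj=None):
        self.send_response(status)
        self.end_headers()
        if obj is not None:
            self.wfile.write(json.dumps(obj).encode())

def start_fake_vault():
    srv = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def post(url, payload, token=None):
    headers = {"Content-Type": "application/json", **({"X-Vault-Token": token} if token else {})}
    req = urllib.request.Request(url, json.dumps(payload).encode(), headers)
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def approle_login(addr, role_id, secret_id):  # what faas-nomad would do at startup
    status, raw = post(addr + "/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise PermissionError(f"AppRole login rejected: {status}")
    return json.loads(raw)["auth"]["client_token"]

def put_secret(addr, token, path, value):  # one faas-cli secret create, relayed by faas-nomad
    return post(addr + path, {"value": value}, token)[0]  # 204 inside the policy, 403 outside
```

Logging in with the constructed credentials and then calling `put_secret` for a path under `PREFIX` returns 204, while the same token writing outside the prefix (or a forged token writing inside it) gets 403, which is exactly the scoping an "openfaas" policy on an AppRole token buys.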

Collaborator Author

acornies commented Jan 25, 2019

I'd appreciate some feedback here: acornies@57bd520 when you get a chance. I'll keep going down this road unless I hear otherwise.

Collaborator Author

acornies commented Feb 11, 2019

Addressed in #70 using Vault approle and secrets v1.

@acornies acornies closed this Feb 11, 2019