Read secrets inside of Redhat OpenShift online?
I got a Redhat OpenShift Online Starter VPS to host my Discord bot. I have uploaded it to GitHub, minus my Discord token and other API keys, of course :^)
How do I get OpenShift to store and read client secrets?
If it helps, I'm using the nodejs8 framework.
Secrets have no place in a source version control hosting service such as GitHub.
Regarding OpenShift, it includes Secrets, a base64-encoded config map into which you can inject confidential information.
But long-term secret storage (which will be injected into OpenShift Secrets) should be kept in a proper Vault.
Such as HashiCorp Vault, as described in the article "Managing Secrets on OpenShift – Vault Integration".
The rest of it describes that solution, but even if you don't use that particular host, the general idea (external vault-type storage) still holds:
- An Init Container (run before the main container of a pod is started) requests a wrapped token from the Vault Controller over an encrypted connection.
Wrapped credentials allow you to pass credentials around without any of the intermediaries having to actually see the credentials.
- The Vault Controller retrieves the pod details from the Kubernetes API server.
- If the pod exists and contains the vaultproject.io/policies annotation, the Vault Controller calls Vault and generates a unique wrapped token with access to the Vault policies mentioned in the annotation. This step requires trust in the pod author to have used the right policies. The generated token has a configurable TTL.
- The Vault Controller “calls back” the Init Container using the pod IP obtained from the Kubernetes API over an encrypted connection and delivers it the newly created wrapped token. Notice that the Vault Controller does not trust the pod, it only trusts the master API.
- The Init Container unwraps the token to obtain the Vault token that will allow access to the credentials.
- The Vault token is written to a well-known location in a volume shared between the two containers (emptyDir) and the Init Container exits.
- The main container reads the token from the token file. Now the main container can use the token to retrieve all the secrets allowed by the policies considered when the token was created.
- If needed, the main container renews the token to keep it from expiring.