Posted to user@karaf.apache.org by Mike Hummel <mh...@mhus.de> on 2020/06/04 15:59:44 UTC
Re: Using Docker Secrets in Karaf Configuration
Hi,
I like the idea too ...
It should be possible to set a default value. Like always :)
Regards,
Mike
> On 27. May 2020, at 16:13, Alex Soto <al...@envieta.com> wrote:
>
> Thanks, JB, here it is:
>
>
> https://issues.apache.org/jira/browse/KARAF-6733
>
> Best regards,
> Alex soto
>
>
>
>
>> On May 27, 2020, at 12:16 AM, Jean-Baptiste Onofre <jb@nanthrax.net> wrote:
>>
>> Hi Alex,
>>
>> That’s a good idea about file.
>>
>> Can you please create a Jira about that ?
>>
>> Regards
>> JB
>>
>>> On 26 May 2020, at 19:57, Alex Soto <alex.soto@envieta.com> wrote:
>>>
>>> Thank you Mike,
>>>
>>> Still finding this too complex and less secure solution to an arguably common problem (at least when using Docker). Currently, I can have the following in a configuration file:
>>>
>>> org.ops4j.pax.web.ssl.password=${env:MYPASSWORD}
>>>
>>> And, as the documentation states:
>>>
>>>> Environment variables can be referenced inside configuration files using the syntax ${env:<name>} (e.g. property=${env:FOO} will set "property" to the value of the environment variable "FOO").
>>>
>>> Karaf will use the value from the environment variable; however, with this approach the secret is replicated/copied in two places: 1) the default location '/run/secrets/' put there by the Docker engine, and 2) the environment variable.
>>>
>>> I suppose one can think of a simpler Karaf mechanism to inject values from files into config files. For example,
>>>
>>> org.ops4j.pax.web.ssl.password=${file:/run/secrets/mypassword}
>>>
>>> So, when Karaf sees the prefix ${file: it will read the content of the file and use it as the value of the configuration key.
>>> This way, 1) I don’t have to write a complex script to copy the secret into the environment variable, and 2) the secret is only in one place.
>>>
>>> Best regards,
>>> Alex soto
>>>
>>>
>>>
>>>
>>>> On May 24, 2020, at 7:27 AM, Mike Hummel <mh@mhus.de> wrote:
>>>>
>>>> Hi Alex,
>>>>
>>>> I understand that you should not use the '-e' flags for secrets. A common way is to define the secret file with an environment flag and load it. And in this way you can support both: environment and secrets.
>>>>
>>>> A nice sample is https://github.com/docker-library/wordpress/blob/master/docker-entrypoint.sh
>>>>
>>>> Regards,
>>>>
>>>> Mike
>>>>
>>>>
>>>>> On 19. May 2020, at 18:22, Alex Soto <alex.soto@envieta.com> wrote:
>>>>>
>>>>> Thanks Mike,
>>>>>
>>>>> Yes, that would work, but wasn’t the secret mechanism added precisely to avoid the unsafe environment variables?
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Alex soto
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On May 18, 2020, at 2:57 PM, Mike Hummel <mh@mhus.de> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> store your secrets as bash script with
>>>>>>
>>>>>> key=value
>>>>>>
>>>>>> and include the secret in your start script
>>>>>>
>>>>>> . /run/secrets/credentials.sh
>>>>>>
>>>>>> Now the secrets are available as shell environment.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>>
>>>>>>> On 5. May 2020, at 22:16, Alex Soto <alex.soto@envieta.com> wrote:
>>>>>>>
>>>>>>> I found using Docker Secrets a convenient way to protect passwords when running Docker containers. I know I can reference environment variables in Karaf's config files, but that is not very secure, or at least less secure than secrets. For example, to configure a key store in the Pax Web config file org.ops4j.pax.web.cfg, one would need to provide a value for the key org.ops4j.pax.web.ssl.password. The problem is how to reference a secret, which is a file, as the value of this property? In other words, I am looking for something like:
>>>>>>>
>>>>>>> org.ops4j.pax.web.ssl.password=$(cat /run/secrets/keystorepass)
>>>>>>>
>>>>>>> Is there anything similar or planned?
>>>>>>>
>>>>>>> (Same would be useful to configure the JAAS users in users.properties, etc.)
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Alex soto
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
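The thread discusses two ways to get a Docker secret file into a Karaf .cfg value: an entrypoint that turns the file into an environment variable (the "NAME or NAME_FILE" convention Mike's linked WordPress entrypoint uses, with the default value Mike asks for), and a hypothetical ${file:/run/secrets/...} placeholder that Alex proposes in KARAF-6733. The script below is an added example written for this thread; it is not code from the Karaf project, from Pax Web or from the WordPress image. The function names file_env and resolve_file_refs, the allow-list directory argument and the constructed demo files are this example's own assumptions; Karaf itself only expands ${env:...} as the quoted documentation states.

```shell
#!/bin/sh
# Added example, not code from the Karaf project or the WordPress image:
# a POSIX sh entrypoint helper for the two approaches in the thread.
#   file_env          - "NAME or NAME_FILE" convention with a default value
#   resolve_file_refs - expands ${file:/run/secrets/...} placeholders in a .cfg
# Function names and the allow-list directory argument are this example's own.

# file_env NAME [DEFAULT]
# Exports NAME from, in order of preference: the file named by NAME_FILE
# (e.g. a Docker secret under /run/secrets), an existing NAME variable, or
# DEFAULT. Refuses the ambiguous case where both NAME and NAME_FILE are set,
# so a stray -e flag cannot silently override the mounted secret.
file_env() {
    var="$1"
    def="${2:-}"
    # Only accept a valid identifier before the name goes through eval.
    case "$var" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "file_env: bad variable name '$var'" >&2; return 1 ;;
    esac
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file_val=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file_val" ]; then
        echo "file_env: both $var and $file_var are set, refusing to guess" >&2
        return 1
    fi
    if [ -n "$file_val" ]; then
        # Read the secret from disk; $(...) strips the trailing newline.
        val=$(cat "$file_val") || return 1
    elif [ -z "$val" ]; then
        val="$def"
    fi
    export "$var=$val"
    # Drop the path variable so child processes do not inherit it.
    unset "$file_var"
}

# resolve_file_refs CFG [ALLOWED_DIR]
# Prints CFG with each ${file:/path} placeholder (one per line) replaced by
# the first line of that file. Paths must live under ALLOWED_DIR (default
# /run/secrets) and contain no "..", so a config file cannot be used to
# inline arbitrary files from the container.
resolve_file_refs() {
    cfg="$1"
    allowed="${2:-/run/secrets}"
    open='${file:'
    close='}'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"$open"*"$close"*)
                prefix=${line%%"$open"*}
                rest=${line#*"$open"}
                path=${rest%%"$close"*}
                suffix=${rest#*"$close"}
                case "$path" in
                    *..*) echo "resolve_file_refs: rejecting '$path'" >&2; return 1 ;;
                    "$allowed"/*) ;;
                    *) echo "resolve_file_refs: '$path' is outside $allowed" >&2; return 1 ;;
                esac
                secret=$(head -n 1 "$path") || return 1
                printf '%s%s%s\n' "$prefix" "$secret" "$suffix"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$cfg"
}

# Constructed demo input (not a real secret): a secret file and a Pax Web
# config fragment that references it, laid out the way Docker would mount it.
demo() {
    d=$(mktemp -d)
    printf 'changeit\n' > "$d/keystorepass"
    printf 'org.ops4j.pax.web.ssl.password=${file:%s/keystorepass}\n' "$d" > "$d/org.ops4j.pax.web.cfg"

    # Approach 1: the entrypoint turns the secret file into an env var, so the
    # existing ${env:KEYSTORE_PASS} placeholder in the .cfg keeps working.
    export KEYSTORE_PASS_FILE="$d/keystorepass"
    file_env KEYSTORE_PASS
    echo "KEYSTORE_PASS set from file (${#KEYSTORE_PASS} chars)"
    file_env DB_USER karaf
    echo "DB_USER fell back to default: $DB_USER"

    # Approach 2: expand ${file:...} placeholders before Karaf reads the .cfg.
    resolve_file_refs "$d/org.ops4j.pax.web.cfg" "$d" > "$d/resolved.cfg"
    if grep -q 'file:' "$d/resolved.cfg"; then
        echo "unresolved placeholder left in resolved.cfg"
    else
        echo 'all ${file:...} placeholders resolved'
    fi
    rm -rf "$d"
}
demo
```

With approach 1 the secret exists in the mounted file and in the Karaf process environment, which is exactly the duplication Alex objects to, but the value never appears on the docker command line or in `docker inspect` output. With approach 2 the resolved .cfg is a second on-disk copy of the secret, so it should be written to a tmpfs mount rather than the image's etc/ directory; native ${file:...} support in Karaf would remove that copy altogether.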