[Ansible-service-broker] Broker secrets

Fabian von Feilitzsch fabian at redhat.com
Tue Sep 5 15:41:18 UTC 2017


My PR allowing you to use secrets to pass sensitive parameters into APBs
was just merged.

The PR was motivated by our work on Amazon APBs, where we have highly
sensitive credentials, as well as cluster-specific configuration that the
user shouldn't have to deal with.

Our solution, at least until the Open Service Broker API supports secret
passing between the catalog and broker, is to have a project administrator
create a secret in the namespace of the broker, and update the broker
configuration to associate that secret with a specific APB.

On the next catalog request to the broker, any parameters provided by that
secret should be filtered from the spec, so the user will not be prompted
for them. Any APB that has associated secrets will run in the namespace of
the broker and with the secrets mounted. The APB base image has been
updated to handle parsing those mounted secrets into a format consumable by
ansible, as well as to disable ansible logging to prevent the credentials
from showing up in plain text.

I also included a python script (scripts/create_broker_secret.py in the
ansible-service-broker project) that should make interacting with the
secret changes pretty simple. It will allow you to specify a secret name,
namespace of the broker, and image you'd like to associate, as well as a
series of key=value pairs or yaml formatted files, and it will create the
corresponding secret, update the broker configuration, and roll out a new
broker if necessary.

As an unexpected side-benefit, I've actually found this change very useful
for testing, because I was able to specify parameters in the secret and
never had to enter them again. I mostly tested with the
rhscl-postgresql-apb, using the following secret:

./scripts/create_broker_secret.py test ansible-service-broker \
    docker.io/fabianvf/rhscl-postgresql-apb \
    postgresql_user=admin postgresql_password=changeme postgresql_version="9.5"


It really did speed up my testing cycles a lot.

Full usage output for the script:

❯❯❯ ./scripts/create_broker_secret.py --help
USAGE:
  ./scripts/create_broker_secret.py NAME NAMESPACE IMAGE [KEY=VALUE]* [@FILE]*

  NAME:      the name of the secret to create/replace
  NAMESPACE: the target namespace of the secret. It should be the namespace of the broker for most use cases
  IMAGE:     the docker image you would like to associate with the secret
  KEY:       a key to create inside the secret. This cannot contain an "=" sign
  VALUE:     the value for the KEY in the secret
  FILE:      a yaml loadable file containing key: value pairs. A file must begin with an "@" symbol to be loaded


EXAMPLE:
  ./scripts/create_broker_secret.py mysecret ansible-service-broker \
    docker.io/ansibleplaybookbundle/hello-world-apb key1=hello key2=world \
    @additional_parameters.yml
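The post describes two mechanics: parameters that a broker-associated secret supplies are filtered out of the catalog spec so the user is never prompted for them, and the APB base image turns the mounted secret into variables Ansible can consume. The following is an added illustration of both, written for this page; it is not code from the post, from create_broker_secret.py, or from the APB base image. The spec layout, the parameter names, the KEY=VALUE arguments and the mount directory are all constructed for the example, and the one-file-per-key layout is how a Kubernetes secret volume appears to a container.

```python
"""Added example: secret-supplied parameter filtering and mounted-secret
parsing, modelled on the behaviour the post describes. Not project code."""
import json
import os
import tempfile
from typing import Dict, Iterable, List


# Constructed sample spec (not the real rhscl-postgresql-apb spec): one plan
# with four parameters, three of which the broker secret will supply.
SAMPLE_SPEC = {
    "name": "rhscl-postgresql-apb",
    "plans": [
        {
            "name": "dev",
            "parameters": [
                {"name": "postgresql_user", "required": True},
                {"name": "postgresql_password", "required": True},
                {"name": "postgresql_version", "default": "9.5"},
                {"name": "postgresql_database", "default": "admin"},
            ],
        }
    ],
}


def parse_pairs(args: Iterable[str]) -> Dict[str, str]:
    """Parse KEY=VALUE arguments as the script's usage text describes:
    the key may not contain '=', so split only on the first one."""
    data: Dict[str, str] = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"expected KEY=VALUE, got {arg!r}")
        key, value = arg.split("=", 1)
        if not key:
            raise ValueError(f"empty key in {arg!r}")
        data[key] = value
    return data


def filter_spec_parameters(spec: dict, secret_keys: Iterable[str]) -> dict:
    """Return a copy of the spec with every parameter the secret supplies
    removed, so the catalog never prompts the user for it. The original
    spec object is left untouched."""
    hidden = set(secret_keys)
    filtered = json.loads(json.dumps(spec))  # cheap deep copy
    for plan in filtered.get("plans", []):
        plan["parameters"] = [
            p for p in plan.get("parameters", []) if p["name"] not in hidden
        ]
    return filtered


def write_mounted_secret(mount_dir: str, data: Dict[str, str]) -> None:
    """Stand-in for the kubelet: lay the secret out as one file per key,
    with the file contents being the value (constructed for this example)."""
    os.makedirs(mount_dir, exist_ok=True)
    for key, value in data.items():
        with open(os.path.join(mount_dir, key), "w") as fh:
            fh.write(value)


def load_mounted_secret(mount_dir: str) -> Dict[str, str]:
    """Read a secret volume back into a dict suitable for Ansible extra-vars.
    Dotfiles and non-regular files are skipped: a real secret volume also
    contains the kubelet's '..data' symlink and '..<timestamp>' directories."""
    result: Dict[str, str] = {}
    for name in sorted(os.listdir(mount_dir)):
        path = os.path.join(mount_dir, name)
        if name.startswith(".") or not os.path.isfile(path):
            continue
        with open(path) as fh:
            result[name] = fh.read()
    return result


def demo() -> dict:
    """Run the whole flow on the constructed sample and report the result."""
    # What an operator would pass to the script (assumed values).
    pairs = parse_pairs([
        "postgresql_user=admin",
        "postgresql_password=changeme",
        "postgresql_version=9.5",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        mount = os.path.join(tmp, "secrets")
        write_mounted_secret(mount, pairs)      # broker side: secret exists
        extra_vars = load_mounted_secret(mount)  # APB side: parse the mount
    filtered = filter_spec_parameters(SAMPLE_SPEC, extra_vars)
    remaining: List[str] = [p["name"] for p in filtered["plans"][0]["parameters"]]
    return {"extra_vars": extra_vars, "remaining": remaining}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))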

