[Hawkular-dev] hosa using secrets for endpoint credentials

John Mazzitelli mazz at redhat.com
Tue Jan 10 19:41:05 EST 2017 

Right now, the Hawkular OpenShift Agent (HOSA) can pass HTTP authentication headers to endpoints it is monitoring, but you have to declare the credentials in the pod's configmap's endpoints section:

endpoints:
- type: jolokia
  credentials:
    username: myuser
    password: mypass

We would like to figure a better way. One way Heiko mentioned was to see if we can use OpenShift's secrets right here in the credentials section.

So I created a PoC to see if and how it can work. I have it working here in my own branch:

https://github.com/jmazzitelli/hawkular-openshift-agent/tree/use-secrets

After building and deploying the agent in my OpenShift environment, I then created a secret (via the OS console) in my project where my jolokia pod lives - the secret is called "foo2" which has two keys defined: "password" and "username". I then tell the agent about this by passing in credentials as I describe above, but I prefix the values with "secret:" to tell the agent to expect the actual values to be found in the secret. The full syntax of the credentials values are "secret:<secret name>/<secret key>". So for example, I can have this in my configmap:

endpoints:
- type: jolokia
  credentials:
    username: secret:foo2/username
    password: secret:foo2/password

It can optionally use bearer tokens:

endpoints:
- type: jolokia
  credentials:
    token: secret:foo2/password

There is one problem with this. I need to add a cluster role to the agent to read secrets (I need verb "get" on resource "secrets" - for testing, I am using the "system:node" role since that is one of the few that has that permission - we'd really want a cluster role that only has "get"/"secrets" - we don't need all the perms that "system:node" provides - we'd have to create our role if need be).

But is this good? I do not know of any other way for the agent to be able to read secrets. Is it OK to require the agent to have "get" "secrets" permission? Is there another way to access secrets?

More information about the hawkular-dev mailing list