[Hawkular-dev] hosa using secrets for endpoint credentials

John Mazzitelli mazz at redhat.com
Wed Jan 11 08:54:49 EST 2017


> We also use secrets on Hawkular APM, and I don't remember having to
> create specific cluster roles. I believe that, as long as the secret
> lives in the same "application" as the consumer of the secret, there's
> no need for an extra role.

That's exactly the issue. The agent is in charge of monitoring the node - so it can cross all the projects - a pod to be monitored may not even be in the same project (aka namespace) as the agent.

----- Original Message -----
> On 01/11/2017 01:41 AM, John Mazzitelli wrote:
> > There is one problem with this. I need to add a cluster role to the agent
> > to read secrets (I need verb "get" on resource "secrets" - for testing, I
> > am using the "system:node" role since that is one of the few that has that
> > permission - we'd really want a cluster role that only has "get"/"secrets"
> > - we don't need all the perms that "system:node" provides - we'd have to
> > create our role if need be).
> 
> We also use secrets on Hawkular APM, and I don't remember having to
> create specific cluster roles. I believe that, as long as the secret
> lives in the same "application" as the consumer of the secret, there's
> no need for an extra role.
> 
> I'm not sure the way we are doing can be also done for the HOSA, but
> here's an overview on how we use secrets for APM:
> 
> We create the secret, and the values here should be base64 encoded:
> https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L6-L13
> 
> We specify that we want this secret to be a volume:
> https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L76-L79
> 
> And we mount this volume into the container:
> https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L51-L54
> 
> We have a standalone-wrapper.sh, which then tries to find the admin's
> username and password the server should create. One of the possibilities
> is reading the client secret values:
> https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/hawkular-apm-server/standalone-wrapper.sh#L16-L26
> 
> - Juca.
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
> 
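A least-privilege alternative to binding the agent to "system:node", as an added example that is not part of this thread or of the HOSA project: a ClusterRole carrying only verb "get" on resource "secrets", bound with a ClusterRoleBinding (not a namespaced RoleBinding) because the agent must read secrets from pods in other projects. The service account name and namespace are assumed placeholders.

```yaml
# Added example; not code from the hawkular-dev thread or the HOSA/APM projects.
# Assumed placeholders: the agent runs as service account "hawkular-agent"
# in namespace "hawkular-monitoring". Adjust both to your deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hawkular-agent-secret-reader
rules:
- apiGroups: [""]          # core API group, where Secret lives
  resources: ["secrets"]
  verbs: ["get"]           # no list/watch: the agent must already know the secret name
---
# Cluster-wide binding: a RoleBinding would only cover one namespace, but the
# monitored pod may live in a different project than the agent.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hawkular-agent-secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hawkular-agent-secret-reader
subjects:
- kind: ServiceAccount
  name: hawkular-agent
  namespace: hawkular-monitoring
```

After applying, `kubectl auth can-i get secrets -n <other-project> --as=system:serviceaccount:hawkular-monitoring:hawkular-agent` should answer yes while `kubectl auth can-i list secrets` with the same `--as` answers no, which confirms the role grants nothing beyond what the message asks for.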

