[Hawkular-dev] hosa using secrets for endpoint credentials

Matt Wringe mwringe at redhat.com
Wed Jan 11 09:23:49 EST 2017


----- Original Message -----
> From: "John Mazzitelli" <mazz at redhat.com>
> To: "Discussions around Hawkular development" <hawkular-dev at lists.jboss.org>
> Sent: Wednesday, 11 January, 2017 8:54:49 AM
> Subject: Re: [Hawkular-dev] hosa using secrets for endpoint credentials
> 
> > We also use secrets on Hawkular APM, and I don't remember having to
> > create specific cluster roles. I believe that, as long as the secret
> > lives in the same "application" as the consumer of the secret, there's
> > no need for an extra role.
> 
> That's exactly the issue. The agent is in charge of monitoring the node - so
> it can cross all the projects - a pod to be monitored may not even be in the
> same project (aka namespace) as the agent.

If we can't get secrets with something like the cluster-reader permission, I don't know if we should be using it. Reading secrets starts to become tricky and it might not be something we can get approval for.

> ----- Original Message -----
> > On 01/11/2017 01:41 AM, John Mazzitelli wrote:
> > > There is one problem with this. I need to add a cluster role to the agent
> > > to read secrets (I need verb "get" on resource "secrets" - for testing, I
> > > am using the "system:node" role since that is one of the few that has that
> > > permission - we'd really want a cluster role that only has "get"/"secrets"
> > > - we don't need all the perms that "system:node" provides - we'd have to
> > > create our role if need be).
> > 
> > We also use secrets on Hawkular APM, and I don't remember having to
> > create specific cluster roles. I believe that, as long as the secret
> > lives in the same "application" as the consumer of the secret, there's
> > no need for an extra role.
> > 
> > I'm not sure the way we are doing it can also be done for the HOSA, but
> > here's an overview of how we use secrets for APM:
> > 
> > We create the secret, and the values here should be base64 encoded:
> > https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L6-L13
> > 
> > We specify that we want this secret to be a volume:
> > https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L76-L79
> > 
> > And we mount this volume into the container:
> > https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/openshift-templates/hawkular-apm-server-deployment.yml#L51-L54
> > 
> > We have a standalone-wrapper.sh, which then tries to find the admin's
> > username and password the server should create. One of the possibilities
> > is reading the client secret values:
> > https://github.com/jboss-dockerfiles/hawkular-apm/blob/master/hawkular-apm-server/standalone-wrapper.sh#L16-L26
> > 
> > - Juca.
> > _______________________________________________
> > hawkular-dev mailing list
> > hawkular-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> > 
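The least-privilege alternative John describes above (a cluster role with only "get" on "secrets", instead of reusing "system:node"), written out as an added example using the Kubernetes RBAC API; this is not from the thread or from the HOSA project, and the role name, the service account name and the namespace are assumptions:

```yaml
# Added example, not HOSA's own manifests. Grants exactly one permission,
# verb "get" on resource "secrets", rather than everything "system:node" carries.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hawkular-agent-secret-reader      # assumed name
rules:
- apiGroups: [""]                          # core API group, where Secret lives
  resources: ["secrets"]
  verbs: ["get"]                           # no "list"/"watch": the agent must already know the secret's name
---
# Binds the role cluster-wide, since the agent monitors pods across all projects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hawkular-agent-secret-reader      # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hawkular-agent-secret-reader
subjects:
- kind: ServiceAccount
  name: hawkular-openshift-agent          # assumed service account the agent pod runs as
  namespace: hawkular-agent               # assumed namespace the agent is deployed in
```

Because the binding is cluster-scoped, the agent can read any secret in any project whose name it knows (the cross-project need John raises, and the exposure Matt is worried about), so reviewers can verify the effective grant with `kubectl auth can-i get secrets --as=system:serviceaccount:hawkular-agent:hawkular-openshift-agent` and confirm that `kubectl auth can-i list secrets` with the same `--as` is denied.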

