Be able to mount secrets from Vault #2277

Open
Tracked by #2742
aronchick opened this issue Apr 1, 2023 · 1 comment
Labels
th/private-data Theme: Access and operate on private data securely

Comments

@aronchick
Collaborator

We need a way for a Bac job to be able to mount in secrets from vault. There could be a few approaches here:

  • Having secrets/tokens distributed in Bacalhau (a la k8s secrets)
  • Having credentials on the node to pull in from vault
  • Having external web call available to get bearer token for vault
  • Other?
@rossjones rossjones added the th/private-data Theme: Access and operate on private data securely label Aug 4, 2023
@wdbaruni wdbaruni moved this from Inbox to Backlog in Engineering Planning Jul 1, 2024
@aronchick
Collaborator Author

Here's an additional user-experience look at this:

So, here's an example job:

```yaml
Job:
  APIVersion: V1beta2
  Spec:
    Deal:
      Concurrency: 1
      TargetingMode: true
    EngineSpec:
      Params:
        EnvironmentVariables:
          - INPUTFILE=/var/log/logs_to_process/aperitivo_logs.log.1
          - QUERY=SELECT * FROM log_data WHERE message LIKE '%[SECURITY]%' ORDER BY '@timestamp'
        Image: docker.io/bacalhauproject/motherduck-log-processor:1.1.6
        WorkingDirectory: ""
      Type: docker
    Resources:
      GPU: ""
      Memory: 4gb
    Network:
      Type: Full
    Inputs:
      - Name: file:///var/log/logs_to_process
        SourcePath: /var/log/logs_to_process
        StorageSource: LocalDirectory
        path: /var/log/logs_to_process
      - Name: file:///db/
        SourcePath: /db
        StorageSource: LocalDirectory
        path: /db
```

Now imagine in there there's a field "SecretManager":

```yaml
    Secrets:
      - Manager: dmno-vault
        Items:
          - SECRET_ONE
          - SECRET_TWO
```

This comes from an object created elsewhere:

```yaml
SecretsManager:
  Name: dmno-vault
  URL: https://dmno.io
  TokenName: dmno-reader-token
```

And we further had a separate command:

```shell
bacalhau create service-account secret-reader
bacalhau set secret-token --vault-name dmno-vault --name "dmno-reader-token" --value "m7PZBJKJuYR3kGGrDvIqJp5aDjvtVABGEDMtlSzkdZ7fTXv6dAsFlWvjzTdMzP0G"
```

With this construction, when the bacalhau job runs, it reads from your vault inline, and mounts these as environment variables in the environment in which the process runs.

cc @wdbaruni for some additional thinking.
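
To make the flow proposed above concrete, here is an added Go example; it is not Bacalhau code and not code from the comments in this issue. It resolves a job's `Secrets` block against a `SecretsManager` object, using the node-held token named by `TokenName` rather than a token embedded in the job spec, and fails closed when the manager, the node token, or any requested item cannot be read. The `VaultClient` interface, the in-memory `fakeVault`, the `RedactEnv` helper and all token and secret values are assumptions constructed for the example; a real implementation would talk to the vault at `URL`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretsManager mirrors the object sketched in the issue: a named vault, its URL,
// and the NAME of a reader token that is stored on the node, never in the job spec.
type SecretsManager struct {
	Name      string
	URL       string
	TokenName string
}

// SecretsBlock is the proposed per-job "Secrets" entry: which manager, which items.
type SecretsBlock struct {
	Manager string
	Items   []string
}

// VaultClient is an assumed read interface (not a Bacalhau API). A real client
// would use SecretsManager.URL; the fake below lets the example run offline.
type VaultClient interface {
	Read(token, key string) (string, error)
}

// fakeVault is a constructed stand-in: token -> the key/value pairs it may read.
type fakeVault struct {
	tokens map[string]map[string]string
}

func (f fakeVault) Read(token, key string) (string, error) {
	kv, ok := f.tokens[token]
	if !ok {
		return "", errors.New("vault: token rejected")
	}
	v, ok := kv[key]
	if !ok {
		return "", fmt.Errorf("vault: %q not readable with this token", key)
	}
	return v, nil
}

// ResolveSecrets turns a job's Secrets block into KEY=value environment entries.
// It fails closed: an unknown manager, a missing node token or an unreadable
// item returns an error so the job never starts with a partial environment.
func ResolveSecrets(block SecretsBlock, managers map[string]SecretsManager,
	nodeTokens map[string]string, client VaultClient) ([]string, error) {
	mgr, ok := managers[block.Manager]
	if !ok {
		return nil, fmt.Errorf("unknown secrets manager %q", block.Manager)
	}
	token, ok := nodeTokens[mgr.TokenName]
	if !ok {
		return nil, fmt.Errorf("node holds no token named %q for %s", mgr.TokenName, mgr.Name)
	}
	env := make([]string, 0, len(block.Items))
	for _, item := range block.Items {
		val, err := client.Read(token, item)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", mgr.Name, err)
		}
		env = append(env, item+"="+val)
	}
	return env, nil
}

// RedactEnv is the only form an executor should log or echo back: names, no values.
func RedactEnv(env []string) []string {
	out := make([]string, len(env))
	for i, kv := range env {
		name, _, _ := strings.Cut(kv, "=")
		out[i] = name + "=<redacted>"
	}
	return out
}

func main() {
	managers := map[string]SecretsManager{
		"dmno-vault": {Name: "dmno-vault", URL: "https://dmno.io", TokenName: "dmno-reader-token"},
	}
	nodeTokens := map[string]string{"dmno-reader-token": "tok-reader"} // constructed token
	vault := fakeVault{tokens: map[string]map[string]string{
		"tok-reader": {"SECRET_ONE": "alpha", "SECRET_TWO": "beta"}, // constructed values
	}}
	block := SecretsBlock{Manager: "dmno-vault", Items: []string{"SECRET_ONE", "SECRET_TWO"}}
	env, err := ResolveSecrets(block, managers, nodeTokens, vault)
	if err != nil {
		fmt.Println("refusing to start job:", err)
		return
	}
	fmt.Println("env passed to container:", RedactEnv(env))
	// An item the token cannot read refuses the job instead of starting it without it.
	_, err = ResolveSecrets(SecretsBlock{Manager: "dmno-vault", Items: []string{"SECRET_THREE"}},
		managers, nodeTokens, vault)
	fmt.Println("missing item:", err)
}
```

The design point this illustrates: the job spec carries only item names and a manager name, so it can be shared, logged and rerun without exposing values, and the token that can actually read the vault is looked up by `TokenName` on the node (the `bacalhau set secret-token` step above), which is approach 2 from the first comment. Whatever the executor prints about the resolved environment should go through `RedactEnv` or an equivalent.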

Projects
Status: Backlog
Development

No branches or pull requests

2 participants