
be able to use secrets for credentials #87

Merged
merged 1 commit into from
Jan 12, 2017

Conversation

jmazzitelli
Contributor

A PoC that allows endpoint credentials to refer to an OS secret.

@pilhuhn
Member

pilhuhn commented Jan 11, 2017

This works for me. I have a secret like this:
echo -n "test4hawkular" | base64 # create the password
and then

$ less ~/hosa-secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: hosa-secret
type: Opaque
data:
  password: dGVzdDRoYXdrdWxhcg==

This is referenced in the java-exec container's ENV

 containers:
        - env:
          - name: AB_JOLOKIA_PASSWORD_RANDOM
            value: "false"
          - name: AB_JOLOKIA_PASSWORD
            valueFrom:
              secretKeyRef:
                name: hosa-secret
                key: password

and also in the config-map for the agent:

      credentials:
        username: jolokia
        password: secret:hosa-secret/password

@jmazzitelli
Contributor Author

I just changed this so it creates our own clusterrole that just gives "get/secrets" permission. It gets assigned to our service account. I tested it and it works.

@jmazzitelli jmazzitelli force-pushed the use-secrets branch 2 times, most recently from 99cb1fe to 2439545 on January 11, 2017 21:57
@jmazzitelli
Contributor Author

I took out the granting of the full cluster-reader role. We do not need the vast majority of the permissions cluster-reader provides. So, instead, I create a much more limited cluster role and assign only that role to the agent. I tested it and it looks to be working. See deploy/openshift/hawkular-openshift-agent.yaml for the ClusterRole that is created.
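As an added example (not the agent's own code), here is the `secret:<name>/<key>` credential-reference scheme from pilhuhn's config map above, resolved against a store that needs nothing but `get` on secrets, which is the one permission the limited ClusterRole described here has to grant. `SecretStore` and `mapStore` are hypothetical stand-ins for a Kubernetes API client, the namespace is assumed to be `openshift-infra`, and the secret data is the constructed value from the thread.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// SecretStore is a hypothetical stand-in for a Kubernetes API client. Only
// "get" is needed, which is all the agent's ClusterRole has to grant.
type SecretStore interface {
	Get(namespace, name string) (map[string]string, error)
}

// mapStore is a constructed in-memory store; values are base64 strings as
// they appear under data: in a Secret manifest (a real client returns bytes).
type mapStore map[string]map[string]string

func (m mapStore) Get(namespace, name string) (map[string]string, error) {
	if s, ok := m[namespace+"/"+name]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("secret %s/%s not found", namespace, name)
}

// ResolveCredential returns value unchanged unless it has the form
// "secret:<name>/<key>"; then that key is fetched from the named Secret in
// namespace and base64-decoded. Malformed references are rejected rather
// than silently used as a literal password.
func ResolveCredential(store SecretStore, namespace, value string) (string, error) {
	if !strings.HasPrefix(value, "secret:") {
		return value, nil
	}
	parts := strings.SplitN(strings.TrimPrefix(value, "secret:"), "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed reference %q: want secret:<name>/<key>", value)
	}
	data, err := store.Get(namespace, parts[0])
	if err != nil {
		return "", err
	}
	enc, ok := data[parts[1]]
	if !ok {
		return "", fmt.Errorf("secret %s has no key %q", parts[0], parts[1])
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", fmt.Errorf("secret %s/%s: bad base64: %v", parts[0], parts[1], err)
	}
	return string(raw), nil
}
```

A reference to a missing secret, a missing key, or the wrong namespace fails closed with an error instead of falling back to the literal string.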

Rather than give the agent full cluster-reader role, this creates a cluster role and assigns it to the agent
which ends up only giving the agent what it needs and no more.

openshift-undeploy:
@echo Undeploying the Agent from OpenShift
oc delete all,secrets,sa,templates,configmaps,daemonsets --selector=metrics-infra=agent -n openshift-infra
oc delete all,secrets,sa,templates,configmaps,daemonsets,clusterroles --selector=metrics-infra=agent -n openshift-infra
oc delete clusterroles hawkular-openshift-agent
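Review bot: the last line, `oc delete clusterroles hawkular-openshift-agent`, deletes by name without `--ignore-not-found`, so the openshift-undeploy target aborts at this step whenever the role is already gone (a second undeploy run, or once the selector-based delete on the line above starts covering clusterroles). Suggest `oc delete clusterroles hawkular-openshift-agent --ignore-not-found` so undeploy stays idempotent, plus a comment next to it recording why an explicit delete exists alongside the selector-based one so it is easy to remove later.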
Contributor Author


This line that deletes the cluster role can be deleted once this is fixed: openshift/origin#12450
There is already a PR that fixes it, just wait for it to be merged: openshift/origin#12461

@jmazzitelli jmazzitelli merged commit 0b007e9 into hawkular:master Jan 12, 2017
@jmazzitelli jmazzitelli deleted the use-secrets branch January 12, 2017 16:32