ONLYOFFICE / Kubernetes-Docs

ONLYOFFICE Docs for Kubernetes
https://onlyoffice.com
Apache License 2.0

Extraconf configmap contains secrets #315

Open kimkil94 opened 3 weeks ago

kimkil94 commented 3 weeks ago

Hello, we are using S3 as persistence storage for DocumentServer. For extraconf parameters this guide leads us to use ConfigMap. Is there another way to handle those secrets to not store them in ConfigMap as plaintext? It's not very secure when you are using IaC and need to store "local.json" with extraconf params in Git as well.

{
    "storage": {
        "name": "storage-s3",
        "fs": {
            "folderPath": "",
            "urlExpires": 900,
            "secretString": "XXXXXXXXXXX"
        },
        "region": "us-west-2",
        "endpoint": "https://s3.us-west-2.amazonaws.com/",
        "bucketName": "XXXXXXXXXX",
        "storageFolderName": "files",
        "urlExpires": 604800,
        "accessKeyId": "AKIAXXXXyyyyyyy",
        "secretAccessKey": "XXXXXyyyyy",
        "sslEnabled": false,
        "s3ForcePathStyle": false,
        "externalHost": ""
    }
}

Thank you in advance

GeorgeONLYOFFICE commented 3 weeks ago

Hello,

To solve this issue, you can keep either the entire encrypted local.json file in Git or just the required key values. For encryption/decryption in a cluster, you can use either [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) or the more recommended [Mozilla SOPS](https://github.com/getsops/sops).
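A pre-commit or CI guard for the setup discussed in this thread, added here as an example and not part of the issue or of the ONLYOFFICE chart: it reports where `local.json`, or a ConfigMap manifest in JSON form that embeds it, still holds plaintext values under the sensitive keys. The key list, the function name `plaintext_secrets` and all sample values are assumptions; it recognises SOPS value encryption (`ENC[AES256_GCM,...]`), not Sealed Secrets resources.

```python
import json
import re

# Key names come from the local.json in the question; extend for your own config.
SENSITIVE_KEYS = {"secretString", "accessKeyId", "secretAccessKey"}
# Shape of a value encrypted by SOPS: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
SOPS_VALUE = re.compile(r"^ENC\[AES256_GCM,data:.+\]$")


def plaintext_secrets(node, path=""):
    """Return paths of sensitive keys whose values are not SOPS-encrypted."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(value, str):
                # An empty string means "unset" and is not reported.
                if value and not SOPS_VALUE.match(value):
                    findings.append(here)
            else:
                findings.extend(plaintext_secrets(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(plaintext_secrets(item, f"{path}[{index}]"))
    elif isinstance(node, str) and node.lstrip().startswith("{"):
        # A ConfigMap carries local.json as a string under data; look inside it.
        try:
            findings.extend(plaintext_secrets(json.loads(node), path))
        except ValueError:
            pass  # not JSON after all, nothing to inspect
    return findings


# Constructed sample: layout from the question, made-up values.
PLAINTEXT = {"storage": {"name": "storage-s3",
                         "fs": {"urlExpires": 900, "secretString": "constructed-value"},
                         "bucketName": "example-bucket",
                         "accessKeyId": "constructed-key-id",
                         "secretAccessKey": "constructed-secret"}}
# Constructed sample: the same keys after encryption (ciphertext is not real).
ENC = "ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:aXY=,tag:dGFn,type:str]"
ENCRYPTED = {"storage": {"name": "storage-s3", "fs": {"secretString": ENC},
                         "accessKeyId": ENC, "secretAccessKey": ENC}}
# Constructed sample: ConfigMap manifest (JSON form) embedding the plaintext file.
CONFIGMAP = {"kind": "ConfigMap", "data": {"local.json": json.dumps(PLAINTEXT)}}

if __name__ == "__main__":
    for label, doc in [("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED),
                       ("configmap", CONFIGMAP)]:
        print(label, plaintext_secrets(doc) or "ok")
```
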