appleboy
commented
6 years ago @johnjjung Good catch. something like Use-Case: Pod with ssh keys or Using Secrets as Environment Variables. Right?
Open appleboy opened 8 years ago
appleboy
commented
6 years ago @johnjjung Good catch. something like Use-Case: Pod with ssh keys or Using Secrets as Environment Variables. Right?
johnjjung
commented
6 years ago Thanks! You've got an awesome repo here! @appleboy
Yes, I think there's a very simple way of doing this without you having to modify anything.
I'm just overriding it with a custom command either in docker-compose or kubernetes file to execute a custom deploy.sh script. Add CMD deploy.sh and in your deploy.sh
Basically turn your key files or sensitive credentials into base64 ENV's. In your deploy.sh just do something like:
# this will create your keyfile dynamically from a kubernetes secret or ENV
if [ ! -z "$KEYFILE" ]; then
echo $KEYFILE | base64 -d > /keyfile.p12
fi
# run gorush here with whatever flags you need best way would be to specify the `keyfile.p12` that you've generated in your config file
gorush -c config.ymlThen you can expand without modification and deploy safely.
I'll write this up in a README.me and do a PR for you to review once I prove this concept on this repo. This actually works really well for CI/CD that we're using.
appleboy
commented
6 years ago @johnjjung Waiting for your PR. Thanks. 👍
johnjjung
commented
6 years ago @appleboy
gorush_1 | standard_init_linux.go:195: exec user process caused "no such file or directory"I keep getting this error, I see you're using plugins/base:multiarch docker image, I'm not familiar with it, can you point me in the right direction in debugging this?
I can't seem to do even simple printenv in the docker container.
johnjjung
commented
6 years ago I just changed the Dockerfile to alpine:latest for now, I'll circle back to this
johnjjung
commented
6 years ago Hm... this is proving to be not as straightforward as many things in life...
gorush_1 | time="2017/12/08 - 18:56:43" level=error msg="Cert Error:pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:0 tag:19 length:48 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2" So apparently after I dynamically create a cert.p12 from a base64 env it's having trouble reading it
johnjjung
commented
6 years ago ok got it working now, gotta convert the cert.p12 to a pem file.
beeing
commented
3 weeks ago Hi guys, I know this has been awhile, is there a roadmap to specify different cert via API to support multi-tenancy?
Thanks in advance.
Agreed! in k8s deployments if we can use secrets instead of config maps so that you can load a base64 image of the APN key files, I think would be much better. Otherwise you have to build the docker image with the key file inside and push that to the repo which is terrible practice.
Other way would be to have a deployment script when after the docker file loads to pull it securely from a remote location. Maybe we can do this in the Dockerfile itself where if an ENV is set, then automatically echo $CERTFILE > 'cert.p12' then in k8s secrets you just set it as an SECRET ENV.