microsoft / service-fabric

Service Fabric is a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers at large scale.
https://docs.microsoft.com/en-us/azure/service-fabric/
MIT License

Question Service Fabric - Getting Secrets inside containers #794

Open nareshkhatri81 opened 6 years ago

nareshkhatri81 commented 6 years ago

Team,

I was looking into Service Fabric secret management: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management

I am wondering whether it is possible to use this inside containers. It uses certificates for encryption and decryption, which are stored on the host. As containers run in their own isolation, will they be able to retrieve secrets?

using System.Fabric;
using System.Fabric.Description;
using System.Security;

ConfigurationPackage configPackage = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
SecureString mySecretValue = configPackage.Settings.Sections["MySettings"].Parameters["MySecret"].DecryptValue();

Do we need to install the certificate inside containers for decryption to work?

Thanks, Naresh Khatri

mani-ramaswamy commented 6 years ago

There is an issue with the exported cert https://github.com/Azure/service-fabric-issues/issues/448 that is fixed in 6.2. Meanwhile, adopt the second approach highlighted in the doc:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-securing-containers

nareshkhatri81 commented 6 years ago

@mani-ramaswamy - Thanks for providing information about exporting the certificate inside containers. @rakshitatandon - I have a few questions. Once we export the certificate inside containers, which C# API should we use to decrypt secrets using the certificate?

For decrypting secrets inside containers, this is the API mentioned in https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management

using System.Fabric;
using System.Fabric.Description;
using System.Security;

ConfigurationPackage configPackage = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
SecureString mySecretValue = configPackage.Settings.Sections["MySettings"].Parameters["MySecret"].DecryptValue();

We don't have the SF runtime context inside containers, so the above API will not work? Or is there a way to get the SF runtime context inside containers?

The PowerShell command which encrypts the secret is

Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint "" -Text "mysecret" -StoreLocation CurrentUser -StoreName My

Can I get the corresponding C# API to decrypt secrets inside containers? Which algorithm is used by the Encrypt PowerShell API?

Thanks, Naresh Khatri

masnider commented 5 years ago

Greatly depends on the type of secret and the pattern that you're using. @dragav and @erikadoyle to confirm that the docs list current best practices. I don't think that normally we would be expecting you to use the "secret encrypted in config" pattern with containers, especially in Azure, where better models exist now.
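Two of Naresh's questions stay open in the thread: which C# API decrypts a certificate-encrypted secret inside a container, and what the container must actually contain for that to work. The following is an added example, not code from the Service Fabric repository, its documentation, or any participant above. It deliberately does not claim to reproduce Service Fabric's own cipher-text format or the algorithm behind Invoke-ServiceFabricEncryptText (neither is stated anywhere in this thread); instead it uses CMS EnvelopedData from System.Security.Cryptography.Pkcs as a stand-in for the same pattern, encrypt on the host with the certificate's public key and decrypt inside the container with the matching private key. The class name SecretEnvelope, its method names, the CN=secret-test certificate, the "pw" PFX password and the "mysecret" value are all constructed for this example. The check a practitioner wants is the one Decrypt performs first: if the certificate the container can see has no private key, decryption cannot succeed, which is exactly the situation when the cert is installed on the host but was never exported into the container.

```csharp
// Added example (not Service Fabric code): certificate-based encrypt/decrypt round trip
// with CMS EnvelopedData, used here as a stand-in for "secret encrypted to a cert on the
// host, decrypted by the service in a container". Requires the
// System.Security.Cryptography.Pkcs package on .NET Core / .NET 5+.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SecretEnvelope
{
    // Host side: only the public certificate is needed to encrypt.
    public static string Encrypt(string plainText, X509Certificate2 publicCert)
    {
        var content = new ContentInfo(Encoding.UTF8.GetBytes(plainText));
        var cms = new EnvelopedCms(content);
        cms.Encrypt(new CmsRecipient(publicCert));
        return Convert.ToBase64String(cms.Encode());
    }

    // Container side: decryption is impossible unless the private key is present,
    // so check that explicitly instead of letting a vague CryptographicException surface.
    public static string Decrypt(string cipherTextBase64, X509Certificate2 cert)
    {
        if (cert == null)
            throw new InvalidOperationException("Decryption certificate not found in this container's store.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key here; it must be exported " +
                "into the container with its key (e.g. as a PFX), not just as a public cert.");

        var cms = new EnvelopedCms();
        cms.Decode(Convert.FromBase64String(cipherTextBase64));
        cms.Decrypt(new X509Certificate2Collection(cert));
        return Encoding.UTF8.GetString(cms.ContentInfo.Content);
    }

    // How a containerised service would locate the cert: by thumbprint in a store.
    // Returns null when absent, the usual symptom of "installed on the host only".
    public static X509Certificate2 FindByThumbprint(string thumbprint,
        StoreLocation location = StoreLocation.CurrentUser)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
        }
    }

    public static void Main()
    {
        // Constructed self-signed certificate so the sample runs offline; not a real cluster cert.
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=secret-test", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                        DateTimeOffset.UtcNow.AddDays(1)))
            // Round-trip through PFX: the form you would actually mount into a container,
            // and it avoids ephemeral-key problems with EnvelopedCms on Windows.
            using (var certWithKey = new X509Certificate2(
                ephemeral.Export(X509ContentType.Pfx, "pw"), "pw", X509KeyStorageFlags.Exportable))
            using (var publicOnly = new X509Certificate2(certWithKey.Export(X509ContentType.Cert)))
            {
                string blob = Encrypt("mysecret", publicOnly);
                Console.WriteLine(Decrypt(blob, certWithKey));

                // What the service sees when only the public cert made it into the container:
                try { Decrypt(blob, publicOnly); }
                catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
            }
        }
    }
}
```

The design point is the failure mode, not the cipher: whichever format Service Fabric actually emits, a container that only has the public half of the certificate (or no certificate at all, as FindByThumbprint returning null models) cannot decrypt, so the exported PFX with its private key is what has to be mounted, consistent with the securing-containers document mani-ramaswamy linked. As masnider notes, for secrets in containers, especially on Azure, a secret store that the container reads at runtime avoids shipping the private key into the container in the first place.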