[FEATURE] secret support

score-spec / spec

The Score Specification provides a developer-centric and platform-agnostic Workload specification to improve developer productivity and experience. It eliminates configuration inconsistencies between environments.

https://score.dev/

Apache License 2.0

7.81k stars 2.2k forks source link

[FEATURE] secret support #76

Closed garthy closed 1 week ago

garthy commented 7 months ago

Detailed description

It would be nice if secrets were supported as a first class resource. They could be generated and stored then used to create/access the resource and be passed around securely as well as the platform supports and stop writing them to state/config files. eg:- docker-compose output snippit

    workload-one-example:
        command:
            - -c
            - while true; do echo $${CONNECTION}; sleep 5; done
        depends_on:
            wait-for-resources:
                condition: service_started
                required: false
        entrypoint:
            - /bin/sh
        environment:
            CONNECTION: redis://default:XfygjA6Kxtb6mfXZ@redis-FUxtcv:6379
        hostname: workload-one
        image: busybox

Context

secure deployment and configuration and stop secrets getting wrtitten into files and environments

Possible implementation

using docker(-compose) secrets/k8s secrets a secret could be created Then used to create and protect the resource And then used to access the resource.

Additional information

No response

github-actions[bot] commented 7 months ago

Thank you for your issue. Give us a little time to review it.

PS. You might want to check the FAQ if you haven't done so already.

This is an automated reply, generated by FAQtory

astromechza commented 5 months ago

@garthy thanks for filing the request.

Currently secret outputs from resources being injected into envvars and file mounts are handled by the Score implementations themselves.

Eg: score-k8s will expect the secret to be present in a Kubernetes Secret and then if this is used in an env var or file will use projected volumes or K8s-specific tools to securly mount the secret.

You can create a secret as an output from a resource in score-k8s like this: https://github.com/score-spec/score-k8s/blob/e675f961ad1bf1123bc6efb0a3d1ad17bd657c58/internal/provisioners/default/zz-default.provisioners.yaml#L141

We didn't do this in score-compose because the docker secrets require swarm mode.

It's a good question whether there is a generalisable way of doing this that we could pull into the spec itself. It may be tricky since different runtimes support different interpolations, mount strategies, content lengths, and structures so it may not be possible.

astromechza commented 1 week ago

Going to close this as I think as score-k8s provides good guidance as to how secrets should be handled, if we want to open this as an issue against specific score implementations like score-compose, we can do that.

garthy commented 1 week ago

You mentioned docker secrests (Which require swarm) but docker-compose allows configuring things marked as secrets which is better than nothing?