teamhephy / builder

MIT License

Feature Request: Add SSH key to slugbuilders via kubernetes secrets #8

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @roybotnik on May 11, 2017 12:21

We're able to provide an SSH key to slugbuilder pods created via the deis builder by setting an SSH_KEY variable for the app. This works well for things like bundling private GitHub repos during the build, but the downside is that anyone who has access to the app has access to the SSH private key.

This isn't very secure. For example, if someone leaves an organization and they grabbed the SSH key at some point, they would still have access to whatever that SSH key is used for. In many cases this will give read-only access to something like GitHub. To ensure that their access has been revoked, we would need to rotate this key for each app that uses it.

It would be much better if we could use a Kubernetes secret to provide the key. It could be specified in values.yaml and passed as part of the slugbuilder env when builder creates one. This would give better access control and make it so we don't have to set the SSH_KEY variable for each app that needs to use it.

I can work on a PR if this sounds like a good idea.

Copied from original issue: deis/builder#515
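As an added illustration (not code from the issue or from the builder project), one way to provision the key the issue proposes: a Kubernetes Secret of type `kubernetes.io/ssh-auth` that only the builder's service account may read, referenced from the generated slugbuilder pod's env via `secretKeyRef` so the private key never lives in per-app config. The secret name `slugbuilder-ssh-key`, the namespace `deis`, the image name and the RBAC Role are assumptions; `SSH_KEY` is the variable the issue already describes.

```yaml
# Added example, not from the issue or the builder project.
# A Secret holding the deploy key; only the builder's service account
# (not app owners) should be granted RBAC "get" on it.
apiVersion: v1
kind: Secret
metadata:
  name: slugbuilder-ssh-key        # assumed name
  namespace: deis                  # assumed namespace
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    <PLACEHOLDER: paste the read-only deploy key here>
    -----END OPENSSH PRIVATE KEY-----
---
# Fragment of the slugbuilder Pod spec the builder would generate:
# the key is injected from the Secret instead of from the app's config.
apiVersion: v1
kind: Pod
metadata:
  name: slugbuild-example
  namespace: deis
spec:
  restartPolicy: Never
  containers:
    - name: slugbuilder
      image: hephy/slugbuilder     # assumed image name
      env:
        - name: SSH_KEY
          valueFrom:
            secretKeyRef:
              name: slugbuilder-ssh-key
              key: ssh-privatekey
              optional: true       # builds that need no key still run
---
# RBAC: app owners keep their normal rights but cannot read this Secret.
# Only the builder's service account gets access to it, by name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: slugbuilder-ssh-key-reader
  namespace: deis
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["slugbuilder-ssh-key"]
    verbs: ["get"]
```

A RoleBinding from this Role to the builder's service account completes the setup; the Pod object itself carries only the reference, so reading the pod spec does not reveal the key, while rotating it becomes a single Secret update rather than a per-app change.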