Last active
February 13, 2020 20:41
-
-
Save wstrange/e4be53ee650f24c23efa7f6f67f49935 to your computer and use it in GitHub Desktop.
Idea for a secret generator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# A CRD that describes secrets required by the platform, how to generate/find them, | |
# how to mount them, etc. | |
# This should be able to cover all FRaaS and CDM use cases: | |
# 1) All random secrets every time this CRD is deployed | |
# 2) All secrets come from the GCP SM - assumed to be pre-created | |
# 3) Pull secret from GCP SM if available, otherwise generate random, then store in GCP SM for future use | |
# 4) Random on first install, but prefer an existing K8S secret if available | |
# 5) Other combinations of the above... | |
kind: org.forgerock.SecretSpec | |
apiVersion: betav1 | |
metadata: | |
name: platform-secrets-spec | |
# This is namespaced resource. If we want secrets across namespaces we should | |
# create multiple instances. | |
namespace: prod | |
spec: | |
# Spec for how to interface to a secret source | |
# The built in source "kubernetes" is provided - i.e. an existing k8s secret | |
secretSource: | |
# A platform secret source - e.g. GCP Secret Manager | |
- name: sm | |
gcp: | |
project: blah-blah | |
# A source that generates random 32 char values | |
- name: random32 | |
random: | |
length: 32 | |
# A source for TLS certs | |
- name: tls-rsa | |
rsa: {} # todo... | |
# This section is the default treatment of secrets unless it is specifically overridden | |
# TODO: Can we get rid of this default section by enhancing the secretSource above with | |
# priority info. | |
secretDefaults: | |
# An ordered list of how to lookup the secret. If not found in the first source, try the second, etc. | |
# sm -> look up in the gcp secret manager first (if one is defined) | |
# kubernetes -> Use the existing k8s secret of the same name | |
# random -> generate a value. | |
source: [ "sm", "kubernetes", "random32"] | |
# Where to save the secret. Saves to *all* destinations in the list | |
# The example below saves to a k8s secret (if required), and the secret manager | |
destination: ["kubernetes", "sm"] | |
# Needs more thought - but the idea is if the secret itself is | |
# encyrpted with a master password. For example, an AM instance key | |
encrypted: {} | |
# Now we list all the secrets. The idea is to make it easy to introduce new secrets | |
# Todo: What about keystores, TLS certs, etc? | |
secrets: | |
# Each secret has a unique name. A k8s secret with this name will be created. | |
# For this secret we use all the defaults | |
- name: idrepo-admin-password | |
# The secret below can only come from the secret manager | |
- name: oauth2-idm-client-secret | |
source: ["sm"] | |
# Getting fancy here... the spec below deterimines how | |
# the secret gets presented to a pod (env var or mounted). | |
# To keep it simple - follow a convention. | |
# This would be implemented by an admission controller | |
podSelector: | |
# Inject as env var | |
env: | |
# Match label expression. | |
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | |
app: amster | |
# Or a secret file. Mounted at /var/run/secrets/$secret-name | |
path: | |
# Again - a match label expression | |
app: amster | |
# todo: | |
# What about secret rotation? | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment