Comments (6)
rnpridgeon
commented on August 16, 2024
We should actually build a base jinja template which includes all shared configuration values such as ZOOKEEPER_CONNECT. Then each service can simply extend this speeding up initial setup of a service within the docker repo.
from cp-docker-images.
arrawatia
commented on August 16, 2024
In general, it is not recommended to use ENV vars for secrets in docker. There is lot of discussion on the issue of managing secrets in docker. I have summarized it below
TL;DR
Passing secrets in env vars is bad. The best way for making secrets available to the container is using volumes (Kubernetes does it this way). The basic idea is that you create a mount point for secrets, something like /etc/secrets and the provisioning system puts the secrets in a volume and maps it to the docker container. So, if you are doing it manually for Kafka, you would create a directory on the host, add JKS file and credentials (in a file) and map this directory to /etc/secrets. The configure script will read this dir and add the credentials to the config.
There are various ways of storing secrets and mounting them on a volume for the container, some of which are linked in "Secret management in Docker" section below.
Why ENV vars are bad for runtime secrets ?
- http://elasticcompute.io/2016/01/21/runtime-secrets-with-docker-containers/
- http://movingfast.io/articles/environment-variables-considered-harmful/
- https://superuser.com/questions/708355/is-it-safe-to-store-critical-passwords-in-server-environment-variables
General discussion on "Secrets in docker"
- Secrets: write-up best practices, do's and don'ts, roadmap
- Managing secrets in compose
- Proposal: The Docker Vault
- Does Swarm support the sharing of "secrets"? E.g. encrypted files with passwords in them.
- How to manage secrets in a Microservice / Container / Cloud environment?
Secret management in Kubernetes:
Secret management in Docker
- Keywhiz + docker volume plugin (conceptually same as Kubernetes design):
- Using Hashicorp Vault (the docker community seems to like this):
- Using Hashicorp Vault (using secrets volume similar to Kubernetes):
- Using S3 to manage secrets (by Codahale):
from cp-docker-images.
arrawatia
commented on August 16, 2024
@theduderog what's your take on this ?
from cp-docker-images.
theduderog
commented on August 16, 2024
I agreed that ENV vars are not a good way to pass secrets to containers b/c they're easy to leak. It seems like managing secrets in Docker is similar to "service discovery" in that there is no standard way to do it. Perhaps our default could be to expect a volume to be mounted with the secrets present but we need to allow people to plugin arbitrary code to get their secrets. I guess they can do it by overriding the "configure" step?
from cp-docker-images.
rnpridgeon
commented on August 16, 2024
Makes sense to me
from cp-docker-images.
arrawatia
commented on August 16, 2024
Implemented in #11.
from cp-docker-images.
Related Issues (20)
- RHSA-2021:1024 - Security Advisory HOT 1
- Running the processes in cp-kafka-rest pod with non root user account HOT 1
- License details for using cp-kafka-rest docker image in Azure cloud HOT 1
- Kafka docker images for arm64
- what is the correct healtcheck for a cp-kafka container? HOT 1
- Forked project for Raspberry Pi (arm64) support HOT 2
- confluentinc/cp-kafka:latest docker doesn't work in DinD setup HOT 1
- Failing to extend the cp-kafka-connect-base:7.0.1 image HOT 1
- SSL Kafka handshake failed over docker HOT 4
- Determine actual Kafka version that is being used inside confluentinc/cp-kafka:6.2.2 image. HOT 2
- Confluent community confluentinc/cp-kafka:7.0.1 giving ClassNotFoundException:io.confluent.metrics.reporter.ConfluentMetricsReporter HOT 1
- it seems kafka is not needed for creating cloud native application HOT 1
- How to run multiple kafka-connect replicas in kubernetes HOT 1
- Overriding Consumer, Producer Configuration via Env Variables HOT 2
- cp-enterprise-replicator image available for arm64? HOT 1
- Dockerized connect - CONNECT_LISTENERS & CONNECT_REST_ADVERTISED_**
- ZooKeeper sometimes fails to boot with NullPointerException
- !! Leader Election Issue in Schema Registry, On leader deletion. HOT 1
- confluentinc/cp-kafka:5.0.1 image make issues HOT 1
- Facing issue on multiple kafka connect for debezium mssql connector and zeebe using confluent operator
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cp-docker-images.