Read secrets inside of Redhat OpenShift online?
I have gotten a Redhat OpenShift online starter vps, for hosting my discord bot. I've uploaded it to github, minus my discord token and other API keys, of course :^)
How would I get OpenShift to use store and read client secrets? I'm using the nodejs8 framework if that helps.
Secrets have no place in a source version control hosting service like GitHub.
Regarding OpenShift, it includes Secrets, an encoded-64 configmap in which you can inject confidential information.
But that long-term confidential information storage (to be injected in OpenShift secrets) ought to be stored in a proper Vault.
Like, for instance, the Hashicorp Vault, as described by the article "Managing Secrets on OpenShift – Vault Integration"
The rest describes that solution, but even if you don't use that particular host, the general idea (an external vault-type storage) remains:
- An Init Container (run before the main container of a pod is started) requests a wrapped token from the Vault Controller over an encrypted connection.
Wrapped credentials allow you to pass credentials around without any of the intermediaries having to actually see the credentials.- The Vault Controller retrieves the pod details from the Kubernetes API server.
- If the pod exists and contains the vaultproject.io/policies annotation, the Vault Controller calls Vault and generates a unique wrapped token with access to the Vault policies mentioned in the annotation. This step requires trust on pod author to have used to right policies. The generated token has a configurable TTL.
- The Vault Controller “calls back” the Init Container using the pod IP obtained from the Kubernetes API over an encrypted connection and delivers it the newly created wrapped token. Notice that the Vault Controller does not trust the pod, it only trusts the master API.
- The Init Container unwraps the token to obtain a the Vault token that will allow access to the credentials.
- The Vault token is written to a well-known location in a volume shared between the two containers (emptyDir) and the Init Container exits.
- The main container reads the token from the token file. Now the main container can use the token to retrieve all the secrets allowed by the policies considered when the token was created.
- If needed, the main container renews the token to keep it from expiring.
- node.js: create a connected writable and readable stream pair
- MongoNetworkError: failed to connect to server [localhost:27017] on first connect [MongoNetworkError: connect ECONNREFUSED 127.0.0.1:27017]
- Modified transaction in custom sandbox user not refreshing
- How is child_process.exec('powershell "$userInput = Read-Host;"') handled in node.js?
- Whatsapp-web.js package failing when scanning the QR code
- NPM: npm-cli.js not found when running npm
- protobufjs load from string
- commander.js : how to specify required cli argument
- Why my form validation while logging in is not working?
- MSAL Node service & The Partner Center API
- Get all files within a folder containing string, push filenames to array and return array using Node FS
- How to handle FormData from express 4
- Unable to populate my fields using populate()
- How to add Title in video by ffmpeg on Node JS
- How can I pass custom data to Stripe webhook?
- Mongoose Activity model with dynamic reference
- What approach to take when making a webpage with contact form and using parcel.js 2 bundler
- Client request fails with 502 after 2 minutes
- Mongoose Unique index not working!
- Error : create-react-app Aborting installation
- adding .css file to ejs
- Error: Accessing non-existent property. Module exports in circular dependency
- Iron.seal does not work when user log in
- Meteor GoogleMaps.load() not working on iOS with Iron
- Npm package whatsapp-web.js broke
- error column cannot be null, trying to upload file into sql
- How to encrypt decrypt with Node.js crypto module?
- Deleting `package-lock.json` to Resolve Conflicts quickly
- Time difference function giving negative value
- use helper of handlebars-express in view