Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How do we mask sensitive config information? #397

Closed
tim-chaffin opened this issue Apr 24, 2024 · 4 comments
Closed

How do we mask sensitive config information? #397

tim-chaffin opened this issue Apr 24, 2024 · 4 comments

Comments

@tim-chaffin
Copy link
Contributor

While reading the https://github.com/PacoVK/tapir/blob/main/docs/configuration.md file we are asked to set values which are sensitive by nature, such as BACKEND_AZURE_MASTER_KEY, AZURE_BLOB_CONNECTION_STRING, AUTH_CLIENT_SECRET and so on.

It's not clear in the docs how best to mask or secure these secrets. We could be doing a k8 namespace opaque secret, or something similar. But I'm unsure what works best with the container, when running in k8.

If you can help me understand how to implement a secret with Tapir, I'd be happy to add that to the docs as well.

@PacoVK
Copy link
Owner

PacoVK commented Apr 25, 2024

Indeed secret injection was intentionally left quite open. Tapir needs the values as environment variables and depending on the actual runtime there are different approaches.

In K8s context you can use opaque secrets, you may also have a dedicated secret management (e.g. Hashicorp Vault, Aws secretmanager,...) that offer different ways to inject values as ENV to the pod during runtime. One common way in K8s could also be to go through external secrets operator which has quite some flexibility.

Hope that helps ✌️

@tim-chaffin
Copy link
Contributor Author

Added a PR, if you'd like to include this documentation.

@PacoVK
Copy link
Owner

PacoVK commented Apr 27, 2024

@all-contributors add @tim-chaffin for docs

Copy link
Contributor

@PacoVK

I've put up a pull request to add @tim-chaffin! 🎉

PacoVK pushed a commit that referenced this issue Apr 27, 2024
Adding a blurb instructing the user how to configure and secure values with sensitive information.
@PacoVK PacoVK closed this as completed Apr 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants