abra app secret get <domain> <secret-name>
#480
Labels
No Label
abra
abra-gandi
awaiting-feedback
backups
bug
build
ci/cd
community organising
contributing
coopcloud.tech
democracy
design
documentation
duplicate
enhancement
finance
funding
good first issue
help wanted
installer
kadabra
performance
proposal
question
recipes.coopcloud.tech
security
test
wontfix
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: coop-cloud/organising#480
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
For the autoconfigurator https://git.coopcloud.tech/moritz/alakazam I need to exchange secrets between several apps.
abra app secret get <domain> <secret-name>
would be a very useful command.The current workaround is to run
abra app run <domain> <container> cat /var/run/secrets/<secret_name>
.The problem with this command is that the app already needs to be deployed and I need to know which container holds the secret.
Update
These are the possible approaches how to implement it:
cat /var/run/secrets/<secret_name>
inside the container/var/lib/docker/containers/<container-id>/mounts/secrets/<secret_id>
of the host servercat /var/run/secrets/<secret_name>
For
1.
and2.
abra should automatically select the correct container, so the user don't need to know the container. The disadvantage of these approaches is that there need to be a running container. It won't work for new apps that are not yet deployed or for crashed container. Approach3.
would solve this issue, but it would create a lot of overhead by launching a new container just to read the secrets.abra app secret get <domain> <secret-name>to `abra app secret get <domain> <secret-name>`👍
Maybe
abra app secret list --machine
to get a list of secrets? Altho the current implement ofsecret ls
doesn't list which container holds the secret. This could be added perhaps?coop-cloud/backup-bot-two#28
Maybe the backupbot container could be used for this command. Another idea would be to start a very lightweight container and attach all secrets to it. But running this command would take a lot of time if always a whole container needs to be started.
It could be solved another way by accessing
/var/lib/docker/containers/<container-id>/mounts/secrets
via ssh.A way for exporting and importing all secrets would be very nice for migrating an app to another server.
abra app secret list <old_domain> --machine | abra app secret import <new_domain> -
Unfortunately via
/var/lib/docker
only secrets that are mounted into a running container are accessible. So the only way to access a secret that is not mounted inside a container is to mount it into a container...For estimating the the runtime overhead:
This took about 12s-20s independent of the number of secrets.
There is another way to get secrets that are not mounted to any container without creating a container.
https://medium.com/lucjuggery/raft-logs-on-swarm-mode-1351eff1e690
Using the tool
swarm-rafttool
I can read the content of a secret referenced by its id or name from the raft log.Execution time is about 4s.
On the test server the Raft log is about 130MB, this is way too large for downloading it for dumping the secrets.
The question is how to get the go binary on the server?
@moritz Since we already have a lot of these dependencies, we could just re-work the code from the command itself? Some copy/pasta and delete because we know we only need the secret handling code. See
f082dd7a0c/cmd/swarm-rafttool/dump.go (L250-L463)
Sounds good?I think we can use it as it is instead of extra copy/pasta code maintenance. I doubt we can integrate the code directly in abra, because it should be executed on the server side, as it needs to read the raft log. The only way to completely integrate it into abra would be to download the whole raft log, but this can be huge.
Do you have a better idea than building a binary that comes together with abra and abra copies it to the server to parse the raft log? Or is there some magic way for remote go code execution?