4.3 KiB
title
| title |
|---|
| Managing secret data |
Managing secret data
Co-op Cloud uses Docker Secrets to handle sensitive data, like database passwords and API keys, securely:
DOCKER_CONTEXT=swarm.example.com docker secret ls
example_mediawiki_db_password_v1
example_wordpress_db_password_v1
abra includes several commands to make it easier to manage secrets:
abra app <app> secret generate-- to auto-generate a single secret, or all secrets defined by the app, and store them in the Docker Swarm store,abra app <app> secret insert-- to insert a single secret value from the Docker Swarm store,abra app <app> secret delete-- to remove a single secret, or all secrets defined in the app, from the Docker Swarm store.
Secret versions
You will notice v1 in the example secret names above: like Docker Configs, Docker Secrets are immutable, which means that their values can't be changed after they're set. To accommodate this, Co-op Cloud uses the established convention of "secret versions". Every time you change (rotate) a secret, you will insert it as a new version.
Because secret versions are managed per-instance by the people deploying their apps, secret versions are stored in the .env file for each app:
find -L ~/.abra/servers/ -name '*.env' -print0 | xargs -0 grep -h SECRET
OIDC_CLIENT_SECRET_VERSION=v1
RPC_SECRET_VERSION=v1
CLIENT_SECRET_VERSION=v1
...
If you try and add a secret version which already exists, Docker will helpfully complain:
abra app example_wordpress secret insert db_password v1 foobar
Error response from daemon: rpc error: code = AlreadyExists desc = secret example_wordpress_db_password_v1 already exists
By default, new app instances will look for v1 secrets.
Generating secrets automatically
You can generate secrets in one of two ways:
- While running
abra app new <type>, by passing--secrets - At any point once an app instance is defined, by running
abra app <app> secret generate ...(seeabra help secret generatefor full options)
!!! note "How are secrets generated?"
Depending on how the app is configured, you will require the `pwqgen` (from `passwdqc`) and `pwgen` binaries by default, although you can specify your own password-generation app when running `abra <app> secret generate` by providing the `<cmd>` argument.
Inserting secrets manually
For third-party API tokens, like OAuth client secrets, or keys for services like Mailgun, you will be storing values you already have as the appropriately-named Docker secrets. abra provides a convenient interface to the underlying docker secret create command:
abra app example_wordpress secret insert db_password v2 "your-secret-here"
Rotating a secret
So, given how secret versions work, here's how you change a secret:
- Find out the current version number of the secret, e.g. by running
abra app example_wordpress config, and choose a new one. Let's assume it's currentlyv1, so by convention the new secret will bev2. - Generate or insert the new secret:
or
abra app example_wordpress secret generate db_password v2abra app example_wordpress secret insert db_password v2 "foobar" - Edit the app configuration to change which secret version the app will use:
abra app example_wordpress config - Re-reploy the app with the new secret version:
abra app example_wordpress deploy
Storing secrets in pass
The Co-op Cloud authors use the UNIX pass tool to share sensitive data, including Co-op Cloud secrets, and abra <app> secret... commands include a --pass option to automatically manage generated / inserted secrets:
# Store generated secrets in `pass`:
abra app new wordpress --secrets --pass
abra app example_wordpress secret generate --all --pass
# Store inserted secret in `pass`:
abra app example_wordpress secret insert db_password v2 --pass
# Remove secrets from Docker, and `pass`:
abra app example_wordpress secret rm --all --pass
This functionality currently relies on our specific pass structure; patches to make that configurable are very welcome!
What makes secrets secure?
TODO