Skip to Content.
Sympa Menu

grouper-study - Re: [grouper-users] Containerized Grouper and Secrets

Subject: grouper-study

List archive

Re: [grouper-users] Containerized Grouper and Secrets


Chronological Thread 
  • From: Christopher Hubing <>
  • To: Jack Stewart <>
  • Cc: , csp study grouper <>
  • Subject: Re: [grouper-users] Containerized Grouper and Secrets
  • Date: Wed, 25 Apr 2018 16:59:31 +0000 (UTC)
  • Arc-authentication-results: i=1; mx.umich.edu; iprev=pass policy.iprev=104.47.38.121 (mail-bl2nam02on0121.outbound.protection.outlook.com); spf=neutral ; dkim=none; dmarc=none ; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; d=umich.edu; s=arc-2017-08-04; t=1524675580; c=relaxed/relaxed; bh=PGy5rHtD4jmfRR7phCiDe1D703y1HlUbkLMKHatZw1Q=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=l0GI2QijhepGi4l+nzAZ3BQj2FiaSJEqTy7aqQNKPCnSW9L8mcf/OKm016+EgXUoJ2C4kG1VcsliWrl1xSSggkCQboiGml4YnOY/K7A6wLZ70l3V1wAY0PxYKHpATIO0bf0qaz2CAglINQHvAI2DQxtXWHgJcdd9iGtTQ/9K81dZOfq8E1hl+GKK7MNVvJ5v4RhSKK3B9Uxu1ALDgv54LjmVAql+KEgqcsEozEU7yM5rqZ7YzVZmOTAfF9AwMEPZexBaujk3zoXZBMXlsGHOSTNH0x1q/Wq3WIXKX0SleeE6Lpba8R69oEDcPj9josKUrMX8GwmALHsKMw8ROEWI1w==
  • Arc-seal: i=1; a=rsa-sha256; d=umich.edu; s=arc-2017-08-04; t=1524675580; cv=none; b=HRzkCrWbV0VUz55gb6CwhFHHdFqTcpb7vekc3tRhfJAibM7SS2QluN47n+aN8uGPSCaqBpBht2Y+xB1tm1Hij/8/5EVqcKWgXBrADPOBDJgkCtDEcCr+LeMLh0zO0g6++3wXBw3v9K3X8Ua+uwo3nVtuuyqJGysBIHsGAKBtBuJQtrvKoPUNgCx+V+Xdi+HHVdecDP3XS3MQEQHW/Iw88ZmGZ7TWoiHIGwmCCFZJ8pitUheJOPS6IDDmoBeEbseWNPW/rNctbuDTT0JjszWcCH5laZTmEUmd2+HRfHRunTm6NDcqSyzL14M4goqBeTZ2JaqkRqkmr5l1eC89O5N3pw==
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:OfvY2xB4Ia/oLEOB/eiPUyQJP3N1i/DPJgcQr6AfoPdwSPX5psbcNUDSrc9gkEXOFd2Cra4c0KyO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUijexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRshfWSxfDI2hbYQBDOQBMuhXoIbhplsDth6+CRW2CeLv1jNFnH370Ksn2OohCwHG2wkgEsoQvXTUttX1NbwSUfyyzKnQzTXMcelW0ir/5ojVaR8hoPeMXb1tesfW1UYvFx7FgU6RqYzjMDOYzeUNs26H7+V+T+KvjXAoqx1vrjS12Mgjl5TJi5sTx1vZ+yt5x4M1Kse5SE59edOkEZ1Qtz2EOItsRMMtXX1otDggxrIYpJG7YS4Hw4kkyR7Hc/GKfYiF7gj+WOuQPzt0nnJodbalixux8kWs0u3xW8au3FpXrCdIksPAum0P2hDJ5cWKRP1w9Vq71zmVzQDc8ORELFg0laXFL54hxaY9lp0IvkvdAyD2mVv5jKmKdkk94eio6uvnba7npp+aLYN7lA7+Mr4wlcykGuQ0KBIBU3Ke+eum1b3j+Vf1QKhPjv03jqbZsIrWKtoGqa6kGwNV04Aj5AijDzq+3tkVnWMLIE9EdR6ZlYTkO1XDLOr7APq8m1islS1kx/HCPr3vGJXNKX3Dna/9crZm805Q0hEzzcxC551JCrANOv3zWlX2tNzFFh82LRa0z//5B9VnzIMeXniPArSCPaPPtF+I5/4gI+mWaIALpTn9NuAp5+Tygn8hhV8dYa6p0IMYaHCiGfRmPl2ZbmT2gtsYCmcKohc+Q/HqiVCZVT5TZm2yX74n5j0lEo6mDIHDRpyzj7yb2ie0AIFWan5cBl+SDHjoatbMZ/BZSiuZIYdajjEbXKK9A9sk1wqyuRDS1r9mJeqS9yEF48HNzt9wssbTjxAp6TtsD8mHm0GQRWBykStcTD8r1qF5rmR8zEuOy651n6YeGNBOsaAaGjwmPILRmrQpQ+v5XRjMK5LQEA6r
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99


For I2, we are storing secret things in an encrypted S3 bucket. The build host has access to read from it, and then pushes the images to a private Elastic Container Repo. The containers run in ECS.

Here's an example of our Dockerfile for the UI:
https://github.internet2.edu/gist/chubing/c4e663ab5a39fb73dccdcd748a92c5fe

Since the new Grouper container is pushed to Dockerhub (and have tags for patches), it should make it pretty easy to manange (hopefully).

-c

On Wed, 25 Apr 2018, Jack Stewart wrote:

Everyone,
I would like to start out by saying that the new role-based Grouper
containers are great!  It was very easy to build the images.

Now my question is, what are other schools doing with regard to their Grouper
configurations?  Are you "burning them into" storing them in the containers
themselves, or are you using
secrets?

Converting an application like Grouper to use secrets would be a LOT of work. 
Effectively, you would need to convert all of the settings to environment
variables.  How would you deal with
the sources.xml files which, by design, need to be customized?

Many thanks,
Jack


--
Jack Stewart
Solutions Architect, Identity and Access Management
University of Michigan
4251 Plymouth Road
Ann Arbor, Michigan 48105-3640
(734) 764-0853




Archive powered by MHonArc 2.6.19.

Top of Page