grouper-study - Re: [grouper-users] Containerized Grouper and Secrets
- From: Greg Haverkamp <>
- To: Jack Stewart <>
- Cc: , csp study grouper <>
- Subject: Re: [grouper-users] Containerized Grouper and Secrets
- Date: Wed, 25 Apr 2018 10:02:57 -0700
On Wed, Apr 25, 2018 at 9:48 AM, Jack Stewart <> wrote:
> I would like to start out by saying that the new role-based Grouper containers are great! It was very easy to build the images.

Are you referring to the TIER image?

> Now my question is, what are other schools doing with regard to their Grouper configurations? Are you "burning them into" storing them in the containers themselves, or are you using secrets? Converting an application like Grouper to use secrets would be a LOT of work. Effectively, you would need to convert all of the settings to environment variables. How would you deal with the sources.xml files which, by design, need to be customized?
We had just been wrestling with secrets-management, and I was mid-roll-out of Hashicorp Vault as a generalized solution. So, in my current form, which I just deployed last week, I take the TIER image, use Docker Secrets to bootstrap the Vault credentials, and then use consul-template to present the secrets to Grouper. I store all of the generated config files in a tmpfs volume, so they go away when the container is stopped. I've got a few more tweaks, but I'm largely pleased with where it is now.
I decided to go the Vault route for a couple of reasons. One was that I already had Vault running, though not actually doing much. The other was that we have other plans for Vault and secrets management that Docker Secrets don't solve, in particular around dynamically generated secrets. (Now that Vault can dynamically generate Google Service Account keys, I'm looking at modifying the google-apps-provisioner to deal with JSON files... That, or I'll write a consul-template plugin to write out a pkcs12 file.) And finally, we didn't really want to be wedded to Swarm. Swarm is convenient for on-prem, but that's not where we see our future.
Greg
> Many thanks,
> Jack
> --
> Jack Stewart
> Solutions Architect, Identity and Access Management
> University of Michigan
> (734) 764-0853
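A consul-template configuration in the shape Greg describes above (Docker Secret bootstraps the Vault credential, consul-template renders the secret-bearing Grouper config into tmpfs), as an added example that is not part of this thread, of the TIER image, or of Greg's deployment. The Vault address, the KV v2 path `secret/grouper/db`, the Docker secret name `vault_wrapped_token`, the tmpfs mount point `/run/grouper/conf`, and the Grouper start script path are all assumptions made for the example.

```hcl
# consul-template configuration for a Grouper container (added example; not from
# the thread or the TIER image). Assumptions: Vault at vault.example.edu, DB
# credentials stored under the KV v2 path secret/grouper/db, a tmpfs mounted at
# /run/grouper/conf, and a Grouper start script at /opt/grouper/bin/start.sh.

vault {
  address = "https://vault.example.edu:8200"

  # The Docker secret /run/secrets/vault_wrapped_token holds a response-wrapped
  # token; the container entrypoint exports it as VAULT_TOKEN before exec'ing
  # consul-template. unwrap_token exchanges it for the real token, so the
  # credential sitting in the Docker secret store is single-use and short-lived.
  unwrap_token = true
  renew_token  = true
}

# Render the file that carries the password into tmpfs with owner-only
# permissions. The template is inline, so no file containing a secret or a
# secret placeholder needs to be baked into an image layer.
template {
  destination = "/run/grouper/conf/grouper.hibernate.properties"
  perms       = 0600
  contents    = <<EOT
hibernate.connection.url = jdbc:postgresql://db.example.edu:5432/grouper
{{ with secret "secret/data/grouper/db" -}}
hibernate.connection.username = {{ .Data.data.username }}
hibernate.connection.password = {{ .Data.data.password }}
{{- end }}
EOT
}

# Start Grouper only once every template has rendered. consul-template stays
# resident, re-renders before a lease expires, and signals the child process.
exec {
  command = "/opt/grouper/bin/start.sh"
}
```

With this layout the entrypoint only has to do `export VAULT_TOKEN="$(cat /run/secrets/vault_wrapped_token)"` and then `exec consul-template -config /etc/consul-template.d/grouper.hcl`; the rendered properties file lives on the tmpfs (for example `docker run --tmpfs /run/grouper/conf:rw,noexec,size=1m ...`) and disappears with the container, which is the property Greg is relying on. A site-specific `sources.xml` fits the same pattern: ship the customized file as a template with `source = "/opt/grouper/templates/sources.xml.ctmpl"` and a `destination` on the tmpfs, and only the LDAP bind credential inside it comes from Vault at render time.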