grouper-users - Re: [grouper-users] Containerized Grouper and Secrets
Re: [grouper-users] Containerized Grouper and Secrets
  • From: Greg Haverkamp <>
  • To: Darren Boss <>
  • Cc:
  • Subject: Re: [grouper-users] Containerized Grouper and Secrets
  • Date: Wed, 25 Apr 2018 15:14:08 -0700

On Wed, Apr 25, 2018 at 2:47 PM, Darren Boss <> wrote:
I have not played with EKS, but I do know some other companies around the Ottawa area that are, although Shopify moved to GKE in a very public way. You can always deploy K8s into AWS on your own if EKS is still rough around the edges, but that's becoming a larger commitment to K8s at that point.

Right now, EKS is still in a closed preview.  We don't rate, apparently. :)
 
We are interested in Vault as well, for both K8s deployed application and in conjunction with our Puppet deployments but we aren't quite there yet.

Our plan is to move to k8s, which is one of the reasons I'm hesitant to put much effort into using Docker Secrets (which are very similar to k8s secrets).  That's why I preferred simply bootstrapping from the orchestrator's secrets store.  That, and as I described, wanting to have dynamic secrets.  (Vault already has the dynamic DB credentials, though I haven't yet deployed that.  But I'm planning to write an LDAP database plugin for Vault to do it for role accounts --- not just for ours, but for everyone who requests one going forward for various applications.)
 
Once we have something getting closer to production worthy I'm interested in sharing some of the yaml k8s assets with the community if there is interest. I could see having a Helm deployment of Grouper at some point.

It probably comes down to how opinionated the Chart is for me.  :) (I looked at a few Charts when last looking at k8s, and the couple I thought I wanted didn't give me much configurability.)

But _in principle_, I love the idea.  Especially if someone else is doing the work.

Greg
 


On Wed, Apr 25, 2018 at 4:26 PM Jack Stewart <> wrote:
Darren,

Right now I'm liking the S3 bucket idea.

But, while I know AWS EKS (Elastic Container Services for Kubernetes) is a while off, how do you think this would look in AWS?

Thanks, Jack



On Wed, Apr 25, 2018 at 3:44 PM, Darren Boss <> wrote:
If you are using Kubernetes then you can do this with secrets and config maps. Both secrets and config maps can be read from files which are then stored in etcd and can be mounted into the docker image as files so you don't have to bake them into the Docker images.

I've done this for a Shibboleth IdP deployment and was planning to do this for Grouper as well, but I haven't got that far yet.


On Wed, Apr 25, 2018 at 1:03 PM Greg Haverkamp <> wrote:
On Wed, Apr 25, 2018 at 9:48 AM, Jack Stewart <> wrote:

I would like to start out by saying that the new role-based Grouper containers are great!  It was very easy to build the images.

Are you referring to the TIER image?
 
Now my question is, what are other schools doing with regard to their Grouper configurations?  Are you "burning them in" (storing them in the containers themselves), or are you using secrets?

Converting an application like Grouper to use secrets would be a LOT of work.  Effectively, you would need to convert all of the settings to environment variables.  How would you deal with the sources.xml files which, by design, need to be customized?

We had just been wrestling with secrets-management, and I was mid-roll-out of Hashicorp Vault as a generalized solution.  So, in my current form, which I just deployed last week, I take the TIER image, use Docker Secrets to bootstrap the Vault credentials, and then use consul-template to present the secrets to Grouper.  I store all of the generated config files in a tmpfs volume, so they go away when the container is stopped.  I've got a few more tweaks, but I'm largely pleased with where it is now.

I decided to go the Vault route for a couple of reasons.  One was that I already had Vault running, though not actually doing much.  The other was that we have other plans for Vault and secrets management that Docker Secrets don't solve, in particular around dynamically generated secrets.  (Now that Vault can dynamically generate Google Service Account keys, I'm looking at modifying the google-apps-provisioner to deal with JSON files... That, or I'll write a consul-template plugin to write out a pkcs12 file.)  And finally, we didn't really want to be wedded to Swarm.  Swarm is convenient for on-prem, but that's not where we see our future.

Greg

 

Many thanks,
Jack


--
Jack Stewart
Solutions Architect, Identity and Access Management
University of Michigan
--

Darren Boss

Senior Programmer/Analyst
Programmeur-analyste principal


(o) 416.228.1234 x230
(c) 919.525.0083
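The approach Darren describes (Secrets and ConfigMaps stored in etcd and projected into the pod as files) combined with Greg's tmpfs volume for generated config, as an added example that is not from the thread or from the TIER project. The object names, image reference, and the /opt/grouper/conf paths are assumptions; the password is a placeholder.

```yaml
# Added example, not from the thread. Names, image reference and paths are assumptions.
# Secrets and config live in the cluster (etcd) and are projected into the pod
# as files, so nothing sensitive is baked into the Grouper image.
apiVersion: v1
kind: Secret
metadata:
  name: grouper-db-creds
type: Opaque
stringData:     # plaintext here; stored base64-encoded, so enable etcd encryption at rest
  grouper.hibernate.properties: |
    hibernate.connection.url = jdbc:postgresql://db.example.internal:5432/grouper
    hibernate.connection.username = grouper
    hibernate.connection.password = PLACEHOLDER_DB_PASSWORD
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grouper-site-config
data:
  # site-customised subject source definitions: not secret, so a ConfigMap
  sources.xml: |
    <?xml version="1.0" encoding="UTF-8"?>
    <sources></sources>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grouper
spec:
  replicas: 1
  selector: {matchLabels: {app: grouper}}
  template:
    metadata: {labels: {app: grouper}}
    spec:
      containers:
      - name: grouper
        image: PLACEHOLDER_REGISTRY/grouper:latest   # assumed image reference
        volumeMounts:
        - {name: db-creds, mountPath: /opt/grouper/conf/grouper.hibernate.properties, subPath: grouper.hibernate.properties, readOnly: true}
        - {name: site-config, mountPath: /opt/grouper/conf/sources.xml, subPath: sources.xml, readOnly: true}
        - {name: scratch, mountPath: /opt/grouper/generated}   # tmpfs: gone when the pod stops
      volumes:
      - name: db-creds
        secret: {secretName: grouper-db-creds, defaultMode: 0400}   # owner-read only
      - name: site-config
        configMap: {name: grouper-site-config}
      - name: scratch
        emptyDir: {medium: Memory}
```

Note that files mounted with subPath are not refreshed when the Secret is updated, so a rotated password requires a pod restart.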


