[Feature]: AMS Support Database Secret On K8S #1945

Closed
2 tasks done
Tracked by #1847
czy006 opened this issue Sep 8, 2023 · 3 comments · Fixed by #1978
Labels
type:feature Feature Requests


@czy006
Contributor

czy006 commented Sep 8, 2023

Description

Currently, the database password is written to the configuration file in plain text, which may pose certain security risks. In the cloud-native environment, this configuration will be saved through K8S Secret, which will improve password security.

Use case/motivation

After discussing in the pull request, we decided to separate and complete this part of the function, which will improve the security of database passwords.

Describe the solution

The Secret mount function only supports running on K8S.

  • Mount the Secret or get the password by reading the environment variable, and decode it through base64
  • The environment variable name is: DATABASE_PASSWORD
  • Read Priority: Environment Variables > Configuration Files
    • If the deployment environment is K8S, the variable will be read from the environment variable and the password will be base64-decoded. The user only needs to set the password in the configuration file, and it will be automatically set to Env in Secret mode, which is read by the program, and there is no need to care about this part of the implementation.
    • If the deployment environment is a non-K8S environment, first read from the environment variable; if it is empty, then read directly from the configuration file. This part will not have any encryption behavior.

Subtasks

No response

Related issues

None

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!


@czy006 czy006 added the type:feature Feature Requests label Sep 8, 2023
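
The read order proposed in the issue above, sketched as an added example that is not part of the original issue or the project's code. The function and class names, the `password` config key, detecting K8S through `KUBERNETES_SERVICE_HOST`, and falling back to the file on K8S when the variable is unset are all assumptions.

```python
import base64
import binascii

ENV_NAME = "DATABASE_PASSWORD"  # variable name given in the issue


class PasswordConfigError(ValueError):
    """No usable database password could be resolved."""


def running_on_k8s(env):
    # Assumption: Kubernetes is detected via the service variable injected
    # into every pod; the issue does not say how AMS detects it.
    return bool(env.get("KUBERNETES_SERVICE_HOST"))


def resolve_db_password(env, config, on_k8s=None):
    """Return (password, source), applying env > configuration file."""
    if on_k8s is None:
        on_k8s = running_on_k8s(env)
    raw = env.get(ENV_NAME, "")
    if raw and not on_k8s:
        return raw, "env"  # non-K8S: used as-is, no decoding
    if raw:
        try:
            # validate=True rejects stray characters instead of skipping them
            pw = base64.b64decode(raw.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Keep the value itself out of logs and exception text.
            raise PasswordConfigError(ENV_NAME + " is not valid base64") from None
        if not pw:
            raise PasswordConfigError(ENV_NAME + " decodes to an empty value")
        return pw, "env(base64)"
    # Assumption: fall back to the file on K8S too when the variable is unset.
    fallback = config.get("password", "")  # hypothetical config key
    if not fallback:
        raise PasswordConfigError("no database password configured")
    return fallback, "config"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pod_env = {"KUBERNETES_SERVICE_HOST": "10.96.0.1",
               ENV_NAME: base64.b64encode(b"constructed-pw").decode()}
    file_cfg = {"password": "from-config-file"}
    for env in (pod_env, {ENV_NAME: "plain-pw"}, {}):
        _, source = resolve_db_password(env, file_cfg)
        print("password resolved from:", source)  # print the source only
```
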
@zhoujinsong
Contributor

@czy006 Thanks a lot for bringing this feature up!
Kubernetes secret is the standard method for storing sensitive information. Based on it, the configuration security of AMS in a K8S environment can be greatly improved.

The implementation looks fine to me. I am looking forward to seeing your PR.

@baiyangtx
Contributor

Thank you for proposing this feature. I think this feature is very important for production deployment and K8S cluster deployment. I am looking forward to seeing your PR.

@czy006
Contributor Author

czy006 commented Sep 15, 2023

Secret On K8S Pwd Demo
