Ruby China
Access denied, Please sign in and make sure you have proper permission.

Rails 容器化对 Encrypted Credentials 的安全构建及部署配置的最佳实践

icyleaf · October 20, 2022 · Last by amonlei replied at November 07, 2022 · 515 hits

Rails 构建镜像安全处理加密凭证 https://icyleaf.com/2022/09/rails-build-docker-image-handle-encrypted-credentials-securely/

Rails 产品环境配置加密凭证的完美方案 https://icyleaf.com/2022/09/perfect-solution-to-steup-rails-encrypted-credentials/

抛砖引玉,希望听听大家的解决方案。

3 likes
fatcat #0 October 21, 2022

博客不错,关注了❤

2 likes
xiaoronglv #1 October 24, 2022

  1. 我倾向于把 secret 放到 kubernetes secret

  2. 然后运行 pod 时,把各种 secret 通过环境变量(envFrom)注入到 pod 中。

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: registry.k8s.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: mysecret
  restartPolicy: Never

https://kubernetes.io/docs/concepts/configuration/secret/#use-cases

icyleaf #2 October 24, 2022
Reply to xiaoronglv

核心数据提取出来之后,那就是采用不同方案的应用。k8s 放到 secret 只是在套一层壳而已。

southwolf #3 November 06, 2022

对 核心思想就是代码/部署文件跟密钥分离,通过外部参数注入进镜像。我们通常的做法是密钥扔 Vault 之类的中心化管理工具,部署/启动服务的时候去拉

amonlei #4 November 07, 2022

第二种直接 docker ps 看

amonlei #5 November 07, 2022

就是 docker file 中拷贝 masker.key 目前来说最安全

You need to Sign in before reply, if you don't have an account, please Sign up first.