agent>> secrets-bridge>> 返回
项目作者: abourget

项目描述 :
Secrets bridge - Secure build-time secrets injection for Docker
高级语言: Go
项目地址: git://github.com/abourget/secrets-bridge.git
创建时间: 2017-01-30T04:30:53Z
项目社区:https://github.com/abourget/secrets-bridge
开源协议:MIT License
下载


Secrets bridge - Secure build-time secrets injection for Docker

Docker does not support build-time secrets, and this is a pain for any
npm install, gem installs, or whatever private repositories or
authenticated endpoints you need to contact during docker build
runs.

Also, you never want to have your credentials snapshotted in your
Docker image.

  • It serves secrets defined on the host, either on the command-line or
    loaded from files.
  • It acts as an SSH-Agent proxy, but secured through TLS, with
    temporary and auto-generated keypairs.

Basic usage

Serves the SSH Agent securely over the bridge. Prints the bridge config to stdout, so you can bring it to the other node by copy & pasting:

  1. secrets-bridge serve -A

Execute yarn (or npm install or whatever) and leverage the SSH Agent from the remote host automatically:

  1. secrets-bridge exec -c [pasted-base64-configuration-from-host-a] yarn

Serve only the secret key, no SSH Agent forwarding:

  1. secrets-bridge serve --secret key=value

Serve key1 taking its value from filename1 and serve filename2 as key filename2:

  1. secrets-bridge serve --secret-from-file key1=filename1 --secret-from-file filename2

Prints out secret key. This will use the default bridge configuration file at ~/.bridge-conf (unless you specify an explicit config as b64 with -c):

  1. secrets-bridge print key

Execute my-command.sh with the env var THE_VALUE set to the value of the secret key:

  1. secrets-bridge exec -e THE_VALUE=key -- my-command.sh

This one prints the secret but encodes it to base64 first (see below for other variations):

  1. secrets-bridge print b64:key

You can also serve a secret that is already base64 encoded, as plain-text:

  1. secrets-bridge serve -w --secret b64:key=aGVsbG8td29ybGQK
  2. ...
  3. secrets-bridge print key
  4. hello-world

Daemonization

You can start serve as a daemon with:

  1. secrets-bridge serve -d daemon.log -A -w -f bridge-conf

This will daemonize and log outputs to daemon.log (with -d), it
will enable SSH-Agent forwarding (-A), write (-w) the bridge
config to bridge-conf (with -f).

You can then kill that instance with:

  1. secrets-bridge kill -c $(cat bridge-conf)

Et hop!

Usage with Docker

The secrets bridge allows you to run a tiny server on your host as such:

  1. secrets-bridge serve -d daemon.log
  2.                      -f ./bridge-conf -w \
  3.                      --ssh-agent-forwarder \
  4.                      --secret key=value \
  5.                      --secret-from-file key2=filename \
  6.                      --timeout=300

and then, with a Dockerfile similar to this:

  1. RUN wget https://github.com/.../releases/.../secrets-bridge
  2. ARG BRIDGE_CONF
  3. RUN secrets-bridge -c ${BRIDGE_CONF} test
  4. RUN secrets-bridge -c ${BRIDGE_CONF} exec -- npm install
  5. RUN secrets-bridge -c ${BRIDGE_CONF} exec -e SECRET=key -- ./do_sensitive_things.sh

run docker build:

  1. docker build --build-args BRIDGE_CONF=`cat bridge-conf` -t image/tag123 .

and, on the host, finish with:

  1. secrets-bridge kill -c `cat bridge-conf`

to terminate the server.

Manual usage

With a bridge configuration (in base64), you can also:

  1. secrets-bridge serve -w -A

copy your ~/.bridge-conf to the other location’s ~/.bridge-conf and then run:

  1. secrets-bridge exec ssh gcloud

over there.

Base64 encoding

On-the-fly base64 encoding and decoding of secrets.

Prefix secrets with:

  • b64: for standard base64-
  • b64u: for URL-safe base64 codec.
  • rb64: for padding-less standard base64 codec.
  • rb64u: for padding-less URL-safe base64 codec.

Secrets are binary-safe and support multi-line files.

SSH-Agent forwarding

The client sets the SSH_AUTH_SOCK environment variable when
calling the sub-processes, and transparently passes that through the
bridge, so the SSH-Agent on the host machine can serve the signing
requests.

The bridge-conf file

The bridge-conf file contains a gzipped, base64-encoded version of:

  1. {"endpoints": ["https://127.0.0.1:12345", "https://192.168.0.6:12345", "https://172.17.0.1:12345", "https://192.168.99.1:12345"],
  2.  "cacert": "------ BEGIN CERTIFICATE -----\n...",
  3.  "client_cert": "----- BEGIN CERTIFICATE -----\n...",
  4.  "client_key": "----- BEGIN RSA PRIVATE KEY -----\n..."}

It allows the secrets-bridge inside the build-time container,
to communicate with the host, authenticate with the secrets server
and obtain credentials that were passed on the command line.

All of the information in this file is temporary and will vanish once
the server terminates. A self-signed CA and client cert/key pair is
generated on each serve runs.

You can elect to RE-USE a CA and set of keys in a subsequent run with
--ca-key-store. NOTE THAT this lessens the security, as it makes the
keys less “throw-away”, making them more appealing to steal.

Installation - from GitHub Releases

Grab a file here and chmod +x it if on Linux/Darwin:

https://github.com/abourget/secrets-bridge/releases

Installation - from source

Download and install https://golang.org/dl. Install with:

  1. go get github.com/abourget/secrets-bridge

This will build the secrets-bridge binary. You will need a Linux
amd64 version for inside the containers.

Alternatives

See https://github.com/defunctzombie/docket for another approach (hacking through the image layers to make private files available at build time, but not keep them in).