Proposal: [CNG] Implement runtime pattern for exporting ENV from file(s)
Summary
Implement an agnostic method within the CNG to read secrets into the environment of spawned processes. This would function similarly to `vault-cli env`, but read from a dedicated location in the filesystem. The method should be easy to understand, easy to implement, and simple to configure, while remaining as conscientious as possible of security concerns.
For consideration: a script translates `find /etc/gitlab/environment/ -type f` into `export $1="$2"`.
Requirements to use:
- a Secret exists
- an `extraVolume` definition consuming the secret
- an `extraVolumeMount` definition placing that volume/subPath at `/etc/gitlab/environment/`
Two approaches:
- `extraEnv` definition(s) with `VARIABLE_FILE`, where the content is the relative path to the entry under `/etc/gitlab/environment`
- a script exports all files under `/etc/gitlab/environment/` to the environment, as `export FILENAME=$(cat FILENAME)`
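The following is an added example of what such a script could look like; it is not CNG code, and the function names and the demo directory are assumptions. It implements both approaches: `export_env_from_dir` exports every file under the mount as a variable named after the file, and `export_env_from_file_vars` resolves `NAME_FILE` variables set via `extraEnv` to the file they point at. File names that are not valid shell identifiers are skipped rather than passed to `export`, and `NAME_FILE` paths are kept inside the mount directory.

```shell
#!/bin/sh
# Added example, not CNG code. The default directory is the mount point
# proposed above; pass another directory as $1 to override it.

# Approach 2: each regular file under the directory becomes VARIABLE=<content>.
# Names containing non-identifier characters (or starting with a digit) are
# skipped so a stray file name cannot inject anything into `export`. The glob
# omits dotfiles, which also skips the ..data symlinks Kubernetes places in
# secret volumes.
export_env_from_dir() {
  dir="${1:-/etc/gitlab/environment}"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    case "$name" in
      *[!A-Za-z0-9_]*|[0-9]*) echo "skipping non-identifier file name: $name" >&2; continue ;;
    esac
    value=$(cat "$f")            # command substitution strips trailing newlines, as $(cat FILENAME) does
    export "$name=$value"
  done
}

# Approach 1: for every NAME_FILE variable already in the environment (set via
# extraEnv), read <dir>/<relative path> into NAME. Empty and absolute paths and
# any ".." component are refused so the lookup cannot leave the directory.
export_env_from_file_vars() {
  dir="${1:-/etc/gitlab/environment}"
  for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)_FILE=.*/\1/p'); do
    eval "rel=\$${name}_FILE"    # safe: name matched the identifier pattern in sed
    case "$rel" in
      ''|/*|..|../*|*/..|*/../*) echo "refusing path for $name: $rel" >&2; continue ;;
    esac
    [ -f "$dir/$rel" ] || { echo "missing file for $name: $dir/$rel" >&2; continue; }
    value=$(cat "$dir/$rel")
    export "$name=$value"
  done
}

# Constructed demo: a temporary directory standing in for the mounted Secret.
demo_dir=$(mktemp -d)
printf 'hunter2\n' > "$demo_dir/DB_PASSWORD"
printf 's3cr3t-token' > "$demo_dir/api_token"
export API_TOKEN_FILE=api_token
export_env_from_dir "$demo_dir"
export_env_from_file_vars "$demo_dir"
echo "DB_PASSWORD=$DB_PASSWORD API_TOKEN=$API_TOKEN"
rm -rf "$demo_dir"
```

Because the values land in the process environment only after the script has run inside the container, they never appear in the Pod spec the way an `env` entry does.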
Current behavior
Today, Kustomize or another post-render step is required to populate environment variables from Secret data, and the result is not as secure as it looks: the value becomes part of the container's environment as recorded by the container runtime, which is what the exploration below shows.

```yaml
env:
  - name: SECRET_USERNAME
    valueFrom:
      secretKeyRef:
```
Expected behavior
Users are able to pass environment variables from Secrets to the process spawned within the container, without exposing them any further than required.
Detailed exploration
- Spin up a KinD cluster
- Create a generic Secret with a key and value
- Deploy a pod using that secret (docs)
- See that all processes in the Pod have access to these secrets easily: `kubectl exec POD_NAME -- bash -c 'env | grep PASSWORD'`
- Connect to the KinD controller (`docker exec <container ID for master>`) and run `crictl ls | grep CONTAINER_NAME`
- Run `crictl inspect CONTAINER_NAME` and see that this ENV is not protected in any way.