Container secret mounts » History » Version 8

Tom Clegg, 03/01/2018 07:28 PM

1 1 Tom Clegg
h1. Container secret mounts
2 1 Tom Clegg
3 2 Tom Clegg
This is a proposed modification to [[Containers API]].
4 2 Tom Clegg
5 2 Tom Clegg
Add a "secret_mounts" serialized field to containers and container requests.
6 2 Tom Clegg
7 2 Tom Clegg
"secret_mounts" has the same form and behavior as "mounts", except:
8 2 Tom Clegg
* Only literal content is allowed (kind=text or kind=json)
9 2 Tom Clegg
* Current value is never returned in a container request or container API response
10 2 Tom Clegg
* Current value can be retrieved from a new API (@/arvados/v1/containers/$uuid/secret_mounts@) which must be authenticated by the container's own runtime token
11 1 Tom Clegg
* Never appears in container logs
12 1 Tom Clegg
* Never appears in the Arvados logs table
13 1 Tom Clegg
* Never appears in websocket updates
14 1 Tom Clegg
* Never appears in API server request logs
15 1 Tom Clegg
16 6 Tom Clegg
If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error).
17 4 Peter Amstutz
18 3 Peter Amstutz
For clarity, some ways in which secret_mounts behaves like mounts are:
19 2 Tom Clegg
* Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify.
20 2 Tom Clegg
* secret_mounts can be set via container_requests#create and container_requests#update APIs
21 2 Tom Clegg
* secret_mounts cannot be null, but can be an empty hash
22 2 Tom Clegg
* keys of secret_mounts are paths in the container's filesystem, and always begin with "/"
23 5 Peter Amstutz
24 7 Tom Clegg
"secret_mounts" api response:
25 7 Tom Clegg
26 7 Tom Clegg
<pre><code class="json">
27 7 Tom Clegg
{
28 7 Tom Clegg
  "secret_mounts": {
29 7 Tom Clegg
    "foo": "bar"
30 7 Tom Clegg
  },
31 7 Tom Clegg
  "_response_time_or_other_api_metadata": "..."
32 1 Tom Clegg
}
33 1 Tom Clegg
</code></pre>
34 8 Tom Clegg
35 8 Tom Clegg
There is no support for secret environment variables or command line arguments.
36 8 Tom Clegg
37 8 Tom Clegg
Documentation note: Anyone who can modify a container request can access its secrets by changing the command, docker image, etc., and committing it. So be careful.