Lab 7b - Using secrets

Lab 7 looked at how the issue-bot could obtain the GitHub Personal Access Token from an environment variable (auth_token). An alternative approach is to use a secret to store sensitive information.

From the Docker documentation:

.. a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code.

This is a more secure alternative to environment variables. Environment variables are easier to use but are best suited to non-confidential configuration items. A secret is a good fit for storing the auth_token value.

Create a secret

Use of underscores (_) in secret names should be avoided to make it easier to move between Docker Swarm and Kubernetes.

From a terminal run the following command:

$ echo -n <auth_token> | docker secret create auth-token -

Test that the secret was created:

$ docker secret inspect auth-token

When the secret is mounted by a function it will be presented as a file under /run/secrets/auth-token. This can be read by handler.py to obtain the GitHub Personal Access Token.

Update issue-bot.yml

Replace the reference to env.yml with an instruction to make the auth-token secret available to the function:

provider:
  name: faas
  gateway: http://127.0.0.1:8080

functions:
  issue-bot:
    lang: python3
    handler: ./issue-bot
    image: <your-username>/issue-bot
    environment:
      write_debug: true
      gateway_hostname: "gateway"
      positive_threshold: 0.25
    secrets:
      - auth-token

Update the issue-bot function

The function handler needs to be changed so that it reads the auth-token secret rather than the environment variable. This is a single-line change where:

g = Github(os.getenv("auth_token"))

is replaced with

# Read the token from the mounted secret; strip() drops any trailing newline
with open("/run/secrets/auth-token", "r") as authToken:
    g = Github(authToken.read().strip())

The full source code is available at issue-bot-secrets/bot-handler/handler.py
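A more defensive way to load the mounted secret, as an added example that is not part of the workshop's handler.py: it validates the secret name, tolerates a trailing newline (as left by a plain echo without -n), and fails with an error that never contains the token. The names read_secret and SecretError are hypothetical helpers introduced here.

```python
import os
import re
import tempfile

SECRETS_DIR = "/run/secrets"  # mount point named in this lab
# Assumed policy: plain file names only, so no "/" and no leading "."
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class SecretError(RuntimeError):
    """Raised when a secret cannot be loaded; never carries the value."""


def read_secret(name, secrets_dir=SECRETS_DIR):
    """Return the contents of a mounted secret, whitespace-stripped."""
    if not NAME_RE.match(name):
        raise SecretError("invalid secret name: %r" % name)
    path = os.path.join(secrets_dir, name)
    try:
        with open(path, "r") as secret_file:
            value = secret_file.read().strip()
    except OSError as err:
        # Report the path and OS error text only, never file contents.
        raise SecretError("cannot read secret %s: %s" % (path, err.strerror))
    if not value:
        raise SecretError("secret %s is empty" % path)
    return value


def demo():
    """Exercise read_secret against a constructed secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "auth-token"), "w") as f:
            f.write("constructed-token-value\n")  # constructed, not a real token
        token = read_secret("auth-token", tmp)
        # In the handler this would become: g = Github(read_secret("auth-token"))
        return len(token)


if __name__ == "__main__":
    print("token length:", demo())
```

If the secret is missing, the function fails at start-up with a SecretError instead of passing an empty token to the GitHub client.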

Build and deploy

Use the CLI to build and deploy the function:

$ faas-cli build -f issue-bot.yml \
  && faas-cli push -f issue-bot.yml \
  && faas-cli deploy -f issue-bot.yml

Now move on to Lab 8.