Use container secrets securely #2271

Open · itoffshore wants to merge 1 commit into master from secrets

Conversation

itoffshore commented May 15, 2025

  • adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file location can be changed / set on every run
  • adds set_password_files() to entrypoint.sh so /home/step/secrets/password becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE (for backwards compatibility) & also DOCKER_STEPCA_PASSWORD_FILE so secret file permissions are retained
  • adds podman example quadlet / run command with a secret generated by openssl using an 8192 character hex string
  • small update to README.md for new podman examples / docker examples

Fixes #2270


Name of feature: More secure container secrets / add podman examples

Pain or issue this feature alleviates: improves container secret file permissions

Why is this important to the project (if not answered above): you can never have too much security ;o)

Is there documentation on how to use this feature? If so, where? podman examples included - I've been using these for a few weeks now

In what environments or workflows is this feature supported? containers

In what environments or workflows is this feature explicitly NOT supported (if any)? standalone binaries

Supporting links/other PRs/issues: #2270

💔Thank you!

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label May 15, 2025
@itoffshore itoffshore force-pushed the secrets branch 3 times, most recently from 88689aa to 2f8e30d Compare May 21, 2025 00:33
itoffshore (Author) commented May 21, 2025

did a bit more testing:

  • 378,000 character base64 string from openssl doesn't work (I don't think the input expects so many newlines)
  • successfully tested & changed the examples to 8192 character hex string from openssl
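The two mechanisms described in the PR description and in the follow-up comment above, as an added example: a helper that generates an 8192-character hex secret with openssl (read here as `openssl rand -hex 4096`, an assumption) under restrictive permissions, and a `set_password_files`-style function that symlinks `/home/step/secrets/password` to the mounted secret so the secret file's own mode is kept rather than copied into a new, possibly world-readable file. This is illustrative shell written for this page, not the project's `entrypoint.sh`; `STEP_HOME`, the helper names, the `od` fallback and the scratch-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not smallstep's entrypoint.sh. Shows how a container
# entrypoint can point $STEP_HOME/secrets/password at a mounted secret via a
# symlink instead of copying the secret, so the mode set by podman/docker on
# the secret file (e.g. 0400) is what step-ca reads through.
set -eu

# Assumed defaults; STEP_HOME is a scratch dir here so the demo runs offline.
STEP_HOME="${STEP_HOME:-$(mktemp -d)}"
DOCKER_STEPCA_INIT_PASSWORD_FILE="${DOCKER_STEPCA_INIT_PASSWORD_FILE:-}"
DOCKER_STEPCA_PASSWORD_FILE="${DOCKER_STEPCA_PASSWORD_FILE:-}"

# generate_hex_secret FILE [NBYTES]: write 2*NBYTES hex characters to FILE.
# 4096 random bytes -> 8192 hex chars, one line, no embedded newlines (the
# follow-up comment notes that a multi-line base64 blob was rejected).
generate_hex_secret() {
  file="$1"; nbytes="${2:-4096}"
  umask 077                                   # never create it readable by others
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$nbytes" > "$file"
  else
    # Fallback for hosts without openssl (assumption): hex-encode /dev/urandom.
    od -An -tx1 -N "$nbytes" -v /dev/urandom | tr -d ' \n' > "$file"
  fi
  chmod 0400 "$file"
}

# set_password_files: make $STEP_HOME/secrets/password a symlink to the secret.
# DOCKER_STEPCA_PASSWORD_FILE (per-run location) takes precedence; otherwise
# fall back to DOCKER_STEPCA_INIT_PASSWORD_FILE for backwards compatibility.
set_password_files() {
  target="${DOCKER_STEPCA_PASSWORD_FILE:-$DOCKER_STEPCA_INIT_PASSWORD_FILE}"
  [ -n "$target" ] || return 0                # nothing mounted: keep old behaviour
  [ -r "$target" ] || { echo "secret file $target is not readable" >&2; return 1; }
  mkdir -p "$STEP_HOME/secrets"
  # -n replaces an existing symlink rather than linking inside it.
  ln -sfn "$target" "$STEP_HOME/secrets/password"
}

# secret_mode FILE: octal mode of the file a symlink resolves to (GNU stat).
secret_mode() { stat -L -c '%a' "$1"; }

# Stand-alone demo: constructed secret in a scratch directory, then wire it in.
demo() {
  scratch="$(mktemp -d)"
  generate_hex_secret "$scratch/password" 4096
  DOCKER_STEPCA_PASSWORD_FILE="$scratch/password"
  set_password_files
  echo "link -> $(readlink "$STEP_HOME/secrets/password") mode $(secret_mode "$STEP_HOME/secrets/password")"
}
demo
```

Because the entrypoint only ever creates a symlink, a secret mounted read-only at 0400 by the container runtime stays 0400; a `cp` or `echo > file` in the entrypoint would instead inherit the process umask. The readability check before linking surfaces a missing or unreadable mount at startup rather than as a confusing step-ca error later.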

@itoffshore itoffshore force-pushed the secrets branch 2 times, most recently from 71ef567 to dd11516 Compare May 22, 2025 01:21
@itoffshore itoffshore marked this pull request as draft May 22, 2025 18:46
@itoffshore itoffshore force-pushed the secrets branch 11 times, most recently from 307f599 to a5eaa57 Compare May 24, 2025 17:14
@itoffshore itoffshore marked this pull request as ready for review May 24, 2025 17:16
@itoffshore itoffshore marked this pull request as draft May 24, 2025 17:26
@itoffshore itoffshore marked this pull request as ready for review May 25, 2025 10:43
@itoffshore itoffshore marked this pull request as draft May 25, 2025 12:14
@itoffshore itoffshore marked this pull request as ready for review May 25, 2025 12:59
@hslatman hslatman requested a review from jdoss May 27, 2025 17:04
jdoss (Contributor) left a comment

Thank you so much for this PR @itoffshore. You get bonus points for including Podman examples. 👏🏼👏🏼 I use Podman with Quadlets for all of my homelab container deployments, including step ca.

I have left a detailed review. If you can make the requested changes that would be great, and we can get this merged.

itoffshore (Author) commented May 29, 2025

> Thank you so much for this PR @itoffshore. You get bonus points for including Podman examples. 👏🏼👏🏼 I use Podman with Quadlets for all of my homelab container deployments, including step ca.

I can fix it here && here

> I have left a detailed review. If you can make the requested changes that would be great, and we can get this merged.

all the changes should be there

Quadlets are great - on to pods next

if you love podman check out MicroOS as a container host - I switched to it on my stuff about a year ago. Rolling release with self correcting upgrades (btrfs snapshots)

Making customised iso images with "kiwi" is great. RKE2 can be run on it very easily.


  • Possibly the issue with the Alpine image when not run with --privileged: [screenshot: alpine-stepca]

  • perhaps put the image binaries under /usr/bin (where Alpine expects them to be). In Alpine ordinary users are quite locked down (no ping), something doesn't like /usr/local/bin executing by the step user early in startup.

  • I can do a small fix here && here

@itoffshore itoffshore force-pushed the secrets branch 2 times, most recently from 76f593c to 2bce8ba Compare May 29, 2025 21:12
* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples

Fixes smallstep#2270