Container secret mounts » History » Version 10
Tom Clegg, 03/13/2018 01:34 PM
1 | 1 | Tom Clegg | h1. Container secret mounts |
---|---|---|---|
2 | |||
3 | 2 | Tom Clegg | This is a proposed modification to [[Containers API]]. |
4 | |||
5 | Add a "secret_mounts" serialized field to containers and container requests. |
||
6 | |||
7 | "secret_mounts" has the same form and behavior as "mounts", except: |
||
8 | * Only literal content is allowed (kind=text or kind=json) |
||
9 | * Current value is never returned in a container request or container API response |
||
10 | * Current value can be retrieved from a new API (@/arvados/v1/containers/$uuid/secret_mounts@) which must be authenticated by the container's own runtime token |
||
11 | 1 | Tom Clegg | * Never appears in container logs |
12 | * Never appears in the Arvados logs table |
||
13 | * Never appears in websocket updates |
||
14 | * Never appears in API server request logs |
||
15 | |||
16 | 6 | Tom Clegg | If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error). |
17 | 4 | Peter Amstutz | |
18 | 10 | Tom Clegg | It is an error to use the same mount target in a container request's @mounts@ and @secret_mounts@. |
19 | |||
20 | 3 | Peter Amstutz | For clarity, some ways in which secret_mounts behaves like mounts are: |
21 | 2 | Tom Clegg | * Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify. |
22 | * secret_mounts can be set via container_requests#create and container_requests#update APIs |
||
23 | * secret_mounts cannot be null, but can be an empty hash |
||
24 | * keys of secret_mounts are paths in the container's filesystem, and always begin with "/" |
||
25 | 5 | Peter Amstutz | |
26 | 7 | Tom Clegg | "secret_mounts" api response: |
27 | |||
28 | <pre><code class="json"> |
||
29 | { |
||
30 | "secret_mounts": { |
||
31 | 9 | Tom Clegg | "/secrets/foo": { |
32 | "kind": "text", |
||
33 | "content": "foobar\n" |
||
34 | } |
||
35 | 7 | Tom Clegg | }, |
36 | "_response_time_or_other_api_metadata": "..." |
||
37 | 1 | Tom Clegg | } |
38 | </code></pre> |
||
39 | 8 | Tom Clegg | |
40 | There is no support for secret environment variables or command line arguments. |
||
41 | |||
42 | Documentation note: Anyone who can modify a container request can access its secrets by changing the command, docker image, etc., and committing it. So be careful. |