Keywhiz Client Library and Mount Points


Matthew Halder

Aug 18, 2016, 1:24:29 PM8/18/16
to keywhiz-users
1.  Is there a Keywhiz client library that could be added to a microservice base image?  That'd be pretty nice to offload some of the decoding so that runtime secrets could be accessed in a single step or through a client call.
2.  Is it possible to mount different secret groups to different directory locations?  I'd like to be able to mount /secrets/${microservice-1} and /secrets/${microservice-2} and then mount that directory location to the container.  Is this something that would require mounting as different users and groups when starting keywhiz-fs (and thus need more than one keywhiz-fs service running)?  Is it possible to make a breakdown like this through Keywhiz groups?  It would be cool to separate access by microservice.

Matthew McPherrin

Aug 18, 2016, 2:54:31 PM8/18/16
to Matthew Halder, keywhiz-users

For (1), we basically only access secrets through keywhiz-fs. There is a Java client in the server repo, and a Go client as part of keywhiz-fs you can use, but accessing secrets is pretty trivial so it should be easy to do that in whatever language you want.

For (2), this is basically how keywhiz-fs is intended to be used.

We run an instance of kwfs per deployed thing, here referred to as 'app' but roughly equivalent to a container.

The way we organize secrets in Keywhiz looks kinda like this:

Per app, per host Client:
$appname-$hostname

Assigned to groups:
$appname-$hostname
$appname-$datacenter
$appname

Then secrets are added to one of those groups as appropriate - most secrets are in the group called $appname if added by a person, or a lot of our automation issues per-host secrets to the $appname-$hostname group.


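The client/group layout from the reply above, worked through as an added example (Python, written for this page; it is not code from the thread, from Keywhiz or from keywhiz-fs). Keywhiz stores clients, groups and secrets in its database and identifies a client by its TLS certificate; this script only models the resolution rule that the layout relies on, namely that a client can read every secret assigned to any group it belongs to, so that the isolation between two apps on one host and between two hosts of one app can be checked. The app names, host names, datacenter names, secret names and the /secrets/<app> mount path are constructed for illustration; Keywhiz does not dictate the path.

```python
# Added example (Python), not part of the thread or of Keywhiz's own code.
# It models the layout the reply describes: one Keywhiz client per app per
# host, assigned to the groups $app-$host, $app-$datacenter and $app, plus the
# rule applied when a client asks for secrets: it gets every secret assigned
# to any group it belongs to. All names below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Layout:
    """In-memory stand-in for the client/group/secret tables in Keywhiz."""
    clients: dict = field(default_factory=dict)        # client -> (app, host)
    client_groups: dict = field(default_factory=dict)  # client -> {group, ...}
    group_secrets: dict = field(default_factory=dict)  # group -> {secret, ...}


def client_name(app: str, host: str) -> str:
    """Per-app, per-host client name: $appname-$hostname."""
    return f"{app}-{host}"


def groups_for(app: str, host: str, datacenter: str) -> list:
    """The three groups each per-app, per-host client is assigned to."""
    return [f"{app}-{host}", f"{app}-{datacenter}", app]


def enroll(layout: Layout, app: str, host: str, datacenter: str) -> str:
    """Register the client that one keywhiz-fs instance presents for `app` on `host`."""
    name = client_name(app, host)
    layout.clients[name] = (app, host)
    layout.client_groups.setdefault(name, set()).update(groups_for(app, host, datacenter))
    return name


def add_secret(layout: Layout, secret: str, group: str) -> None:
    """Assign a secret to a group (people target $app; automation targets $app-$host)."""
    layout.group_secrets.setdefault(group, set()).add(secret)


def visible_secrets(layout: Layout, client: str) -> set:
    """Everything a client can read: the union of secrets over all of its groups."""
    groups = layout.client_groups.get(client, set())
    return set().union(*(layout.group_secrets.get(g, set()) for g in groups))


def mounts_for_host(layout: Layout, host: str) -> dict:
    """What each per-app keywhiz-fs mount on `host` would expose.

    The /secrets/<app> path is an assumption taken from the question. Each
    mount is backed by its own client cert, so two apps on the same host
    never share a view even though one Keywhiz server serves both.
    """
    return {
        f"/secrets/{app}": sorted(visible_secrets(layout, client))
        for client, (app, h) in layout.clients.items()
        if h == host
    }


def build_example() -> Layout:
    """Constructed scenario: two apps on two hosts in two datacenters."""
    layout = Layout()
    for app in ("billing", "search"):
        enroll(layout, app, "web1", "dc1")
        enroll(layout, app, "web2", "dc2")
    # Hand-added secrets go to the app-wide group and reach every host.
    add_secret(layout, "billing/db-password", "billing")
    add_secret(layout, "search/api-key", "search")
    # A datacenter-scoped secret reaches only the hosts in that datacenter.
    add_secret(layout, "billing/dc1-kafka-creds", "billing-dc1")
    # Automation issues a per-host secret to the per-host group only.
    add_secret(layout, "billing/web1-host-cert", "billing-web1")
    return layout


if __name__ == "__main__":
    layout = build_example()
    for host in ("web1", "web2"):
        print(host, mounts_for_host(layout, host))
```

Running it shows the separation the question asks for: on web1 the billing mount carries the app-wide, dc1 and web1-specific secrets while the search mount carries only search/api-key, and on web2 billing sees nothing but the app-wide secret. Because the per-host secret lives in billing-web1 and nowhere else, a compromised billing-web2 client cannot retrieve web1's certificate.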