Credential management using Secret in nginx_3scale

2024-06-29 00:57:45 +02:00 · 2017-05-24 15:05:34 +02:00 · 2017-05-24 15:05:34 +02:00 · af966f56df
commit af966f56df
parent cf10d3199e
2 changed files with 10 additions and 31 deletions
--- a/k8s/nginx-3scale/nginx-3scale-dep.yaml
+++ b/k8s/nginx-3scale/nginx-3scale-dep.yaml
@ -19,8 +19,7 @@ spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx-3scale
-        image: bigchaindb/nginx_3scale:1.1
-        # TODO(Krish): Change later to IfNotPresent
+        image: bigchaindb/nginx_3scale:1.4
        imagePullPolicy: Always
        env:
        - name: MONGODB_FRONTEND_PORT
@ -33,7 +32,6 @@ spec:
        - name: BIGCHAINDB_FRONTEND_PORT
          value: $(NGX_INSTANCE_0_SERVICE_PORT_NGX_PUBLIC_BDB_PORT)
        - name: BIGCHAINDB_BACKEND_HOST
-          # NGINX requires FQDN to resolve names
          value: bdb-instance-0.default.svc.cluster.local
        - name: BIGCHAINDB_BACKEND_PORT
          value: "9984"
@ -46,19 +44,6 @@ spec:
          value: "10.0.0.10"
        - name: NGINX_HEALTH_CHECK_PORT
          value: "8888"
-        # TODO(Krish): use secrets for sensitive info
-        - name: THREESCALE_SECRET_TOKEN
-          value: "<Secret Token Here>"
-        - name: THREESCALE_SERVICE_ID
-          value: "<Service ID Here>"
-        - name: THREESCALE_VERSION_HEADER
-          value: "<Version Header Here>"
-        - name: THREESCALE_PROVIDER_KEY
-          value: "<Provider Key Here>"
-        - name: THREESCALE_FRONTEND_API_DNS_NAME
-          value: "<Frontend API FQDN Here>"
-        - name: THREESCALE_UPSTREAM_API_PORT
-          value: "<Upstream API Port Here>"
        ports:
        - containerPort: 27017
          hostPort: 27017
@ -81,7 +66,10 @@ spec:
          name: public-api-port
          protocol: TCP
        volumeMounts:
-        - name: https
+        - name: threescale-credentials
+          mountPath: /usr/local/openresty/nginx/conf/threescale
+          readOnly: true
+        - name: https-certs
          mountPath: /usr/local/openresty/nginx/conf/ssl/
          readOnly: true
        resources:
@ -98,5 +86,9 @@ spec:
      volumes:
      - name: https
        secret:
-          secretName: certs
+          secretName: https-certs
+          defaultMode: 0400
+      - name: threescale-credentials
+        secret:
+          secretName: threescale-credentials
          defaultMode: 0400
--- a/k8s/nginx-3scale/nginx-3scale-secret.yaml
+++ b/k8s/nginx-3scale/nginx-3scale-secret.yaml
@ -1,13 +0,0 @@
-# Certificate data should be base64 encoded before embedding them here by using
-# `cat cert.pem | base64 -w 0 > cert.pem.b64` and then copy the resulting
-# value here. Same goes for cert.key.
-# Ref: https://kubernetes.io/docs/concepts/configuration/secret/
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: certs
-type: Opaque
-data:
-  cert.pem: <certificate data here>
-  cert.key: <key data here>