On Tue, May 07, 2019 at 02:47:59PM -0000, Dmitry Perets via FreeIPA-users wrote:
> Hi,
> I have a use-case when an application needs to access the secret stored in IPA Vault. The
> problem is that the application is containerized...
> So what would be the best practice to authenticate to the Vault?
> The logic says we should use REST API, but how to authenticate to the IPA, without having
> to put user/password in a file inside the container...?
> Enroll the container with IPA and use Kerberos...?
> Or mount a keytab file from the enrolled parent host and install Kerberos package in the
> container to use it...?
> Does anyone have experience with this?
In general, you will want to authenticate somehow, which means
proving identity. So the first question is -- what is the identity
here? The service that the container provides? Or the host on which
this container runs? If you scale the containers to run two in
parallel, say in Kubernetes, do you want each container to have its
own identity or act on behalf of a single one?
After you decide what the identities should be, you can then create
service principals for them in IPA and get credentials (keytabs),
and then the question is, how do you want to distribute the credentials.
Depending on the layout of your container platform, you can put
them on the host filesystem and mount them into the container, or you can
distribute them as secrets using (say) Kubernetes' secrets mechanism.
We've even had a setup in which the bearers of the identities were the
actual hosts on which the containers were running, and we were able
to delegate the access from the containers to the hosts ... but even
then you need to deal with the initial question -- what is the
identity? How do you distinguish one container from another?
So overall, all the options that you mentioned are possible; it
all depends on your environment and needs.
--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
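The workflow Jan describes (pick an identity, create a service principal, fetch its keytab, hand it to the container via a Kubernetes Secret, then use it from inside the pod to read the vault), as an added example that is not part of the thread and not FreeIPA's own tooling. The service name "vaultreader", the host, realm, vault name, namespace and mount path are assumed placeholders.

```shell
#!/bin/sh
# Added example: one containerized service gets its own IPA identity, the
# keytab travels as a Kubernetes Secret, and the pod authenticates with
# Kerberos instead of a user/password file. All names are placeholders.
set -eu

# Build the Kerberos service principal for a service/host pair.
service_principal() {           # $1=service $2=fqdn $3=REALM
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Render a Kubernetes Secret carrying the keytab (the API wants base64).
# A function so the manifest can be inspected before being applied.
render_keytab_secret() {        # $1=secret name $2=namespace $3=keytab path
    b64=$(base64 < "$3" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  krb5.keytab: %s\n' \
        "$1" "$2" "$b64"
}

# Run on an IPA-enrolled host holding an admin ticket (kinit admin).
# $1=service $2=fqdn $3=REALM $4=vault name $5=k8s namespace
provision_container_identity() {
    princ=$(service_principal "$1" "$2" "$3")
    ipa service-add "$princ"                          # the identity itself
    ipa vault-add-member "$4" --services="$princ"     # least privilege: this vault only
    ipa-getkeytab -p "$princ" -k "/root/$1.keytab"    # credentials for that identity
    render_keytab_secret "$1-keytab" "$5" "/root/$1.keytab" | kubectl apply -f -
    shred -u "/root/$1.keytab"                         # leave no copy on the host
}

# Inside the pod: the Secret is mounted read-only at /etc/krb5/krb5.keytab
# and the ipa client package is installed in the image.
# $1=principal $2=vault name $3=output file
fetch_vault_secret() {
    kinit -kt /etc/krb5/krb5.keytab "$1"
    ipa vault-retrieve "$2" --out "$3"
    kdestroy                                           # drop the ticket when done
}
```

Scaling to several replicas keeps one principal per service, which answers the "which identity?" question in the reply: every replica presents the same service identity, and the vault membership list is the only place that identity is granted access.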