Page MenuHomePhabricator
Create Task
Maniphest T335979

Decision request - Toolforge envvars/secrets service
Closed, ResolvedPublic
Actions

Description

Problem

Currently users have to store the secrets in the NFS home directory, making it easy to leak (just forget to chmod) and hard to track. This also binds our users to NFS (instead of being agnostic from the implementation).

We want a way for users to create the secrets and not have to care where are they stored, if they set the right permissions and abstracted enough for us to be able to change the implementation with minimal impact on the users.

Original task: T334578: [toolforge] Create a secrets management offering to avoid storing on NFS

Constraints and risks

  • If it's too complicated users might have a hard time using it
  • If we leak implementation details, we might lose the ability to change the implementation

Decision record

https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/Decision_record_T335979_Decision_request_-_Toolforge_envvars/secrets_service

Options

Option 1

Have a secrets cli (and API) that allows setting secrets as environment variables and files mounted in the filesystem the app runs on (similar to what k8s secrets offers).

Pros:

  • Things like certificates are easier to think about (file vs reading it from an env var)

Cons:

  • A bit more complex to implement (two features)
  • Risk of having users uploading non-secret files as secrets (ex. settings.py)
  • No explicit envvars offering (a bit out of scope, but a nice plus)
  • If users get used to using secrets for envvars, might difficult implementing envvars in a different way in the future (as users will have to explicitly

Option 2

Have an envvar cli (and API) that allows setting environment variables for the app environment, that would be a superset as env vars would be secrets and not secrets (no specific cli for secrets).

Pros:

  • Promotes having only secret things as env vars have size limits
  • Simpler implementation

Cons:

  • A bit confusing if it is secret or not
  • Makes managing things like certificates a bit harder (as there's no file support)
  • If users get used to using envvar for secrets, might difficult implementing secrets in a different way (as users will have to explicitly migrate)

Option 3

Have a secrets cli and an envvar cli that allow setting environment variables for the app envirnoment, for starters one being just an alias of the other.

Pros:

  • Promotes having only secret things as env vars have size limits
  • Simpler implementation
  • Though they are the same, it makes clear that secrets are supported, and envvars are supported, without mixing them (from the user's point of view)
  • Easy to evolve each offering, allowing splitting the implementation with little user work

Cons:

  • Makes managing things like certificates a bit harder (as there's no file support)

Option 4

Please add anything else you deem relevant!

Related Objects
Search...

Event Timeline

dcaro created this task.May 4 2023, 4:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 4 2023, 4:22 PM
dcaro mentioned this in T334578: [toolforge] Create a secrets management offering to avoid storing on NFS.May 4 2023, 4:29 PM
dcaro updated the task description. (Show Details)
fnegri subscribed.May 10 2023, 2:57 PM
Slst2020 subscribed.May 10 2023, 4:09 PM

In my opinion, treating secrets and other environment variables collectively as "configuration" can offer a more streamlined user experience, similar to the "Config Vars" in Heroku. As for certificates, I wouldn't expect them to be managed through the same interface. For these reasons, I prefer option 2.

I think mixing secrets and non-secret environment variables should be fine as long as we provide clear documentation and guidelines on best practices for managing secrets within this unified interface.

fnegri added a comment.May 11 2023, 10:13 AM

I also like option 2 as it's the simplest one. I feel like the distinction between "secrets" and "variables" can be artificial.

I think what most tool users will need is a way to store generic strings in a way that they can be accessed by the tool, but without publishing them to a public Git repository. I don't think there's a huge difference between calling these strings "env variables" or "secrets", as long as we make it clear in the documentation who can access those (I imagine they will be accessible to all maintainers of that tool, and to toolforge roots) and who cannot (they will not be public and they will not be readable by other tools).

Two common scenarios that I think we should list in the documentation are storing passwords, API keys, etc. and config options. I would personally argue that config options should be stored in Git as there's no need to hide them, but 12-factor app is a popular paradigm that some tool maintainer might want to follow and that's ok.

Slst2020 added a comment.May 11 2023, 11:57 AM
In T335979#8844095, @fnegri wrote:

I would personally argue that config options should be stored in Git as there's no need to hide them, but 12-factor app is a popular paradigm that some tool maintainer might want to follow and that's ok.

This opens the door for secrets to be accidentally committed to git though. If the expectation is "no config in env files", then that's less likely to happen.

dcaro added a comment.May 12 2023, 3:16 PM

Renamed the WIP implementation, as comments seem to converge on the envvars naming: https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-envvars-api/-/merge_requests/2

dcaro renamed this task from Decision request - Toolforge secrets service to Decision request - Toolforge envvars/secrets service.May 22 2023, 7:54 AM
dcaro added a comment.May 22 2023, 7:58 AM

as long as we provide clear documentation and guidelines on best practices for managing secrets within this unified interface.

I'm not a big fan of having to provide documentation (or read documentation) to use a tool (emphasis on "having").

In any case, it seems that option 2 is the agreed way to go. I'll leave the task open until thursday to finalize it as a decision, if someone has a different idea/proposal, write it here before then and I'll setup a meeting next week.

Thanks!

dcaro moved this task from Inbox to Discussion on the Cloud Services Proposals board.May 22 2023, 7:59 AM
dcaro closed this task as Resolved.EditedMay 26 2023, 7:48 AM
dcaro updated the task description. (Show Details)

Decided for option 2 (see decision record), thanks to everyone involved!

dcaro moved this task from Discussion to Implementation on the Cloud Services Proposals board.May 26 2023, 7:53 AM
dcaro mentioned this in T337538: [toolforge] Create envvars management offering.May 26 2023, 8:48 AM
dcaro added a subtask: T337538: [toolforge] Create envvars management offering.
dcaro changed the status of subtask T337538: [toolforge] Create envvars management offering from Open to In Progress.Jun 2 2023, 7:34 AM
dcaro closed subtask T337538: [toolforge] Create envvars management offering as Resolved.Jun 20 2023, 12:13 PM
Novem_Linguae subscribed.Sun, Mar 31, 11:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL