dtomlinson91/traefik-api-key-middleware

Keeping api keys in secrets.

Opened this issue · 4 comments

Hello, first of all I wanted to thank you for making this plugin (been needing this for a while haha).

I wanted to ask if there is a way to create the key list, or just one key, in a secret when using k8s for example.
Atm I saw it's in simple text, which can compromise the application.
Ty very much for the contribution!

Hey @benshalev849

The Middleware CRD is written by Traefik; unfortunately, when writing a plugin you have no control over it.

Looking through, I saw this issue on Traefik a while ago, which looks like it was merged, but I can't find a reference to it in the docs. Looks like it's what you're after?

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: name
  namespace: default

data:
  key: dGhpc19pc190aGVfdmVyeV9kZWVwX3NlY3JldA==

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-secret
  namespace: default

spec:
  plugin:
    test-secret:
      secret_0:
        secret_1:
          secret_2:
            user: admin
            secret: urn:k8s:secret:name:key
```

Personally, we use Helm with the Helm Secrets plugin to store the API keys encrypted with SOPS in the chart when deploying the middleware, but if that functionality is in there I'd swap to using that, and I'll update the readme with an example, as it's much better than plain text.

Hello,
looks like the official enterprise plugin uses hashed keys to avoid having them in plain text.
However, using something like bcrypt to systematically encrypt the incoming key could significantly slow down the credentials check.

If you are interested I could take the time to implement this as a non breaking change.
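To illustrate the hashed-key approach discussed above without the per-request cost of bcrypt, here is an added example (not code from this plugin or its author) of a validator that stores SHA-256 digests of the keys in its config and compares the presented key in constant time. The `Config`, `HashKey`, `NewValidator` and `Allowed` names, and the sample key, are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Config is a hypothetical plugin config: instead of plaintext keys it holds
// hex-encoded SHA-256 digests, so a leaked CRD does not reveal usable keys.
type Config struct {
	HashedKeys []string
}

// HashKey returns the lowercase hex SHA-256 digest of an API key. Random
// high-entropy API keys do not need a slow KDF such as bcrypt; a fast hash
// already prevents recovery of the key from the stored digest.
func HashKey(key string) string {
	sum := sha256.Sum256([]byte(key))
	return hex.EncodeToString(sum[:])
}

// Validator holds the decoded digests loaded from Config.
type Validator struct {
	digests [][]byte
}

// NewValidator decodes every configured digest once at startup and rejects
// malformed entries so a typo cannot silently disable a key.
func NewValidator(cfg Config) (*Validator, error) {
	v := &Validator{}
	for i, h := range cfg.HashedKeys {
		b, err := hex.DecodeString(h)
		if err != nil || len(b) != sha256.Size {
			return nil, fmt.Errorf("hashedKeys[%d]: not a hex SHA-256 digest", i)
		}
		v.digests = append(v.digests, b)
	}
	return v, nil
}

// Allowed hashes the presented key and compares it against every configured
// digest in constant time, without an early exit, to avoid timing leaks.
func (v *Validator) Allowed(presented string) bool {
	sum := sha256.Sum256([]byte(presented))
	match := 0
	for _, d := range v.digests {
		match |= subtle.ConstantTimeCompare(sum[:], d)
	}
	return match == 1
}

func main() {
	// Constructed sample key; in practice only HashKey(key) goes in the config.
	v, _ := NewValidator(Config{HashedKeys: []string{HashKey("example-key-123")}})
	fmt.Println(v.Allowed("example-key-123"), v.Allowed("wrong-key"))
}
```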

@thpiron Feel free to raise a PR. Thanks for letting me know; it does make more sense to hash them, I just needed this functionality quickly.

I'd have time to implement this probably later this month, but if you have time sooner just raise a PR and we can merge it in 👍

@dtomlinson91 opened a draft here: #4.
Code is functional; if it's good enough I'll add some unit tests before merging.