If your CAS server is deployed and running as a Docker container, you may want to manage and store certain sensitive configuration settings as Docker secrets. Such secrets are a blob of data, such as a password, a private key, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in CAS configuration sources in plaintext.
In this post, we will take a look at options provided by CAS that allow one to pull settings from Docker secrets. Our starting position is based on CAS 7.2.x and Java 21.
In terms of Docker Swarm services, a secret is a blob of sensitive data that should not be transmitted over a network, stored unencrypted in a Dockerfile, or put in CAS configuration sources in plain text. You can use Docker secrets to centrally manage this data and securely transmit it only to the CAS containers that need access to it. Secrets are encrypted in transit and at rest in a Docker swarm. A given secret is only accessible to those CAS services which have been granted explicit access to it, and only while those CAS service tasks are running.
The CAS integration with Docker secrets works by scanning configuration properties that are found by default at /run/secrets. The properties are then loaded into CAS and made available to the application context and its environment. This default configuration directory can be configured via the system property (or environment variable) CAS_DOCKER_SECRETS_DIRECTORY.
Note that the filenames of the secrets must match the property names that CAS expects. For example, your secret might be named /run/secrets/cas.some.fancy.setting with a sensitive value. At runtime, CAS will attempt to locate and read the secret from the file and apply it to the setting cas.some.fancy.setting.
To activate this configuration mode, you will need to make sure CONTAINER is set to true either as an environment variable or a system property when the container launches. This setting is used to determine whether CAS is running inside a container and will activate the Docker-relevant configuration source.
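The following swarm stack file is an added example, not part of the original post or the CAS project, that wires the pieces above together: the CONTAINER flag, the optional CAS_DOCKER_SECRETS_DIRECTORY override, one secret whose swarm name already equals the CAS property, and one whose mounted filename is renamed with `target` so that it matches the property CAS expects. The image tag, the local file paths, and the use of the TGC encryption key as the second secret are assumptions.

```yaml
# docker-compose.yml, deployed with: docker stack deploy -c docker-compose.yml cas
# Constructed example; the image tag and file paths are assumptions.
version: "3.9"

services:
  cas:
    image: apereo/cas:7.2.0        # assumed tag; use the CAS image you actually build
    ports:
      - "8443:8443"
    environment:
      # Tells CAS it is running inside a container and enables the Docker secrets source.
      CONTAINER: "true"
      # Optional: same as the default, shown here only to make the scan directory explicit.
      CAS_DOCKER_SECRETS_DIRECTORY: /run/secrets
    secrets:
      # Short syntax: mounted as /run/secrets/cas.some.fancy.setting,
      # so the filename already equals the CAS property name.
      - cas.some.fancy.setting
      # Long syntax: the swarm secret has a different name, so `target`
      # renames the mounted file to the property CAS expects
      # (/run/secrets/cas.tgc.crypto.encryption.key). Mode 0400 keeps it
      # readable only by the container user.
      - source: tgc_encryption_key
        target: cas.tgc.crypto.encryption.key
        mode: 0400

secrets:
  cas.some.fancy.setting:
    # Created by the stack from a local file. Write the file with printf rather
    # than echo so no trailing newline becomes part of the property value.
    file: ./secrets/cas.some.fancy.setting
  tgc_encryption_key:
    # Created beforehand, e.g.: docker secret create tgc_encryption_key ./tgc.key
    external: true
```

After deployment, `docker exec` into the CAS task and list /run/secrets to confirm that every filename there is exactly a CAS property name; a secret with a non-matching filename is silently ignored rather than reported as an error.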
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.