Managing Secrets in Ankaios

[MatthiasEckhart]

Hi,
I'm new to Ankaios and was wondering if it includes a built-in solution for secrets management. I couldn't find any references to managing secrets in the documentation, so I'd like to know whether there are recommended best practices or built-in features for this.

[windsource]

There are various ways how to handle secrets with Ankaios:

Using environment variables

In a simple way a secret could be passed to a workload as an environment variable like:

apiVersion: v0.1
workloads:
  myapp:
    runtime: podman
    agent: agent_A
    runtimeConfig: |
      image: docker.io/busybox:latest
      commandOptions: ["-e", "PASSWORD=supersecret"]
      commandArgs: ["sh", "-c", "echo $PASSWORD"]

Separate secrets with configs

In order to separate secrets and workloads, configs could be used like:

apiVersion: v0.1
workloads:
  myapp:
    runtime: podman
    agent: agent_A
    configs:
      c: myapp
    runtimeConfig: |
      image: docker.io/busybox:latest
      commandOptions: ["-e", "PASSWORD={{c.password}}"]
      commandArgs: ["sh", "-c", "echo $PASSWORD"]
configs:
  myapp:
    password: supersecret

Using files

Besides using environment variables, also files could be used to pass secrets to applications. In that case the secret could also be stored base64 encoded in the manifest like:

apiVersion: v0.1
workloads:
  myapp:
    runtime: podman
    agent: agent_A
    configs:
      c: myapp
    files:
      - mountPoint: "/password"
        binaryData: "{{c.password}}"
    runtimeConfig: |
      image: docker.io/busybox:latest
      commandArgs: ["sh", "-c", "cat /password"]
configs:
  myapp:
    password: c3VwZXJzZWNyZXQK

Using runtime specific secret management

In addition runtime specific secret management could be used. For the podman runtime Podman secrets could be used and for the podman-kube runtime a Kubernetes secret could be used.

Mounting secrets as files from host

In order keep secrets outside from the manifest, also a file from the host could be mounted to a workload.

Using central secret store

One could also think of having a central secret store which could be directly accessed by the workload in order to receive secrets.

Summary

What method fits best depends on your use case. @MatthiasEckhart do you have a specific use case in mind?

[MatthiasEckhart]

Hi @windsource,

I think it would be helpful to include the security implications of each option so users are aware of potential risks. In particular, the first three options seem problematic from a security perspective.

Also, regarding the note:

In that case the secret could also be stored base64 encoded in the manifest like:

Could you clarify what the benefit of Base64 encoding is in this context?

[windsource]

@MatthiasEckhart, you are right that managing secrets securely can be quite challenging. And it depends on the specific setup and the related attack vectors. Ankaios is targeting an automotive HPC setup which usually already contains a security concept. For that reason Ankaios does not contain a separate handling of secrets. Base64 encoding is just an obfuscation like it is applied in Kubernetes Secrets but does not apply additional security.

[MatthiasEckhart]

Hi @windsource,
Thank you for the detailed explanation. As we know, managing secrets securely can be quite challenging. I'm currently writing a paper on containers in automotive security and was wondering whether Ankaios provides a dedicated, built-in secrets management solution for storing sensitive data encrypted both at rest and in transit.

I don't have a concrete use case yet, but I imagine the automotive domain introduces unique challenges for secret management in containerized architectures (e.g., OTA updates or authN with remote services). A guide or best practice write-up for these scenarios would be extremely valuable for the community.