inject secrets (API keys etc) into node js project - node.js

I'm migrating a nodeJS project from GCP to DigitalOcean.
I'm running this nodeJS code on a kubernetes cluster in DigitalOcean. I'm using GitHub Actions to automatically build a docker image and deploy it to my kubernetes cluster. Everything works as expected, but I have a question.
On GCP, I used the secret manager to inject secrets (database credentials, API keys, ...) into my NodeJS project. I am looking for a similar solution on DigitalOcean. I have found SecretHub, it looks interesting but I'm unable to sign up.
I have found this from 1Password Connect, but it looks like I have to set up a server?
Does anyone know some interesting tool or trick to securely inject secrets into my nodejs code?

Yes, you can check out HashiCorp Vault, which is mainly used with Kubernetes as a secret solution to inject the configuration and variables into Kubernetes deployments.
It's easy to set up and integrate with Kubernetes.
HashiCorp Vault: https://www.hashicorp.com/products/vault
The Enterprise version is a paid one; however, you can use the open-source version, which will solve all your needs, with a UI and login panel. You can use it for production purposes; it's safe, secure, and easy to integrate.
You can run it as one simple Pod (deployment) on the Kubernetes cluster.
Here you can follow the demo with a minikube setup: https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube?in=vault/kubernetes

Related

Host HashiCorp Vault in Azure App Services

Is it possible to host/deploy HashiCorp Vault on MS Azure App Services so that I can create, read, update and delete Vault secrets from my apps deployed on Azure App Services?
I can't find any documentation. I only know that I can host it on Windows virtual machine on-prem.
That seems doable. I can think of a few options (#1 is specifically for App Services, as you asked):
HashiCorp Vault -> Docker -> App Service: I'm assuming you are familiar with Docker, which is required for this step. You can create a container locally and deploy it on App Service.
To do this, create a Dockerfile and, as part of the build, use brew to download Vault.
You will need to create your Dockerfile in multiple stages to have Node and brew installed first.
Once that's done, the next step in the build process is to get HashiCorp Vault via brew: https://www.vaultproject.io/downloads.
Alternatively, you could download the packages on your machine using brew, and then package your container.
You can run your container locally, make any configuration changes you prefer, and create the image once you are ready.
Once you have your image on your preferred repository, you could follow the Microsoft guide to deploy: https://learn.microsoft.com/en-us/learn/modules/deploy-run-container-app-service/
HashiCorp integration with Azure: it can be integrated with Azure (https://www.hashicorp.com/integrations/microsoft) and is ready to be used at scale.
I think a better option would be to run Vault in an Azure Container Instance. You can find the official vault container here: https://github.com/hashicorp/docker-vault
The App Service platform execution environment differs from a local execution environment mainly due to multi-tenancy — because a single physical machine in the data center can be concurrently executing apps and services belonging to a large number of differing customers, resources are more constrained than in the case of an app running on a single machine. The sandbox mechanism mitigates the risk of service disruption due to resource contention and depletion in two ways: it (1) ensures that each app receives a minimum guarantee of resources and quality-of-service, and conversely (2) enforces limits so that an app can not disrupt other concurrently-executing apps on the same machine.
More Details on Azure App Service Sandbox: https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox

Keeping app specific variables when using continuous integration in IBM Cloud

I have an application written in Node.js that I am deploying to the IBM Cloud infrastructure. Everything works great as long as I have the environment variables for the app embedded in my manifest.yml file. This isn't ideal since it keeps these secure values within my GitHub repository.
I use a .env file for my local testing and placing that in my .gitignore is great to ensure that it doesn't roll out to the Git repo, but having to place the values into my manifest really defeats the purpose.
Is there a way to ensure that my environment variables are kept between CI runs that I store on my IBM Cloud apps without resorting to storing them in the manifest?
If you are using Cloud Foundry, then I would recommend taking a look at how Cloud Foundry integrates with services. It allows you to bind a service to an app, thereby making the credentials available. If you already have some services, like another database, you can utilize the concept of a user-provided service. There is no need to set variables; it is managed by Cloud Foundry.
Those concepts integrate well with the Continuous Delivery service on IBM Cloud.
Where do you run continuous integration? If you run on IBM Cloud Continuous Delivery, you can set an environment variable and give your job access to it.
You can see the documentation here.

How to make Google App Service publicly visible

I have a Node JS app that I have running on Google Cloud Platform using the Google Shell, using git clone etc. I can preview the endpoint, but only I can access it. How would I make this public?
I tried "gcloud app deploy" but it seems this needs billing access, even though I'm using the trial. Or is that correct? I'm part of an organisation so not the user that's signed up for the trial, so would that mean getting the person who did to enable my account?
Nick.
There are many options in Google Cloud Platform to deploy your Node.js application and expose the endpoint to the public internet: App Engine, Compute Engine, Kubernetes Engine.
As I understand it, you are using Cloud Shell to download the code from a Git repository and to test your application there. Web Preview will prompt you with the Google log-in page, so it is not an option if you want the endpoint to be accessible to others publicly.
The command you are using (gcloud app deploy) is for App Engine. I think you are in the right direction here, since App Engine will serve as the container of your application and will let you deploy your service to the public internet without any additional configuration. At this point I would recommend that you follow the step-by-step guide in [1].
About the role required to enable the App Engine API, you will need a project owner or project editor role.
Cheers.

How to use Azure Managed Service Identity in node js in a local development scenario

In our project we have two web apps which both access a key vault. One web app is Node.js and the other .NET Core. For both web apps we have set up Managed Service Identity and given the corresponding service principals access to the key vault.
When we deploy the web apps to Azure, access to key vault is working as expected. We use the approaches described here.
When it comes to .NET Core also the local development scenario is working well, because AzureServiceTokenProvider in connection with Azure CLI 2.0 is taking care of fetching the token.
However, I am not exactly sure how to fetch a token for key vault in node js in the local development scenario. We have come up with the following potential solutions:
Call Azure CLI from node js to fetch a secret. This would work, but requires quite a bit of plumbing.
Create a dedicated service principal that is used locally in Node.js. This is what we are doing right now. However, that way the Node.js web app and .NET Core web app use different approaches to getting a token, which is not very consistent.
Are there any options we are missing? Additional ideas would be greatly appreciated.

Test Azure application in Dev Fabric

I have created a sample web role application using a cloud service. Before hosting my application in the cloud, I want to test the application in Dev Fabric. I am sure that when we run the application from VS, it creates an environment that simulates the cloud.
But, if I want to give my application to QA for testing, do I still need to give them my source and run the application from VS under Dev Fabric, or are there any other ways of running my deployed package under Dev Fabric?
In a line, my question is: how do I run my packaged Azure application under Dev Fabric before hosting it in the cloud?
Can anyone having an idea please share some information with me?
Thanks for your quick response. The CSRun command helped in accomplishing my requirement. But I can see that it is taking an IP address, http://127.0.0.1:80/, by default.
Also, I am trying to find out whether there is a way we can change this to a proper name instead of using an IP,
for example: http://localhost/ or
with the deployed machine name like http://applicationserver/webrole1/ - so that we can access this from any machine in the network.
I went through the Dev Fabric UI, where we can see the current instances running, but I didn't find any options for these.
Please share some information on this with me.
When you run your application locally, a different kind of package gets created (actually a directory) with a .csx extension.
As long as you have that .csx directory and your configuration file (.cscfg), you can run the package by using the "csrun" command. (So no, you don't need Visual Studio.)
You can use this blog post to access azure services running in DevFabric (DF) from other boxes -
http://blog.ehuna.org/2009/10/an_easier_way_to_access_the_wi.html
