Appliance Secret Management

Note

This user guide applies for appliances running v0.39.0 or newer.

The secret management architecture for Anapaya appliances is designed to safeguard sensitive information by preventing unauthorized access and disclosure.

Plain-text secrets are provisioned with a unique secret identifier. The secret identifier is used to securely reference the secret within the appliance configuration. The API is designed so that secrets stored on the appliance cannot be revealed either intentionally or accidentally. As a result, configuration and observability data can be exchanged without the risk of exposure.

Secret Identifier

Secrets are referenced in the configuration via a secret identifier:

  • scheme: <name>@<version>

  • regex with permitted chars: ^[_a-zA-Z0-9:.-]+@[0-9]+$

The initial version must be 1. Subsequent version must be incremented without any gaps. I.e., if the current highest version is x, the next version must be x+1. If you require a more elaborate versioning scheme, we recommend to encode it in the name portion of the secret identifier.

Secret Management

Before a secret identifier can be used as secret reference, the secret with the desired identifier must be provisioned on the appliance.

The Anapaya appliance offers an HTTP REST API supporting various operations. In particular, it provides a set of endpoints that can be used to list and add secrets. You can refer to Management API Specification, for the complete list of secrets endpoints that are supported.

Secret Provisioning

Avoid leaking the secret in the shell history by piping the plain text secret or using the interactive mode of the appliance-cli subcommand. Check the help command for more information:

# interactive mode
appliance-cli secrets add bgp-password@1

# piping the plain text secret
cat secret.txt | appliance-cli secrets add bgp-password@1

Using the appliance-cli with the Management API endpoints:

  • Add a single secret

    secret.json

    {
    "id": "bgp-password@1",
    "value": "myBgpPassword"
}

    # body from file:
appliance-cli post secrets secret: @secret.json

  • Add a batch of secrets

    secrets.json

    {
    "secrets": [
        {
            "id": "bgp-password@1",
            "value": "myBgpPassword"
        },
        {
            "id": "forwarding-key_1-ff00:0:110@1",
            "value": "Zm9yd2FyZGtleQo="
        }
    ]
}

    appliance-cli post secrets/batch @secrets.json

References

After provisioning the secret, the secret identifier can be used as secret reference in the appliance configuration.

Some of the secret references in the appliance configuration require a specific format of the underlying secret. For example, the forwarding key must be base64-encoded. This is specified in the documentation for the respective secret reference field of the appliance configuration.

Note

The appliance configuration validation ensures that the referenced secrets exist and match the expected format.