3

I'm running a jelastic setup to host several Rails applications.

In Rails, it is common to store configuration in the environment. Especially secret data, such as passwords or access keys.

Where should I place these on a Ruby/Rails jelastic setup?

I currently have nginx with Passenger; because that was the default. If Puma or Unicorn makes this easier or more robust, I'd love to hear that.

I currently have my environment variables declared in the /etc/nginx/nginx.conf using the nginx env directive. But this means I am storing the secrets in the nginx.conf file. Yuck.

```nginx
## ENV VARS
env SECRET_KEY_BASE=xxxxxxxxxxxx;
env BLAZER_USERNAME=uuuuu;
env BLAZER_PASSWORD=xxxxxxxxxxxx;
env AWS_ID=aaa;
env AWS_SECRET_KEY=aaa;
env BLAZER_DATABASE_URL=postgres://uuu:ppp@example.com:5432/production;
```

  1. How do you manage your secrets on any jelastic setup?
  2. How do you manage your secrets on a Rails jelastic setup?
  3. Where do you store environment variables to be picked up by the running app?

Edit: I am not interested in keeping secrets away from "other users/processes on the machine". I don't want to store my secrets in my application git-repo. Which is really, really bad practice. As such, I want my Rails app to read e.g. ENV['AWS_SECRET_KEY'] instead of storing that secret key somewhere in my codebase.

berkes
  • @berkes, thanks for a good question. At the moment there is no central point of secrets management for end users in Jelastic. Planned for Q2. However, at the same time each application should be able to use the same approach of secrets storing that was used before running in Jelastic. For example, you can set up your own key value storage https://www.hashicorp.com/blog/twelve-factor-consul.html It might also be useful to check out this option https://docs.jelastic.com/docker-variables if you are using docker containers. – Ruslan Feb 02 '17 at 12:21
  • In addition, a data container can be useful for storing and sharing ssl keys and configs https://docs.jelastic.com/data-storage-container. – Ruslan Feb 02 '17 at 12:22

3 Answers

2

The easiest way is to paste these environment variables into the .bash_profile configuration file, which is located in your home directory and can be accessed through SSH.

Ihor Kolodyuk
1

Phusion Passenger does not run in an interactive shell. Probably, you're using the best solution for now (nginx config).

Mulder Fox
  • True. Which is why adding to nginx works. However, `rake_deploy` runs some magic process (jelastic is all about undocumented black magic processes) which still needs the ENV vars somehow. – berkes Feb 02 '17 at 16:40
0

Jelastic provides each environment's node (e.g. Application Servers, Databases, Docker etc.) as an individual virtual machine (a completely independent instance that can’t be influenced by any other account on the hardware). Being fully isolated and dedicated to your particular needs, it ensures enough privacy and can be configured to run any application with sensitive data.

We have a guide, Setting Custom Environment Variables via SSH, in our Docs, which can be helpful for your case.

In general, we would like to say that Jelastic is safe for most cases of the environment variables usage.

Virtuozzo
  • Thanks. I read the `Setting Custom ...` document but am still confused as to how to apply such environments to the users running `rake_deploy` and running the application process itself. In addition, it is not about safety from other users on the machine, but about it being a *very bad practice* to stick secrets like keys and passwords in your git repo. – berkes Feb 02 '17 at 16:43
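
An added example, not taken from any answer above and not a Jelastic feature: one way to keep the secrets out of both the git repo and nginx.conf is to have the Rails app itself load a KEY=VALUE file that lives outside the repo, so it does not depend on a login shell (which Passenger does not use). The module name `EnvFile`, its methods and the file path are assumptions for illustration.

```ruby
# Added example. EnvFile, REQUIRED and the file path are illustrative assumptions.
module EnvFile
  class Error < StandardError; end

  # Names the app refuses to boot without (taken from the question's nginx.conf).
  REQUIRED = %w[SECRET_KEY_BASE BLAZER_USERNAME BLAZER_PASSWORD
                AWS_ID AWS_SECRET_KEY BLAZER_DATABASE_URL].freeze
  PAIR = /\A\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*\z/

  # Parse KEY=VALUE text. Blank lines and # comments are skipped; an optional
  # leading "export" and one pair of surrounding quotes are accepted.
  def self.parse(text)
    text.each_line.with_index(1).each_with_object({}) do |(line, number), vars|
      next if line.strip.empty? || line.lstrip.start_with?("#")
      # Error text carries the line number only, never the line's content.
      match = PAIR.match(line.chomp) or raise Error, "line #{number}: expected KEY=VALUE"
      value = match[2]
      value = value[1..-2] if value.match?(/\A(["']).*\1\z/)
      vars[match[1]] = value
    end
  end

  # Load the file into env. Values already present in the process environment
  # win, so an nginx `env` directive can still override the file.
  def self.load!(path, env: ENV, required: REQUIRED)
    mode = File.stat(path).mode & 0o777
    unless (mode & 0o077).zero?
      raise Error, format("%s is mode %04o; it must not be group/world accessible", path, mode)
    end
    parse(File.read(path)).each { |key, value| env[key] ||= value }
    # Report only the names of missing variables, never any values.
    missing = required.select { |key| env[key].to_s.empty? }
    raise Error, "missing environment variables: #{missing.join(', ')}" unless missing.empty?
    env
  end
end

# In a Rails app this would be called near the top of config/application.rb:
#   EnvFile.load!("/path/outside/the/repo/app.env")   # hypothetical path
```

The file must be created on the server with mode 0600 and owned by the user the application runs as; the loader refuses a file that is group or world accessible and stops the boot if a required name is absent.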