/var/log/balo

Permission denied to call method PandorasBox.open

How not to commit passwords to OpenShift's repository

23 Dec 2013

In the last couple of days I played with OpenShift, a PaaS made by Red Hat. I moved one of my Ruby applications there from a VPS. As you may know, OpenShift works from git repositories, so a push means build and deploy.

That means (almost[1]) everything has to be pushed to the repository. We know that committing passwords and secret keys is a bad idea. But don’t worry, use OpenShift’s environment variables! :)

The nice thing is, you can easily insert these variables into yml files, so your database config can look like this:

production:
  adapter: mysql2
  database: <%= ENV['OPENSHIFT_APP_NAME'] %>
  host: <%= ENV['OPENSHIFT_MYSQL_DB_HOST'] %>
  port: <%= ENV['OPENSHIFT_MYSQL_DB_PORT'] %>
  username: <%= ENV['OPENSHIFT_MYSQL_DB_USERNAME'] %>
  password: <%= ENV['OPENSHIFT_MYSQL_DB_PASSWORD'] %>
  socket: <%= ENV['OPENSHIFT_MYSQL_DB_SOCKET'] %>
  encoding: utf8
  pool: 5
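
An added example, not code from the original post: ERB renders an unset ENV value as an empty string, so a missing variable gives you a config with a blank password instead of an error. The sketch below lists the variables a template references and refuses to load it until all of them are set; the helper names and the trimmed sample template are assumptions made for illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample: a trimmed copy of the database.yml shown above.
SAMPLE_TEMPLATE = <<~'YML'
  production:
    adapter: mysql2
    database: <%= ENV['OPENSHIFT_APP_NAME'] %>
    host: <%= ENV['OPENSHIFT_MYSQL_DB_HOST'] %>
    username: <%= ENV['OPENSHIFT_MYSQL_DB_USERNAME'] %>
    password: <%= ENV['OPENSHIFT_MYSQL_DB_PASSWORD'] %>
YML

# Every variable name referenced as ENV['X'], ENV["X"] or ENV.fetch('X').
def referenced_env_vars(template)
  template.scan(/ENV(?:\.fetch\(|\[)\s*['"]([A-Z0-9_]+)['"]/).flatten.uniq
end

# Referenced variables that are unset or blank in the given environment.
# `env` can be the real ENV or a plain Hash (useful for checks in CI).
def missing_env_vars(template, env = ENV)
  referenced_env_vars(template).select { |name| env[name].to_s.strip.empty? }
end

# Render the template against the real ENV, but fail fast with the list of
# missing names (never the values) instead of producing blank credentials.
def load_config(template)
  missing = missing_env_vars(template)
  unless missing.empty?
    raise KeyError, "unset environment variables: #{missing.join(', ')}"
  end
  YAML.safe_load(ERB.new(template).result)
end

if __FILE__ == $PROGRAM_NAME
  # Reports names only, so the output is safe to keep in build logs.
  puts "missing: #{missing_env_vars(SAMPLE_TEMPLATE).inspect}"
end
```
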

What about custom secrets and keys?

Well, you can set custom environment variables with rhc. I made a simple text file with my variables:

DROPBOX_APP_KEY=...
DROPBOX_APP_SECRET=...

Then add them with the set-env command:

$ rhc set-env my/dir/openshift-env-vars -a myappname

Of course you shouldn’t commit this file to any repository.

You can test it with rhc:

$ rhc ssh -a myappname
$ env | grep DROPBOX

If you were connected via ssh while adding the variables, you should reconnect or check them from irb.

Tip: now you can use one repository with multiple remotes.
  1. You have a data folder in the app-root directory; you can store some resources there.

Tags: best practice, environment variables, openshift, paas, password, red hat, ruby, secret key, security, and yml