Using a Database with your Kontainers Application

Overview

If your application requires the use of a database, EYK can securely manage the credentials. This article walks through how to accomplish this using Rails 5.2+ and a MySQL database. Procedures for other databases will be similar.

You will use Rails mechanisms to manage credentials. EYK securely facilitates the build and packaging that includes the master key for use with those credentials.


Environment

This guide assumes you have the following:

  • An EYK cluster 
  • An application based on Ruby-on-Rails 5.2+
  • A MySQL database

Solution

    1. Prepare your Rails app for encrypted credentials and database connectivity. If you created a new Rails 5.2 app, most of these steps will already be done for you. If you have upgraded Rails, be sure to go through this checklist.
        • Open a command line and navigate to the root directory of your application project
          cd <project-root-dir>
        • Rails 5.2 uses a master key to decrypt all credentials. It is provided to the framework either in a config/master.key file, or via ENV["RAILS_MASTER_KEY"]. You do not want to check in the master.key file, so make sure your .gitignore file includes this entry. Even if this file does not exist right now, it will be created in step #2.
        • # Ignore encrypted secrets key file.
          config/master.key
        • Add the mysql2 gem to your Gemfile. This is the database driver used by Ruby. For example:
          gem 'mysql2'
        • If you added this entry to your Gemfile, then run the following command:
          bundle install
    2. Configure your database connection information as encrypted credentials. Set the database username, password, and host using the following Rails command. 
      EDITOR=vi bin/rails credentials:edit
      The content will look something like the example shown below, where avalue will be your environment's values. You can include the database name as well if you want to keep it secure.
      # aws:
      #   access_key_id: 123
      #   secret_access_key: 345

      db_yml_username: avalue
      db_yml_password: avalue
      db_yml_host: avalue

      # Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
      secret_key_base: avalue
      Use the editor's save command to make the changes. For vi, enter :wq
      You should see the following output and the config/credentials.yml.enc file should be updated. Your credentials are stored in this file, encrypted using the master key.
      New credentials encrypted and saved.
    3. Configure the database connection in the Rails database.yml file. The config/database.yml file contains connection information for all environments (development, test, production). For a MySQL database, the example below shows how to configure for a database named 'quizdatabase'. You can either provide hardcoded values like this (not recommended for credentials), or you can refer to the encrypted credentials we setup in the previous step (recommended). Note that usage of Rails.application.credentials to reference those values. Rails uses the master key to decrypt when the server starts up.
      development:
        adapter: mysql2
        encoding: utf8
        pool: 5
        username: <%= Rails.application.credentials.db_yml_username %>
        password: <%= Rails.application.credentials.db_yml_password %>
        host: <%= Rails.application.credentials.db_yml_host %>
        database: quizdatabase
      See the Rails Configuration Guide for more details on this and how to configure other databases. 

    4. Set the application configuration variables to use the RAILS_MASTER_KEY in the build and deployment of your application. During local development, Rails can use the config/master.key file to decrypt credentials. However, when you git push your code to EYK, the build and deployment environments also need the key. Because you don't want to commit the key file to your repository, application config variables are used for this. We also need to instruct EYK to pass the environment variables along to the build server. The DEIS_DOCKER_BUILD_ARGS_ENABLED environment variable is used to do this. Use the following commands to set the app config values. Alternatively, you can use the web console by navigating to your application's config tab.
      eyk config:set RAILS_MASTER_KEY=avalue
      eyk config:set DEIS_DOCKER_BUILD_ARGS_ENABLED=1
      Also, set these variables in your local environment where you will run the git push. These commands are operating system shell commands and the form will vary based on your platform.
      export DEIS_DOCKER_BUILD_ARGS_ENABLED=1
      export RAILS_MASTER_KEY=avalue
    5. Declare the RAILS_MASTER_KEY argument in your Dockerfile. Make sure the following line is in your Dockerfile before any Rails commands are run.
      ARG RAILS_MASTER_KEY
    6. Push your code to EYK and test. Make sure all your changes are committed to your local repository and then run the command:
      git push eyk <branch-name>
  1.  

Back to top


Related Articles

 

Comments

Article is closed for comments.