Production Secrets Management in OpenTelemetry Demo

This document provides an overview of how the OpenTelemetry Demo project manages secrets in a production environment, focusing on the frauddetectionservice. The relevant code is primarily found in the service's Dockerfile.

Secrets Management Overview

In modern software development, particularly for production environments, managing secrets such as API keys, database credentials, and other sensitive information is crucial for maintaining security. For the OpenTelemetry Demo, secrets are handled through the use of environment variables and secure build practices in the Docker container.

Dockerfile Configuration

The following excerpt from the Dockerfile illustrates how secrets are managed during the build and runtime of the frauddetectionservice.

FROM --platform=${BUILDPLATFORM} gradle:8-jdk17 AS builder

WORKDIR /usr/src/app/

COPY ./src/frauddetectionservice/ ./
COPY ./pb/ ./src/main/proto/
RUN gradle shadowJar

# -----------------------------------------------------------------------------

FROM gcr.io/distroless/java17-debian11

ARG OTEL_JAVA_AGENT_VERSION
WORKDIR /usr/src/app/

COPY --from=builder /usr/src/app/build/libs/frauddetectionservice-1.0-all.jar ./
ADD --chmod=644 https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v$OTEL_JAVA_AGENT_VERSION/opentelemetry-javaagent.jar /app/opentelemetry-javaagent.jar
ENV JAVA_TOOL_OPTIONS=-javaagent:/app/opentelemetry-javaagent.jar

ENTRYPOINT [ "java", "-jar", "frauddetectionservice-1.0-all.jar" ]
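
The Dockerfile above sets only non-sensitive values through ARG and ENV (an agent version and a JVM option). The following Python check is an added example, not code from the OpenTelemetry Demo repository: it flags ARG and ENV names that look like credentials, which Docker's documentation advises against because such values persist in the image. The function names, the SECRET_NAME pattern and the BAD_DOCKERFILE sample are assumptions constructed for illustration.

```python
import re

# Assumption: name fragments that suggest a credential; tune for your project.
SECRET_NAME = re.compile(r"PASSW(OR)?D|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

def logical_lines(text):
    # Yield (first_line_no, instruction), joining backslash continuations.
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def find_secret_vars(dockerfile_text):
    # Return (line_no, stage_index, instruction, name) for suspicious ARG/ENV names.
    findings, stage = [], -1  # stage -1: global ARGs before the first FROM
    for no, instr in logical_lines(dockerfile_text):
        op, rest = (instr.split(None, 1) + [""])[:2]
        op = op.upper()
        if op == "FROM":
            stage += 1
        elif op in ("ARG", "ENV"):
            # KEY=value pairs, else the single name in "ARG KEY" / legacy "ENV KEY value".
            names = re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", rest) or rest.split()[:1]
            findings += [(no, stage, op, n) for n in names if SECRET_NAME.search(n)]
    return findings

# FROM/ARG/ENV lines of the Dockerfile shown above.
PAGE_DOCKERFILE = """\
FROM --platform=${BUILDPLATFORM} gradle:8-jdk17 AS builder
FROM gcr.io/distroless/java17-debian11
ARG OTEL_JAVA_AGENT_VERSION
ENV JAVA_TOOL_OPTIONS=-javaagent:/app/opentelemetry-javaagent.jar
"""
# Constructed counter-example (not from the repository).
BAD_DOCKERFILE = """\
FROM gradle:8-jdk17 AS builder
ARG ARTIFACTORY_TOKEN
ENV DB_USER=fraud \\
    DB_PASSWORD=changeme
"""
if __name__ == "__main__":
    print(find_secret_vars(PAGE_DOCKERFILE), find_secret_vars(BAD_DOCKERFILE))
```

The match is on variable names only, so it is a heuristic: a clean result does not prove that no credential is embedded in a value.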

Step-by-Step Breakdown

  1. Using ARG for Version Control:

    • The ARG instruction is employed to define OTEL_JAVA_AGENT_VERSION, which allows the build process to fetch the appropriate version of the OpenTelemetry Java agent.
    • This is important for maintaining consistent behavior across different deployments by ensuring the correct version is used without hardcoding it into the Dockerfile.
  2. Copying Application Code:

    • The COPY commands bring in the application code and protocol buffer definition files necessary for building the service.
    • This portion does not include secrets directly, but it sets up the environment for the service to be built securely.
  3. Gradle Shadow Jar:

    • The RUN gradle shadowJar command compiles the application and packages it as an executable JAR. Any secrets used in build configurations should be injected via environment variables instead of hardcoding them in the source.
  4. Distroless Image:

    • Transitioning to a distroless image is a security enhancement as it minimizes the attack surface by containing only the application and its runtime dependencies.
    • This approach helps in ensuring that sensitive data is not exposed through additional unnecessary packages.
  5. Setting Environment Variables:

    • The instruction ENV JAVA_TOOL_OPTIONS=-javaagent:/app/opentelemetry-javaagent.jar sets options for the Java runtime. Secrets related to logging or monitoring configurations should similarly