Infrabox: working with secrets
- Grant access to the infra repo only to CI and the Administrators/DevOps team
- Provide general secrets (cluster access, repo access, etc.) only to CI and the Administrators/DevOps team
- Provide gpg keys only to CI and the Administrators/DevOps team
- In the CI pipeline:
  - Pull the source repo
  - Test and build the app
  - Pull the infra repo
  - Deploy the app
# gpg is needed because the secret store is a gpg-encrypted file (secretstore.gpg, below).
brew install gpg
# Path to the key file used to encrypt/decrypt the secret store.
export INFRABOX_ENCRYPTION_KEY=<path_to_key_file>
# Add one secret. The name is namespaced by component: <component>/<secret_name>;
# the component part selects the entry in the store (and later the k8s namespace).
infrabox secret add <component>/<secret_name> <value>
# Variant with the encryption key given explicitly instead of via the environment
# variable — presumably; the flag's argument form is not shown here, verify.
infrabox secret --encryption-key add <component>/<secret_name> <value>
# Example values for the prod-db and prod-aidbox components used below.
# NOTE(review): a value passed as a command-line argument is recorded in shell
# history and visible in the process list while the command runs; clear the
# history entry (or use a throwaway shell) when entering real secrets.
infrabox secret add prod-db/user pguser
infrabox secret add prod-db/password secret-password
infrabox secret add prod-aidbox/license-id id
infrabox secret add prod-aidbox/license-key key
;; Layout of the secret store contents (the values shown are placeholders).
;; :meta - metadata map.
;; :keys - one map per component, keyed by the component name from the
;;         `<component>/<secret_name>` argument; the secret name is the inner key.
{:meta {:some "meta"}
 :keys {:prod-db {:password "password" :user "user"}
        :prod-aidbox {:license-key "key" :license-id "id"}}}
- Use the `gpg/ref` syntax to reference values from the local `secretstore.gpg` file
- Potential Vault/GoogleSecretManager support
;; Database component. `:gpg/ref` values are resolved at deploy time from the
;; secret store — presumably relative to this component's own entry
;; (prod-db/user, prod-db/password above) — so no secret value is committed here.
prod-db
{:zen/tags #{skipper/component}
 :engine infrabox/postgres
 :version "14.2"            ; matches the aidboxdb:14.2 image in the StatefulSet below
 :storage {:size 50}        ; unit not stated on this page — confirm (GiB?)
 :connection {:user {:gpg/ref "user"}
              :password {:gpg/ref "password"}}}
;; Aidbox application component; depends on the prod-db component above.
prod-aidbox
{:zen/tags #{skipper/component}
 :engine infrabox/aidbox
 :db prod-db
 ;; NOTE(review): "datadog-key" is not in the prod-aidbox entry of the secret
 ;; store shown on this page (only license-id/license-key), and the generated
 ;; gpg-secret below has no such key; an unresolved gpg/ref should fail the
 ;; deploy rather than render an empty value.
 :xenvironment {:AIDBOX_DD_API_KEY {:gpg/ref "datadog-key"}}
 ;; NOTE(review): the client secret is a plain literal, so it sits unencrypted
 ;; in the infra repo even though it ends up in the `aidbox` Secret below;
 ;; a {:gpg/ref ...} would keep it in the encrypted store like the others.
 :client {:id "admin" :secret "secret"}
 :license {:id {:gpg/ref "license-id"}
           :key {:gpg/ref "license-key"}}}
- Decrypt the `secretstore.gpg` file in memory
;; Result of decrypting secretstore.gpg in memory: the :keys map of the store,
;; one entry per component. Each entry is rendered into a k8s Secret in that
;; component's namespace (see the manifests below).
{:prod-db {:password "password" :user "user"}
 :prod-aidbox {:license-key "key" :license-id "id"}}
- List all secrets and create the `Secret` k8s resource
# One Secret per component, generated from the decrypted store. `data` values
# are base64-encoded, not encrypted: anyone allowed to read Secrets in the
# namespace recovers the plaintext, so namespace RBAC is the access boundary.
# (The sample value cG9zdGdyZXM= is just base64 of "postgres".)
---
apiVersion: v1
kind: Secret
metadata:
  name: gpg-secret # Static name
  namespace: prod-db # Component NS
data:
  user: cG9zdGdyZXM=
  password: cG9zdGdyZXM=
---
apiVersion: v1
kind: Secret
metadata:
  name: gpg-secret # Static name
  namespace: prod-aidbox # Component NS
data:
  license-id: cG9zdGdyZXM=
  license-key: cG9zdGdyZXM=
;; Excerpt of prod-aidbox: the :client map is rendered into the `aidbox` Secret
;; below (AIDBOX_CLIENT_ID / AIDBOX_CLIENT_SECRET). Both values are plain
;; literals in this file rather than gpg/ref entries.
prod-aidbox
{...
 :client {:id "admin" :secret "secret"}
 ...}
# Secret generated from the :client map; the Deployment injects it with
# envFrom, so both keys become environment variables of the container.
---
apiVersion: v1
kind: Secret
metadata:
  name: aidbox
  namespace: prod-aidbox # Component NS
data:
  AIDBOX_CLIENT_ID: cG9zdGdyZXM=
  AIDBOX_CLIENT_SECRET: cG9zdGdyZXM=
---
# Abbreviated sketch: a real Deployment uses apiVersion apps/v1 and nests
# containers under spec.template.spec (with selector/template); only the
# env wiring is shown here.
apiVersion: v1
kind: Deployment
metadata:
  name: aidbox
  namespace: prod-aidbox
  labels:
    service: aidbox
spec:
  containers:
    - name: main
      # NOTE(review): `edge` is a mutable tag; for prod pin a release tag or
      # an image digest so deploys are reproducible and reviewable.
      image: healthsamurai/aidboxone:edge
      envFrom:
        - configMapRef:
            name: aidbox # non-secret config
        - secretRef:
            name: aidbox # the Secret above
Mount env vars as references to the gpg-generated secret
;; Excerpt of prod-db: each gpg/ref in :connection is wired to one key of the
;; generated gpg-secret Secret via secretKeyRef in the StatefulSet below.
prod-db
{...
 :connection {:user {:gpg/ref "user"}
              :password {:gpg/ref "password"}}
 ...}
# Abbreviated sketch: a real StatefulSet uses apiVersion apps/v1 and nests
# containers under spec.template.spec (serviceName/selector omitted here).
# Each gpg/ref from the component's :connection map maps to a key of the
# gpg-secret Secret generated in the prod-db namespace.
---
apiVersion: v1
kind: StatefulSet
metadata:
  name: db
  namespace: prod-db
spec:
  containers:
    - name: main
      image: healthsamurai/aidboxdb:14.2 # same version as the component's :version "14.2"
      env:
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: gpg-secret # generated Secret in this namespace
              key: password    # from {:gpg/ref "password"}
        - name: PGUSER
          valueFrom:
            secretKeyRef:
              name: gpg-secret
              key: user        # from {:gpg/ref "user"}