@Aitem
Created June 27, 2022 16:48
Infrabox secrets management

Secret Store

How Infrabox works with secrets

Infrastructure code lives in a separate repo

  • Grant access to the infra repo only to CI and the Administrator/DevOps team
  • Provide general secrets (cluster access, repo access, etc.) only to CI and the Administrator/DevOps team
  • Provide GPG keys only to CI and the Administrator/DevOps team
  • In CI pipeline
    • Pull source repo
    • Test and build app
    • Pull infra repo
    • Deploy app

Infrabox and secrets

GnuPG

brew install gpg

Provide the key to infrabox via an environment variable or a CLI parameter

export INFRABOX_ENCRYPTION_KEY=<path_to_key_file>

Add a secret to the GPG store

infrabox secret add <component>/<secret_name> <value>
infrabox secret --encryption-key add <component>/<secret_name> <value>

infrabox secret add prod-db/user     pguser
infrabox secret add prod-db/password secret-password

infrabox secret add prod-aidbox/license-id   id
infrabox secret add prod-aidbox/license-key  key

Content of the decrypted secretstore.gpg file

{:meta {:some "meta"}
 :keys {:prod-db     {:password  "password" :user "user"}
        :prod-aidbox {:license-key "key" :license-id "id"}}}

Use secrets

  • Use the :gpg/ref syntax to reference a value from the local secretstore.gpg file
  • Potential Vault/GoogleSecretManager support later
prod-db
{:zen/tags    #{skipper/component}
 :engine      infrabox/postgres
 :version     "14.2"
 :storage     {:size 50}
 :connection  {:user      {:gpg/ref "user"}
               :password  {:gpg/ref "password"}}}
prod-aidbox
{:zen/tags     #{skipper/component}
 :engine       infrabox/aidbox
 :db           prod-db
 :xenvironment {:AIDBOX_DD_API_KEY {:gpg/ref "datadog-key"}}
 :client       {:id  "admin" :secret "secret"}
 :license      {:id  {:gpg/ref "license-id"}
                :key {:gpg/ref "license-key"}}}

Apply

Decrypt GPG secrets

  • Decrypt the secretstore.gpg file in memory
{:prod-db     {:password  "password" :user "user"}
 :prod-aidbox {:license-key "key" :license-id "id"}}
  • For each component, list its secrets and create a Kubernetes Secret resource in the component namespace
---
apiVersion: v1
kind: Secret
metadata:
  name: gpg-secret         # Static name
  namespace: prod-db       # Component NS
data:
  user:     cG9zdGdyZXM=
  password: cG9zdGdyZXM=
---
apiVersion: v1
kind: Secret
metadata:
  name: gpg-secret         # Static name
  namespace: prod-aidbox   # Component NS
data:
  license-id:  cG9zdGdyZXM=
  license-key: cG9zdGdyZXM=
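As an added example covering the "Use secrets" and "Apply" steps above (this is not code from the gist or from Infrabox itself), the following takes the decrypted secretstore.gpg content and the component configs as Python dicts, constructed stand-ins for the EDN maps with "gpg/ref" standing for :gpg/ref, verifies that every :gpg/ref in a component resolves to a key in that component's store entry, and then renders one gpg-secret Secret per component namespace with base64-encoded data. The ref check reports datadog-key, which prod-aidbox references but the store shown above does not contain, before anything is encoded. The manifests are printed as JSON because JSON is valid YAML and kubectl apply -f accepts it.

```python
import base64
import json

# Constructed stand-in for the decrypted secretstore.gpg content,
# using the values from the "infrabox secret add" commands above.
SECRET_STORE = {
    "prod-db": {"user": "pguser", "password": "secret-password"},
    "prod-aidbox": {"license-id": "id", "license-key": "key"},
}

# Constructed stand-in for the zen component configs above;
# {"gpg/ref": "..."} mirrors {:gpg/ref "..."}.
COMPONENTS = {
    "prod-db": {
        "engine": "infrabox/postgres",
        "connection": {"user": {"gpg/ref": "user"},
                       "password": {"gpg/ref": "password"}},
    },
    "prod-aidbox": {
        "engine": "infrabox/aidbox",
        "db": "prod-db",
        "xenvironment": {"AIDBOX_DD_API_KEY": {"gpg/ref": "datadog-key"}},
        "client": {"id": "admin", "secret": "secret"},
        "license": {"id": {"gpg/ref": "license-id"},
                    "key": {"gpg/ref": "license-key"}},
    },
}

SECRET_NAME = "gpg-secret"  # static name shared by every component's Secret


def collect_refs(node):
    """Walk a component config and yield every gpg/ref name it uses."""
    if isinstance(node, dict):
        if set(node) == {"gpg/ref"}:
            yield node["gpg/ref"]
            return
        for value in node.values():
            yield from collect_refs(value)
    elif isinstance(node, (list, tuple, set)):
        for value in node:
            yield from collect_refs(value)


def check_refs(components, store):
    """Return {component: [missing ref names]} for refs the store lacks.

    Run before encoding so a misspelled or never-added ref fails the apply
    instead of producing a Secret without that key and a pod that cannot start.
    """
    missing = {}
    for name, cfg in components.items():
        have = store.get(name, {})
        absent = sorted({ref for ref in collect_refs(cfg) if ref not in have})
        if absent:
            missing[name] = absent
    return missing


def b64(value):
    """Kubernetes Secret .data values are base64 of the raw bytes."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def secret_manifest(component, values):
    """One v1 Secret per component; namespace == component name, as in the gist."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": SECRET_NAME, "namespace": component},
        "type": "Opaque",
        "data": {key: b64(val) for key, val in sorted(values.items())},
    }


def render_secrets(store):
    return [secret_manifest(c, vals) for c, vals in sorted(store.items())]


def decode_data(manifest):
    """Inverse of secret_manifest's encoding, for round-trip checks."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in manifest["data"].items()}


if __name__ == "__main__":
    problems = check_refs(COMPONENTS, SECRET_STORE)
    if problems:
        print("unresolved gpg/ref:", problems)
    for manifest in render_secrets(SECRET_STORE):
        print(json.dumps(manifest, indent=2))
```

The decrypted values only ever live in process memory here; nothing is written to disk, which matches the "decrypt in memory" step above. A real pipeline would also want to fail (not just print) when check_refs returns anything.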

Referencing secrets in deployments

Plain-text secrets and configs are mounted via the built-in methods

prod-aidbox
{...
 :client     {:id  "admin" :secret "secret"}
 ...}
---
apiVersion: v1
kind: Secret
metadata:
  name: aidbox
  namespace: prod-aidbox       # Component NS
data:
  AIDBOX_CLIENT_ID:     cG9zdGdyZXM=
  AIDBOX_CLIENT_SECRET: cG9zdGdyZXM=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aidbox
  namespace: prod-aidbox
  labels:
    service: aidbox
spec:
  selector:
    matchLabels:
      service: aidbox
  template:
    metadata:
      labels:
        service: aidbox
    spec:
      containers:
        - name: main
          image: healthsamurai/aidboxone:edge
          envFrom:
            - configMapRef:
                name: aidbox
            - secretRef:
                name: aidbox

GPG keys

Mount env vars as references to the GPG-generated Secret

prod-db
{...
 :connection  {:user      {:gpg/ref "user"}
               :password  {:gpg/ref "password"}}
 ...}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
  namespace: prod-db
spec:
  serviceName: db
  selector:
    matchLabels:
      service: db
  template:
    metadata:
      labels:
        service: db
    spec:
      containers:
      - name: main
        image: healthsamurai/aidboxdb:14.2
        env:
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: gpg-secret
              key:  password
        - name: PGUSER
          valueFrom:
            secretKeyRef:
              name: gpg-secret
              key:  user
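As an added example for this section (again not code from the gist or from Infrabox), the following renders a component's :connection map into container env entries: each {:gpg/ref "..."} becomes a secretKeyRef into the per-namespace gpg-secret, so the decrypted value never appears in the workload manifest, while a plain string is inlined. The CONNECTION dict, the PGDATABASE entry and the env-name mapping are constructed for the example; PGUSER and PGPASSWORD are the names used above. A small inline_sensitive check flags any secret-looking env var that ended up with a literal value, which is the case to catch before a manifest is committed or applied.

```python
import json

SECRET_NAME = "gpg-secret"  # static name of the Secret generated from secretstore.gpg

# Constructed stand-in for prod-db's :connection map, plus one plain value
# (database) added here to show the contrast with a gpg/ref.
CONNECTION = {
    "user": {"gpg/ref": "user"},
    "password": {"gpg/ref": "password"},
    "database": "aidbox",
}

# Env var fed by each connection key (PGDATABASE is an assumption for the example).
ENV_NAMES = {"user": "PGUSER", "password": "PGPASSWORD", "database": "PGDATABASE"}


def env_entry(var_name, value):
    """Render one container env entry from a config value."""
    if isinstance(value, dict) and set(value) == {"gpg/ref"}:
        return {
            "name": var_name,
            "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": value["gpg/ref"]}},
        }
    if isinstance(value, str):
        return {"name": var_name, "value": value}
    raise TypeError(f"unsupported value for {var_name}: {value!r}")


def connection_env(connection):
    return [env_entry(ENV_NAMES[key], value) for key, value in connection.items()]


def inline_sensitive(env):
    """Names of env entries carrying a literal value under a secret-looking name.

    Anything returned here would sit in plain text in the rendered manifest
    (and in git, if manifests are committed) instead of in the Secret.
    """
    markers = ("PASSWORD", "SECRET", "KEY", "TOKEN")
    return [e["name"] for e in env
            if "value" in e and any(m in e["name"] for m in markers)]


def statefulset_manifest(namespace, image, env):
    """Minimal valid apps/v1 StatefulSet wiring the env list into the main container."""
    labels = {"service": "db"}
    return {
        "apiVersion": "apps/v1",
        "kind": "StatefulSet",
        "metadata": {"name": "db", "namespace": namespace},
        "spec": {
            "serviceName": "db",
            "selector": {"matchLabels": labels},
            "template": {
                "metadata": {"labels": labels},
                "spec": {"containers": [{"name": "main", "image": image, "env": env}]},
            },
        },
    }


if __name__ == "__main__":
    env = connection_env(CONNECTION)
    leaked = inline_sensitive(env)
    if leaked:
        raise SystemExit(f"literal secret values in env: {leaked}")
    print(json.dumps(statefulset_manifest("prod-db", "healthsamurai/aidboxdb:14.2", env), indent=2))
```

The Secret referenced by name (gpg-secret) must exist in the same namespace as the StatefulSet, which is why the Apply step above creates it per component namespace before the workload is rolled out.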