This document provides an in-depth exploration of how the Timoni project manages and stores secrets in a production environment. The focus will include the CUE configuration language, runtime attributes, and sample code snippets to illustrate the capabilities provided by Timoni.

Introduction to Secrets Management

In Timoni, secrets can be supplied to an application at deployment time through several strategies. For instance, an application that connects to an S3-compatible API usually needs two secrets, ACCESS_KEY and SECRET_KEY. Timoni supports multiple methods for injecting these values so that they are never written into the bundle file itself.

Injecting Secrets via Kubernetes Secrets

One effective method of managing secrets in production is to leverage Kubernetes Secrets. Below is a demonstration of how to configure a Timoni Bundle to fetch secrets directly from Kubernetes:

CUE Configuration Example

Here’s a basic structure that defines secrets in a Timoni Bundle using CUE:

runtime: {
    apiVersion: "v1alpha1"
    name:       "production"
    values: [
        {
            query: "k8s:v1:Secret:my-namespace:my-secret-name"
            for: {
                "ACCESS_KEY": "obj.data.r2_access_key"
                "SECRET_KEY": "obj.data.r2_secret_key"
            }
        },
    ]
}

The above configuration snippet tells Timoni to read the Secret named my-secret-name in the namespace my-namespace and to expose its data keys r2_access_key and r2_secret_key as the runtime values ACCESS_KEY and SECRET_KEY.

Applying Secrets at Runtime

To apply the bundle with the secrets defined in the runtime configuration, use the following command:

timoni bundle apply -f bundle.cue --runtime runtime.cue

This command leverages the runtime definition to extract secrets from the Kubernetes cluster at apply-time.

Using Runtime Attributes for Secrets Injection

Timoni also supports injecting secrets as runtime attributes directly in the bundle’s definition. Below is an illustrative example:

Example of a Bundle with Runtime Attributes

bundle: {
    apiVersion: "v1alpha1"
    name:       "my-app"
    instances: {
        "my-app-storage": {
            module: url: "oci://my-registry/timoni/modules/my-app-storage"
            namespace: "my-app"
            values: {
                endpoint:  "https://my-acc.r2.cloudflarestorage.com"
                accessKey: string @timoni(runtime:string:ACCESS_KEY)
                secretKey: string @timoni(runtime:string:SECRET_KEY)
            }
        }
    }
}

In this example, accessKey and secretKey are declared as strings with no literal value; the @timoni(runtime:string:...) attributes tell Timoni to fill them at apply-time from the runtime values ACCESS_KEY and SECRET_KEY, so the bundle file can be committed to version control without containing the secrets.
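The following pre-flight check is an added example in Python and is not part of Timoni or its documentation. It validates the runtime.cue and bundle.cue pairing shown above against a Secret as `kubectl get secret -o json` returns it: the query is split as k8s:<apiVersion>:<kind>:<namespace>:<name> (an assumption read off the page's example), every obj.data.* path must resolve to a non-empty base64-encoded data key, and every @timoni(runtime:string:X) attribute in the bundle must have a runtime value X. The sample Secret, its values and the helper names are constructed.

```python
import base64
import re

# Constructed sample inputs (not Timoni's own code): the runtime.cue query and "for"
# map, the attributed fields from bundle.cue, and a Secret as kubectl -o json returns it.
RUNTIME_QUERY = "k8s:v1:Secret:my-namespace:my-secret-name"
RUNTIME_FOR = {"ACCESS_KEY": "obj.data.r2_access_key", "SECRET_KEY": "obj.data.r2_secret_key"}
BUNDLE_CUE = """
accessKey: string @timoni(runtime:string:ACCESS_KEY)
secretKey: string @timoni(runtime:string:SECRET_KEY)
"""
SECRET_OBJ = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "my-secret-name", "namespace": "my-namespace"},
    "data": {  # Kubernetes stores Secret data base64-encoded
        "r2_access_key": base64.b64encode(b"AKIAEXAMPLE").decode(),
        "r2_secret_key": base64.b64encode(b"s3cr3t-example").decode(),
    },
}
ATTR_RE = re.compile(r"@timoni\(runtime:string:([A-Za-z_][A-Za-z0-9_]*)\)")

def parse_query(query):
    """Split a 'k8s:<apiVersion>:<kind>:<namespace>:<name>' runtime query (assumed layout)."""
    parts = query.split(":")
    if len(parts) != 5 or parts[0] != "k8s":
        raise ValueError(f"unsupported runtime query: {query!r}")
    return dict(zip(("apiVersion", "kind", "namespace", "name"), parts[1:]))

def preflight(query, for_map, bundle_cue, secret_obj):
    """Return problems that would make the apply fail or inject empty values; [] is clean."""
    problems, ref = [], parse_query(query)
    meta = secret_obj.get("metadata", {})
    if (secret_obj.get("kind"), meta.get("namespace"), meta.get("name")) != (
        ref["kind"], ref["namespace"], ref["name"]):
        problems.append("fetched object does not match the runtime query")
    data = secret_obj.get("data", {})
    for key, path in for_map.items():
        field = path.removeprefix("obj.data.")
        if field == path:
            problems.append(f"{key}: unsupported path {path!r}")
        elif field not in data:
            problems.append(f"{key}: Secret has no data key {field!r}")
        elif base64.b64decode(data[field]) == b"":
            problems.append(f"{key}: data key {field!r} is empty")
    # Every @timoni(runtime:string:X) in the bundle needs a runtime value X.
    for key in sorted(set(ATTR_RE.findall(bundle_cue)) - set(for_map)):
        problems.append(f"{key}: used by the bundle but not defined in runtime.cue")
    return problems
```

Running the check in CI before `timoni bundle apply` turns a missing or empty Secret key into an explicit failure instead of an instance deployed with blank credentials.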

Secrets Management through CI/CD

When using a Continuous Integration (CI) tool, secrets can be sourced from the CI runner’s secret store and made available to Timoni at apply-time. Here’s how it can be implemented:

CI Runner Secrets Mapping Example

export ACCESS_KEY=${{ secrets.ACCESS_KEY }}
export SECRET_KEY=${{ secrets.SECRET_KEY }}

This method makes the environment variables configured in the CI runner available to the Timoni Bundle at apply-time. The ${{ secrets.* }} expressions shown are GitHub Actions syntax; other CI systems expose their secret stores to the job environment in their own way.

Summary

The secrets management capabilities in Timoni through Kubernetes Secrets and runtime attributes provide robust solutions for deploying applications in a production environment. The use of well-defined CUE configurations enhances the expressiveness and maintainability of the deployment process.

For further reading on how Timoni facilitates application deployments and lifecycle management, please refer to the primary project repository.


This documentation is based on the internal structure and functionality of the Timoni project and serves as a comprehensive guide for expert developers seeking to implement secure secrets management in their applications.