This documentation page outlines the methods used by the gitlab-org/coming-soon project for storing and managing secrets in a production environment. The section focuses on secure practices that keep sensitive information protected.
Secret Management Overview
Secrets play a critical role in the deployment and functioning of applications. This section addresses how gitlab-org/coming-soon handles secrets, including storage techniques, access control, and the use of tools or services to manage them effectively.
Storage of Secrets
Secrets should not be hardcoded or stored directly within the codebase. Instead, they should be stored in environment variables or a dedicated secrets management system. The following methods are employed:
Use of Environment Variables
Environment variables provide a straightforward means of managing secrets in production. This prevents exposure in the source code and allows easy configuration changes without redeploying the application.
Example of setting an environment variable for a secret API key:
export SECRET_API_KEY="your_api_key_here"
Accessing the environment variable in Python:
import os

# Read the key from the environment and fail fast if it is missing
secret_api_key = os.getenv("SECRET_API_KEY")
if secret_api_key is None:
    raise Exception("Secret API key not set!")
Secured Access to Secrets
To control access to secrets, the project makes use of a combination of role-based access and configuration management.
Role-Based Access Control (RBAC)
RBAC ensures that only authorized individuals or services can access particular secrets. This involves mapping users or services to roles that have specific permissions.
Example implementation:
# roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: your-namespace
  name: secret-access
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
Secrets Management Tools
Utilization of specialized secrets management tools enhances security. These tools often provide features like encryption, auditing, and more granular access control.
Example Using HashiCorp Vault
HashiCorp Vault can be used to manage secrets securely. Below is a general approach to using Vault for secrets management:
- Authenticate with Vault:
vault login your-token
- Store a secret in Vault:
vault kv put secret/mysecret value=supersecretvalue
- Retrieve the secret:
import subprocess
# os.system() returns the exit status, not the output; capture stdout instead
result = subprocess.run(["vault", "kv", "get", "-field=value", "secret/mysecret"], capture_output=True, text=True)
val = result.stdout.strip()
if result.returncode != 0 or not val:
    raise Exception("Failed to retrieve secret!")
Continuous Integration and Deployment
For a smooth CI/CD process, secrets need to be securely integrated into the pipeline without exposing them in logs or build environments.
GitLab CI/CD Example
In .gitlab-ci.yml, environment variables can be set to access secrets during the CI/CD pipeline:
variables:
  SECRET_API_KEY: $SECRET_API_KEY

stages:
  - deploy

deploy_job:
  stage: deploy
  script:
    - echo "Deploying with secret API key"
    - deploy_script --api-key $SECRET_API_KEY
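As an added example (not code from the gitlab-org/coming-soon project), the following Python module combines two points made above: load_secret reads a secret from the environment and otherwise falls back to the same vault kv get -field=value lookup shown in the Vault section, and RedactSecrets is a logging filter that masks known secret values so they do not reach pipeline or application logs. The function and class names, the env parameter and the [REDACTED] marker are assumptions.

```python
import logging
import os
import subprocess
from typing import Iterable, Mapping, Optional


def load_secret(name: str, vault_path: Optional[str] = None,
                env: Optional[Mapping[str, str]] = None) -> str:
    """Return secret `name` from the environment, else via the Vault CLI.

    `env` defaults to os.environ; it is a parameter (an assumption of this
    example) so the lookup can be exercised without touching the real environment.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    if vault_path is None:
        raise RuntimeError(f"secret {name} is not set and no Vault path was given")
    try:  # same command as the page's `vault kv get -field=value ...`
        result = subprocess.run(["vault", "kv", "get", "-field=value", vault_path],
                                capture_output=True, text=True)
    except OSError as exc:  # vault binary missing or not executable
        raise RuntimeError(f"cannot run the vault CLI: {exc}") from exc
    value = result.stdout.strip()
    if result.returncode != 0 or not value:
        # stderr is deliberately not included: it may echo the path or token
        raise RuntimeError(f"failed to retrieve {name} from Vault")
    return value


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each non-empty secret value with a marker."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs known secret values from every record."""
    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()  # message is already fully formatted
        return True
```

Attach the filter with logging.getLogger().addFilter(RedactSecrets([secret_api_key])) before any handler is configured, so every record is scrubbed regardless of which handler emits it.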
Conclusion
The management of production secrets in the gitlab-org/coming-soon project involves careful planning and implementation of secure practices. By using environment variables, role-based access, and dedicated secrets management tools, the project aims to protect sensitive information effectively throughout its lifecycle.
Refer to the project for further technical guidance and specific implementations as needed.