Post

Securing Your CI/CD Pipeline Managing Secrets with Git, Docker, Kubernetes, and Popular Key Vaults

Securing Your CI/CD Pipeline Managing Secrets with Git, Docker, Kubernetes, and Popular Key Vaults

In today’s rapidly evolving software development landscape, ensuring the security of your CI/CD pipeline is paramount. Managing sensitive data like API tokens and passwords is crucial for safeguarding your applications. In this guide, we’ll explore three approaches to secure your CI/CD pipeline: one using Git and Docker, another utilizing Kubernetes Secrets, and a third approach integrating popular key vaults for advanced secret management.

Why Secrets Are Crucial

Sensitive data, such as API tokens or database credentials, is an integral part of many applications. However, hardcoding these secrets into your source code or configuration files can pose significant security risks. It’s essential to find secure ways to manage and deploy these secrets.

Securing Secrets Without Kubernetes

If you’re not using Kubernetes, you can still follow secure practices to manage your secrets within your CI/CD pipeline using Git, Docker, and popular key vaults.

Step 1: Git Repository Secrets

In your Git repository, create a .env file to store your secrets. For example:

1
2
3
API_TOKEN=my-api-token
DATABASE_PASSWORD=my-database-password

Add this .env file to your .gitignore to ensure it’s not accidentally committed to your version control system.

Step 2: GitLab CI/CD Configuration

Assuming you’re using GitLab CI/CD, configure your .gitlab-ci.yml to utilize these secrets during the build and deployment process:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
stages:
  - build
  - deploy

variables:
  DOCKER_IMAGE: registry.example.com/my-app:${CI_COMMIT_SHORT_SHA}

build:
  stage: build
  script:
    - docker build -t $DOCKER_IMAGE .
    - echo "API_TOKEN=$API_TOKEN" >> .env
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker push $DOCKER_IMAGE
  only:
    - master

deploy:
  stage: deploy
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker pull $DOCKER_IMAGE
    - docker run --env-file .env -d -p 8080:80 $DOCKER_IMAGE
  only:
    - master

Here’s what’s happening:

In the build stage, we create a Docker image and push it to the GitLab Container Registry, securely logging in with CI/CD variables. We echo the environment variables (including secrets) into the .env file for use during deployment.

In the deploy stage, we pull the Docker image and run the container, providing the environment variables from the .env file.

Kubernetes Approach with Secrets

If you are using Kubernetes, you can leverage Kubernetes Secrets for a more container-native approach to secret management. Here’s how to do it:

Step 1: Create Kubernetes Secrets

Create Kubernetes Secrets for your sensitive data. For example:

1
2
3
4
5
6
7
8
9
10
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secrets
type: Opaque
data:
  api-token: <base64-encoded-api-token>
  database-password: <base64-encoded-database-password>

Make sure to encode your secrets in base64 for secure storage.

Step 2: Configure Kubernetes Deployment

In your Kubernetes Deployment manifest, reference the Secrets you created earlier:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        env:
          - name: API_TOKEN
            valueFrom:
              secretKeyRef:
                name: my-app-secrets
                key: api-token
          - name: DATABASE_PASSWORD
            valueFrom:
              secretKeyRef:
                name: my-app-secrets
                key: database-password

This configuration ensures that your secrets are securely injected as environment variables into your application container.

For advanced secret management, consider integrating popular key vaults like HashiCorp Vault or AWS Secrets Manager into your CI/CD pipeline. These key vaults provide centralized, secure storage and management of secrets.

Here’s a high-level overview of the process:

  • Set Up Key Vault: Configure and set up your chosen key vault, creating dedicated secret stores for your application.

  • Retrieve Secrets: In your CI/CD pipeline, use the appropriate tooling or SDK to retrieve secrets from the key vault.

  • Use Secrets: Inject these secrets as environment variables into your Docker containers or Kubernetes Pods during deployment, similar to the previous approaches.

  • By integrating popular key vaults, you gain advanced features like rotation, access control, and audit logging for your secrets.

Benefits of These Approaches

All three approaches offer secure methods to manage secrets within your CI/CD pipeline:

  • The Git and Docker approach keeps secrets out of your version control system and injects them during deployment.
  • The Kubernetes approach uses native Kubernetes Secrets for containerized secret management.
  • Integrating popular key vaults adds advanced security and management features to your secret handling.

By implementing these practices, you can ensure that your CI/CD pipeline remains secure while effectively managing sensitive data, regardless of your chosen infrastructure or secret management approach.

This post is licensed under CC BY 4.0 by the author.