Securing Your CI/CD Pipeline Managing Secrets with Git, Docker, Kubernetes, and Popular Key Vaults
In today’s rapidly evolving software development landscape, ensuring the security of your CI/CD pipeline is paramount. Managing sensitive data like API tokens and passwords is crucial for safeguarding your applications. In this guide, we’ll explore three approaches to secure your CI/CD pipeline: one using Git and Docker, another utilizing Kubernetes Secrets, and a third approach integrating popular key vaults for advanced secret management.
Why Secrets Are Crucial
Sensitive data, such as API tokens or database credentials, is an integral part of many applications. However, hardcoding these secrets into your source code or configuration files can pose significant security risks. It’s essential to find secure ways to manage and deploy these secrets.
Securing Secrets Without Kubernetes
If you’re not using Kubernetes, you can still follow secure practices to manage your secrets within your CI/CD pipeline using Git, Docker, and popular key vaults.
Step 1: Git Repository Secrets
In your Git repository, create a .env file to store your secrets. For example:
API_TOKEN=my-api-token
DATABASE_PASSWORD=my-database-password
Add this .env file to your .gitignore to ensure it’s not accidentally committed to your version control system.
Step 2: GitLab CI/CD Configuration
Assuming you’re using GitLab CI/CD, configure your .gitlab-ci.yml to utilize these secrets during the build and deployment process:
stages:
- build
- deploy
variables:
DOCKER_IMAGE: registry.example.com/my-app:${CI_COMMIT_SHORT_SHA}
build:
stage: build
script:
- docker build -t $DOCKER_IMAGE .
- echo "API_TOKEN=$API_TOKEN" >> .env
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker push $DOCKER_IMAGE
only:
- master
deploy:
stage: deploy
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker pull $DOCKER_IMAGE
- docker run --env-file .env -d -p 8080:80 $DOCKER_IMAGE
only:
- master
Here’s what’s happening:
In the build stage, we create a Docker image and push it to the GitLab Container Registry, securely logging in with CI/CD variables. We echo the environment variables (including secrets) into the .env file for use during deployment.
In the deploy stage, we pull the Docker image and run the container, providing the environment variables from the .env file.
Kubernetes Approach with Secrets
If you are using Kubernetes, you can leverage Kubernetes Secrets for a more container-native approach to secret management. Here’s how to do it:
Step 1: Create Kubernetes Secrets
Create Kubernetes Secrets for your sensitive data. For example:
apiVersion: v1
kind: Secret
metadata:
name: my-app-secrets
type: Opaque
data:
api-token: <base64-encoded-api-token>
database-password: <base64-encoded-database-password>
Make sure to encode your secrets in base64 for secure storage.
Step 2: Configure Kubernetes Deployment
In your Kubernetes Deployment manifest, reference the Secrets you created earlier:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
template:
spec:
containers:
- name: my-app
env:
- name: API_TOKEN
valueFrom:
secretKeyRef:
name: my-app-secrets
key: api-token
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: my-app-secrets
key: database-password
This configuration ensures that your secrets are securely injected as environment variables into your application container.
Integration with Popular Key Vaults
For advanced secret management, consider integrating popular key vaults like HashiCorp Vault or AWS Secrets Manager into your CI/CD pipeline. These key vaults provide centralized, secure storage and management of secrets.
Here’s a high-level overview of the process:
- Set Up Key Vault: Configure and set up your chosen key vault, creating dedicated secret stores for your application.
- Retrieve Secrets: In your CI/CD pipeline, use the appropriate tooling or SDK to retrieve secrets from the key vault.
- Use Secrets: Inject these secrets as environment variables into your Docker containers or Kubernetes Pods during deployment, similar to the previous approaches.
- By integrating popular key vaults, you gain advanced features like rotation, access control, and audit logging for your secrets.
Benefits of These Approaches
All three approaches offer secure methods to manage secrets within your CI/CD pipeline:
- The Git and Docker approach keeps secrets out of your version control system and injects them during deployment.
- The Kubernetes approach uses native Kubernetes Secrets for containerized secret management.
- Integrating popular key vaults adds advanced security and management features to your secret handling.
By implementing these practices, you can ensure that your CI/CD pipeline remains secure while effectively managing sensitive data, regardless of your chosen infrastructure or secret management approach.