Spinnaker – Secrets

Docs: Secrets in GCS

Mon, 01 Jan 0001 00:00:00 +0000

This example uses a bucket (mybucket) to store GitHub credentials and a kubeconfig file.

Authorization

Since you’re storing sensitive information you protect the bucket by restricting access to it. Encryption at rest is already provided automatically without additional setup.

Remember to run Spinnaker services with a service account that allows them to read that content.

Storing secrets

Storing credentials

Store your GitHub credentials in mybucket/spinnaker-secrets.yml:

github:
  password: <PASSWORD>
  token: <TOKEN>

Note: You could choose to store the password under different keys than github.password and github.token. You’d just need to change how to reference the secret .

Storing sensitive files

Some Spinnaker configuration uses information stored as files. For example, upload the kubeconfig file of your Kubernetes account directly to mybucket/mykubeconfig:

gsutil cp /path/to/mykubeconfig gs://mybucket/mykubeconfig

Referencing secrets

Now that secrets are safely stored in the bucket, you reference them from your config files using the format below. The GCS-specific parameters (b:<bucket>, f:<path to file>, k:<optional yaml key>) can be in any order. To reference secret literal values:

encrypted:gcs!b:<bucket>!f:<path to file>!k:<optional yaml key>

To reference secret files:

encryptedFile:gcs!b:<bucket>!f:<path to file>

The k:<key> parameter is only necessary when storing secret values in a yaml file, like in our example. To reference github.password from the file above, use:

encrypted:gcs!b:mybucket!f:spinnaker-secrets.yml!k:github.password

But to reference your kubeconfig file, you can leave off the k parameter and use encryptedFile prefix:

encrypted:gcs!b:mybucket!f:mykubeconfig
encryptedFile:gcs!b:mybucket!f:mykubeconfig

Docs: Secrets in Google Secret Manager

Mon, 01 Jan 0001 00:00:00 +0000

This example uses secrets - mysecret1, mysecret2 - to store GitHub credentials and secret - mykubeconfig - to store kubeconfig file.

Authorization

Since you’re storing sensitive information you protect the secret by restricting access to it through IAM roles . Encryption at rest is already provided by default.

Remember to run Spinnaker services with a service account that allows them to read that content.

Storing secrets

Storing credentials

Store your GitHub token in a secret named mysecret either as a complete secret or as a value of one of the json keys:

secret mysecret1:

    <TOKEN>

secret mysecret2:

    {
      "github-token": "<TOKEN>",
      "some-other-key": "<some-other-secret>"
    }

Note: You could choose to store the token under different key than github-token. You’d just need to change how to reference the secret .

Storing sensitive files

Some Spinnaker configuration uses information stored as files. For example, upload the kubeconfig file of your Kubernetes account directly to mykubeconfig secret:

gcloud secrets versions add mykubeconfig --data-file="/path/to/kubeconfig"

Referencing secrets

Now that secrets are safely stored in the Secret Manager, you reference them from your config files using the format below. The Secret Manager specific parameters (p:<project number>, s:<secret id>, k:<optional json key>, v:<optional secret version>) can be in any order. To reference secret literal values:

encrypted:google-secrets-manager!p:<project number>!s:<secret id>!k:<optional json key>!v:<optional secret version>

To reference secret files:

encryptedFile:google-secrets-manager!p:<project number>!s:<secret id>!v:<optional secret version>

To reference the latest version of secret from mysecret1, use:

encrypted:google-secrets-manager!p:123456789012!s:mysecret1

The k:<key> parameter is only necessary when storing secret values in a json file. Also, the v:<secret version> parameter is required only when the secret is not from the latest version. To reference github-token from the secret above having version 2, use:

encrypted:google-secrets-manager!p:123456789012!s:mysecret2!k:github-token!v:2

But to reference your kubeconfig file, you must leave off the k parameter and use encryptedFile prefix:

encryptedFile:google-secrets-manager!p:123456789012!s:mykubeconfig

Docs: Secrets in S3

Mon, 01 Jan 0001 00:00:00 +0000

This document describes how to set up Spinnaker secrets in an encrypted S3 bucket. This example uses a bucket ( mybucket) in the us-west-2 region to store GitHub credentials and a kubeconfig file. You can reference the bucket by its URL mybucket.us-west-2.amazonaws.com.

Authorization

Since you’re storing sensitive information, you protect the bucket by restricting access and enabling encryption .

Remember to run Spinnaker services with IAM roles that allow them to read that content.

Storing secrets

Storing credentials

Store your GitHub credentials in mybucket/spinnaker-secrets.yml:

github:
  password: <PASSWORD>
  token: <TOKEN>

Note: You could choose to store the password under different keys than github.password and github.token. You’d just need to change how to reference the secret further down.

Storing sensitive files

Some Spinnaker configuration uses information stored as files. For example, upload the kubeconfig file of your Kubernetes account directly to mybucket/mykubeconfig:

aws s3 cp /path/to/mykubeconfig s3://mybucket/mykubeconfig

Referencing secrets

Now that secrets are safely stored in the bucket, you reference them from your config files using the following format. The S3 specific parameters (r:<region>, b:<bucket>, k:<optional yaml key>) can be in any order: To reference secret literal values:

encrypted:s3!r:<region>!b:<bucket>!f:<path to file>!k:<optional yaml key>

To reference secret files:

encryptedFile:s3!b:<bucket>!f:<path to file>

The k:<key> parameter is only necessary when storing secret values in a yaml file, like in our example. To reference github.password from the file above, use:

encrypted:s3!b:mybucket!f:spinnaker-secrets.yml!r:us-west-2!k:github.password

But to reference your kubeconfig file, you can leave off the k parameter and use encryptedFile prefix:

encrypted:s3!r:us-west-2!b:mybucket!f:mykubeconfig
encryptedFile:s3!r:us-west-2!b:mybucket!f:mykubeconfig