Secrets Management:
Keeping Secrets Secret
Your secrets are in another castle, and that’s okay.
Secrets Management:
The Problem
Passwords and tokens (aka secrets) are a fact of life in software development, and operating Spinnaker involves managing configs with lots and lots of secrets.
Sharing Spinnaker configs in Git repos is ideal for source control repeatability and maintainability, but risks exposing your secrets to the world without a proper secrets management solution.
The Solution
With Armory Secrets Management, keep Spinnaker configuration files in source control while protecting secrets with a secret store, such as Vault.
Instead of committing your secrets in plain text to source control, Secrets Management allows you to commit only the location of a secret in a secret store to your configuration files. You can then automatically decrypt secrets at the point of use, and audit their use with your secret store’s logs.
How Armory Secrets Management Works
Spinnaker users simply replace the secret value in their halconfig and/or service yamls with a syntax (described here and here) that tells Spinnaker where to fetch the secret. It’s as easy as that!
Armory’s Secrets Management currently supports encrypted S3 Buckets and Vault.
You can read more about the Armory Secrets Management here.
github:
enabled: true
accounts:
name: github
username: github-user
password: encrypted:vault!e:secret!p:spinnaker/github!k:password