Skip to content

Configure Kubernetes app secrets as variables for Auto DevOps Apps

Problem to solve

Currently, there is no way to make secrets available to an auto devops application running in a k8s cluster.

Further details

For example I may need to configure my rails application to have some secret API token for a 3rd party email sending service. I would prefer not to commit this secret to the repo as this violates 12 factor principles as well as probably violates some security best practices.

Maybe phrased as a user user story:

As an operator I'd like to be able to configure a deployed application with secret variables without this being visible to developers that write the code.

Possibly we need a new interface for this or maybe we can leverage our CI secret variables.

Proposal

  1. Update documentation to reflect new prefixed variable option and link within the UI. Prefix with K8S_SECRET_

  2. Update descriptive text within the UI:

Variables

Variables are applied to environments via the runner. They can be protected by only exposing them to protected branches or tags. You can use variables for things like passwords, secret keys, or credentials. You may also add variables that are made available to the running application. More information

  1. In CI we ensure the variables with the relevant prefix name are passed to the running app as env vars with the prefix stripped off

image

Previous Proposal 01

Proposal

Leveraging existing variables (project settings >> CI/CD >> variables) allow user to define these variables in a new section, where the variables are only to be used for app running in the cluster (the auto devops app).

  1. We store these new variables in a new model in our backend (really simple new table)

  2. When created we create the Secret in K8s

  3. We pass a new variable to CI jobs called APP_SECRETS which is a comma separated list of the variables (names only) that need to be mounted in the helm chart

ce ee
ci-cd-settings__variables--ce ci-cd-settings__variables--ee

Only variables defined in the new section would be passed to the application running in the cluster.

Previous Proposal 02

These can then be configured for the application in a couple of ways:

  1. Environment variables included in pod definition
  2. Even better we could make use of kubernetes secrets. Per those docs these can be provided as files in the pod or as environment variables in the pod.

Links

What does success look like, and how can we measure that?

(If no way to measure success, link to an issue that will implement a way to measure this)

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖