 

Keep gitlab CI/CD variables secret in public repository

I have a private project on Gitlab with CI/CD set up to push/pull docker images from Google Container Registry and to deploy my software to Kubernetes Engine in GCP.

Is there a way to make my project public without worrying about the secrets used to connect to GCP getting leaked? In particular, I'm worried that when my repository is public anyone would be able to add a line like echo $GCP_REPOSITORY_SECRET somewhere in the .gitlab-ci.yml file, push their branch and view the output of the CI to "discover" my secret. Does Gitlab have a mechanism to prevent this? More fundamentally, are there best practices to keep deployment secrets secret for public repositories?

Paymahn Moghadasian asked Nov 10 '18 22:11





2 Answers

More fundamentally, are there best practices to keep deployment secrets secret for public repositories?

Yes, don't have any sensitive data in it. Ever.

At the GCP level, the secret management options are listed here.

When connecting a GitLab-CI to GCP, you can see the security implication here, which uses kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 -D, with the right account and RBAC.

The whole cluster security is based on a model where developers are trusted, so only trusted users should be allowed to control your clusters.


Note that GitLab 11.7 (January 2019) allows for:

Configure Kubernetes app secrets as variables for Auto DevOps pipelines

Operators and administrators require that the configuration of secrets takes place outside the application’s repository to reduce risk and exposure of sensitive data.
To address this need, GitLab now offers the ability to configure secrets as environment variables that are made available to the Auto DevOps application running in your Kubernetes cluster.

https://about.gitlab.com/images/11_7/autodevops-secrets.png

Simply prepend your variable with K8S_SECRET_ and the relevant Auto DevOps CI pipeline will take your application secret variable to populate a Kubernetes secret.

VonC answered Nov 15 '22 11:11

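As an added example (not GitLab's Auto DevOps code and not part of the answer above), the following shell script shows the mechanism the K8S_SECRET_ convention relies on: every variable carrying that prefix becomes one data key of a Kubernetes Secret, with the prefix stripped and the value base64-encoded, and the manifest is what gets applied to the cluster. The secret name, namespace and the sample K8S_SECRET_ values are constructed for the demo; manifest_value is a helper added so a pipeline can verify the injected value without echoing plaintext into the job log.

```shell
#!/usr/bin/env bash
# Added example (not GitLab's Auto DevOps implementation): turn every
# environment variable named K8S_SECRET_<KEY> into a data entry of a
# Kubernetes Secret manifest, which is what the Auto DevOps convention
# above amounts to. Secret name, namespace and sample values below are
# constructed for the demo.
set -euo pipefail

# Print a Secret manifest named "$1" in namespace "$2" to stdout, with one
# data key per K8S_SECRET_* variable (prefix removed). Values are base64
# encoded because that is what the "data" field of a Secret requires.
k8s_secret_manifest() {
  local name="$1" namespace="$2" line key value
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$name" "$namespace"
  # env prints NAME=VALUE per line; sort so the manifest is stable between runs.
  # Caveat: a value containing a newline would span two lines here and break the parse.
  while IFS= read -r line; do
    key="${line%%=*}"
    value="${line#*=}"
    # tr strips the line wrap GNU base64 inserts after 76 characters.
    printf '  %s: %s\n' "${key#K8S_SECRET_}" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done < <(env | grep '^K8S_SECRET_' | sort || true)
}

# Decode one key back out of a manifest produced above, so a pipeline can
# verify what was injected without printing the plaintext to the job log.
manifest_value() {
  local manifest="$1" key="$2"
  printf '%s\n' "$manifest" | awk -v k="  ${key}:" 'index($0, k) == 1 { print $2 }' | base64 -d
}

# Constructed sample variables, standing in for what would be set in the
# GitLab project's CI/CD settings (never in the repository).
export K8S_SECRET_DATABASE_URL='postgres://app:example-pw@db.internal:5432/app'
export K8S_SECRET_API_TOKEN='example-token-not-a-real-credential'

# Stand-alone run: print the manifest that would be piped to `kubectl apply -f -`.
k8s_secret_manifest app-secrets production
```

Note that the base64 in a Secret's data field is an encoding, not protection: anyone who can read the Secret object, or the job log if the manifest is printed, gets the value back with `base64 -d`, which is why the variables themselves belong in protected project settings rather than in the repository.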


Masked variables are ridiculously easy to unmask...

echo ${MASKED_VARIABLE::1} ${MASKED_VARIABLE:1}   # mind the gap!

You may want to PROTECT them instead; AND, make sure that only truly trusted devs can push to your protected branches.

notGitLab answered Nov 15 '22 09:11

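To make concrete why the split echo in the answer above defeats masking, here is an added shell example (not part of that answer, and not GitLab's code). mask_job_log stands in for the runner's log filter, under the assumption that masking is a literal replacement of the exact variable value with [MASKED] on each output line; the secret value is constructed. Three job commands are run through it, and deploy_allowed shows the alternative the answer recommends, keyed on GitLab's predefined CI_COMMIT_REF_PROTECTED variable.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer or from GitLab. mask_job_log is an
# assumption about how variable masking behaves: a literal replacement of the
# exact value with [MASKED] on each log line. The secret value is constructed.
set -euo pipefail

# Constructed sample value standing in for a masked CI/CD variable.
MASKED_VARIABLE='s3cr3t-deploy-token-0001'

# Stand-in for the runner's log filter: replace exact occurrences of the
# secret with [MASKED]. It cannot know when the value is emitted in pieces.
mask_job_log() {
  local secret="$1" line
  while IFS= read -r line; do
    printf '%s\n' "${line//"$secret"/[MASKED]}"
  done
}

# Job 1: print the variable as-is. This is the case masking is built for.
direct_echo()  { echo "$MASKED_VARIABLE"; }

# Job 2: the trick from the answer (first character, a space, then the rest;
# the answer writes the first slice as ${MASKED_VARIABLE::1}, same result).
# Neither fragment equals the whole value, so both pass the filter untouched.
split_echo()   { echo "${MASKED_VARIABLE:0:1} ${MASKED_VARIABLE:1}"; }

# Job 3: any reversible encoding defeats a literal filter just as well.
encoded_echo() { printf '%s' "$MASKED_VARIABLE" | base64; }

# Given a (masked) job log, can an attacker recover the secret from it?
# Checks the rejoined split form and a base64-decoded form.
leaks_secret() {
  local log="$1"
  [[ "${log// /}" == *"$MASKED_VARIABLE"* ]] && return 0
  if printf '%s' "$log" | base64 -d 2>/dev/null | grep -q -- "$MASKED_VARIABLE"; then
    return 0
  fi
  return 1
}

# What the answer recommends instead of relying on masking: protected
# variables only exist on protected refs, and a job can refuse to run anywhere
# else. CI_COMMIT_REF_PROTECTED is a predefined GitLab CI variable that is
# "true" when the pipeline runs for a protected branch or tag.
deploy_allowed() {
  [ "${CI_COMMIT_REF_PROTECTED:-false}" = "true" ]
}

# Stand-alone run: show what each job's masked log looks like.
for job in direct_echo split_echo encoded_echo; do
  log="$("$job" | mask_job_log "$MASKED_VARIABLE")"
  if leaks_secret "$log"; then verdict="LEAKS"; else verdict="masked"; fi
  printf '%-13s %-8s %s\n' "$job:" "$verdict" "$log"
done
```

The takeaway matches the answer: masking only stops accidental, verbatim prints. Anyone who can push a branch that runs a pipeline can trivially transform the value before printing it, so the real control is limiting who can run jobs that see the variable at all, which is what protected variables plus restricted push access to protected branches provide.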