I am wondering if it's possible to store credentials like passwords, tokens and keys safely in my GitLab project.
Currently there are a bunch of Java files with some passwords stored in them for testing purposes. However, I don't want to push this information to my repo for security reasons. I tried using environment variables in the project, but they only seem to work for the .gitlab-ci.yml file.
My question is: does anyone use a vault like HashiCorp's or Blackbox to encrypt sensitive information?
Thanks
Manage secrets through HashiCorp Vault and GitLab CI
GitLab CI/CD integrates with HashiCorp Vault to support advanced secrets management use cases. You can combine the K8S_SECRET_ prefixed use case even with Vault-based secrets, and have the secrets applied automatically.
GitLab stores user passwords in a hashed format to prevent passwords from being stored as plain text. GitLab uses the Devise authentication library to hash user passwords. Created password hashes have these attributes: Hashing: The bcrypt hashing function is used to generate the hash of the provided password.
The mistake that many programmers (even experienced ones) make is to store secrets together with their code, checking them into source control (like Git). This is certainly the easiest, most convenient way to deal with the problem, but it's a rather bad idea. In short, don't store your secrets in Git!
To avoid doing that, you can use the Secret Manager. The Secret Manager tool stores sensitive data in a JSON file under %appdata%, so you are sure to not commit them. It works the same as the appsettings.json file at the root of your project.
You can check out GitLab 12.9 (March 2020) which comes with:
HashiCorp Vault GitLab CI/CD Managed Application
GitLab wants to make it easy for users to have modern secrets management. We are now offering users the ability to install Vault within a Kubernetes cluster as part of the GitLab CI managed application process.
This will support the secure management of keys, tokens, and other secrets at the project level in a Helm chart installation.
See documentation and issue.
See also GitLab 13.4 (September 2020)
For Premium/Silver only:
Use HashiCorp Vault secrets in CI jobs
In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.
See Documentation and Issue.
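A sketch of the secrets syntax described in the answer above, applied to a Java test job. It is an added example, not taken from the original answer or from GitLab's release post. The Vault address, role name, secret path and job name are assumptions; id_tokens is how newer GitLab releases issue the job's JWT, and file: false needs a release that supports it.

```yaml
# Added example: every hostname, role, path and job name is a placeholder.
variables:
  VAULT_SERVER_URL: https://vault.example.com   # assumed Vault address
  VAULT_AUTH_ROLE: java-tests-readonly          # assumed Vault JWT role
  # VAULT_AUTH_PATH is optional and defaults to "jwt".
  # On the Vault side, bind this role to the project's JWT claims
  # (for example project_id) so jobs from other projects cannot use it,
  # and attach a policy that only allows reading the test secrets.

integration_tests:
  stage: test
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com            # must match the audience the Vault role expects
  secrets:
    DB_PASSWORD:
      # field "password" of the secret test/db in the KV engine mounted at "ops"
      vault: test/db/password@ops
      token: $VAULT_ID_TOKEN
      # By default the variable holds the PATH of a temporary file that
      # contains the secret. file: false puts the value itself in the
      # variable, which is what code calling System.getenv("DB_PASSWORD")
      # expects.
      file: false
  script:
    # The runner exports DB_PASSWORD to every process in the job, so the
    # Java tests can read it at run time and nothing is committed to Git.
    # Do not echo the variable or run the build with debug output that
    # dumps the environment.
    - mvn -B test
```

If file: false is not available, leave the default in place and have the test code read the file whose path is stored in DB_PASSWORD.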