HashiCorp Vault is a secret and encryption management system that allows your organization to secure sensitive information such as API keys, certificates, and passwords. In this article, I will show how a NodeJS Express web application deployed into a Kubernetes cluster can fetch a secret directly from the Vault server using the node-vault module. This … Vault: NodeJS Express web app using node-vault to fetch secrets
If you have a previous investment in Ansible Configuration Management for command line automation, you may now want to invoke that same logic from a GitLab CI/CD pipeline. The cleanest way to provide Ansible to a pipeline job is to create a custom Docker image that contains all the Ansible binaries and required Galaxy modules. … GitLab: invoking Ansible from a GitLab pipeline job
If you need to copy a secret from one namespace to another, you will get an error because the ‘namespace’ is still embedded in the yaml and cannot be overridden with the final apply. By using a sed replacement as a filter, you can do a quick transformation and get your desired result. Below is … Kubernetes: copying a secret from one namespace to another
If you accidentally pushed a secret or password into a git repository, the BFG Repo-Clean utility is a convenient option for removing all traces of the secret from the entire git commit history. It is also possible to use ‘git-filter-branch‘, but I find BFG more convenient and faster.
If you currently store sensitive credentials in plaintext to automate scripting or integration to other systems, you should consider an extra layer of security by storing them encrypted using GPG. There is no fullproof way to hide sensitive information for a service that also needs to decrypt them as part of normal operations (think DVD … Linux: Using GPG encrypted credentials for enhanced security
When automating software and infrastructure, it is not uncommon to need to supply a user id and password for installation or other operations. While it is certainly possible to pass these plaintext credentials directly in the state, this is not best practice. # not best practice!!! testdb_user: mysql_user.present: – name: frank – password: “test3rdb” – … SaltStack: Keeping Salt Pillar data encrypted using GPG