autopilotpattern / jenkins

Extension of official Jenkins Docker image that supports Joyent's Triton for elastic slave provisioning

Secrets management support #7

Open tgross opened 8 years ago

tgross commented 8 years ago

Currently we inject secrets into the Jenkins container via environment variables in the setup script:

# munge the private key so that we can pass it into an env var sanely
# and then unmunge it in our startup script
echo "PRIVATE_KEY=$(tr '\n' '#' < "${DOCKER_CERT_PATH}/key.pem")" >> _env
echo 'Edit the _env file to include a JENKINS_PASSWD and GITHUB_* config'

This blueprint can be a first use case for implementing secrets management via Vault. Although supporting secure injection for launching production containers requires the help of a scheduler, we can get away without that in the case of a one-off container like a Jenkins master. This will let us build an example workflow for secrets management that we can then enhance when Mariposa is completed.
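The munge/unmunge round trip the comment describes, written out as an added example (not code from the original issue or the autopilotpattern repo); the PEM block is constructed rather than a real key, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample (not a real key): a PEM-shaped block whose body uses only
# the base64 alphabet and '-' headers, so the '#' delimiter cannot collide.
SAMPLE_PEM='-----BEGIN PRIVATE KEY-----
MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAUEwggE9AgEAAkEA0Z3VS5JJcds3xfn/
ygWyF8PbnGinf+YVKmd1lF2Z3JBsJbhK7qIvQ==
-----END PRIVATE KEY-----'

# Setup side: collapse the multi-line key onto one line so it fits in an env
# var. Refuse input that already contains '#', since the mapping would then
# be lossy and the startup side could not reverse it.
munge_key() {
    case $1 in
        *'#'*) echo "munge_key: input already contains '#'" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | tr '\n' '#'
}

# Startup side: restore the newlines before writing the key to disk. Callers
# capture the result with $(...), which drops the trailing newline.
unmunge_key() {
    printf '%s' "$1" | tr '#' '\n'
}

# The line the setup script appends to _env. Anything placed in an env var is
# readable by every child process and via `docker inspect`, which is what the
# issue wants to move into a secrets store.
env_line() {
    printf 'PRIVATE_KEY=%s\n' "$(munge_key "$1")"
}

# Check that munge/unmunge is an exact inverse for a given key.
roundtrip_ok() {
    munged=$(munge_key "$1") || return 1
    [ "$(unmunge_key "$munged")" = "$1" ]
}

roundtrip_ok "$SAMPLE_PEM" && echo "round trip ok"
```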

tgross commented 7 years ago

Just for the record, the initial implementation of doing this will be in https://github.com/joyent/product-automation (private) which we'll be using for CI/CD on Joyent.com. I'll work through backporting that into this repo once that work is done and stable and tested.