Closed fnaranjo-vmw closed 1 year ago
The reason why we are interested in this feature is because my team is harnessing var_sources, set_pipeline: self and a custom task to have self-setting pipelines without human intervention.
You can find an example of this idea in the repo: https://github.com/fnaranjo-vmw/self-setting-pipeline-with-secrets/
It may seem useless at first to enable secret redaction without a cluster-wide credential manager, however with the addition of var_sources this is not necessarily true anymore. It is possible to harness the dummy type for var_sources and get proper secret redaction in Concourse logs. See Examples section from official docs.

WARNING: this method does not replace the use of a credential-manager. Anyone with permission to run fly get-pipeline will be able to see your secrets in plain text. However, I believe this method provides a security improvement at a relatively small cost - (it can affect performance).
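An added example, not taken from this PR or the linked repository: a minimal pipeline that declares a dummy var source and passes one of its values to a task, so the value is fetched through the var-source lookup path and masked in build output when secret redaction is enabled on the cluster. The var source name, variable name, job and task names, image and secret value are constructed placeholders.

```yaml
# Constructed example pipeline (not from the PR or the linked repo).
# Assumes secret redaction is enabled on the Concourse cluster.
var_sources:
- name: local            # hypothetical var source name
  type: dummy            # values are stored inline in the pipeline config
  config:
    vars:
      # Placeholder value. Because it lives in the pipeline config,
      # anyone allowed to run `fly get-pipeline` reads it in plain text.
      api_token: example-token-not-a-real-secret

jobs:
- name: use-token        # hypothetical job name
  plan:
  - task: call-api       # hypothetical task name
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: busybox
      params:
        # Resolved through the var source at runtime, so Concourse
        # tracks the value and can redact it from the build log.
        API_TOKEN: ((local:api_token))
      run:
        path: sh
        args:
        - -c
        # Deliberately echoes the variable to check redaction: with it
        # enabled, the log shows a redaction marker instead of the value.
        - echo "token is $API_TOKEN"
```

Writing the value directly under params instead of referencing ((local:api_token)) would leave it untracked, and it would appear unmasked in the build log.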