Secrets
Learn how to use secrets in your custom pipeline configuration
When creating custom pipelines, you may have settings that you don't want to store in plain text or share with other users of the pipeline. A good way to avoid exposing them is to use secrets within Calyptia Core.
Secrets within Calyptia Core are stored per pipeline and referenced in configuration paths by using double curly braces. For example, a secret that looks like the following:
Can be referenced in a configuration as {{ secrets.key }}.
Create a secret
Within the Pipeline Overview page, you can navigate to the Advanced Settings page to modify and add secrets.
The following example demonstrates how to create the previously described secret file with the user interface:
Update a secret with a new value
You can update a secret by selecting update within the Advanced Settings page.
Secrets can be edited only with a new value, and previous values are neither displayed nor stored.
Secret storage
Calyptia Core stores all the secrets encrypted using RSA public key cryptography.
Each deployment of Calyptia Core has its own unique key pair (private and public), generated when the new instance registers. Calyptia Cloud does not store this private key in any form.
When a new instance of Calyptia Core gets registered, a new unique key pair is generated and the private key is stored in your operating environment. When a pipeline is deployed or updated and it requires a secret, that secret is fetched encrypted from Calyptia Core and decrypted within your environment using the in-memory private RSA key.
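The storage model described above, as an added Go example that is not Calyptia's own code: the storing side holds only the public key and ciphertext, and the instance decrypts in memory when it renders a {{ secrets.NAME }} reference. The function names, the OAEP/SHA-256 padding, the 2048-bit key size and the sample configuration line are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"regexp"
)

var secretRef = regexp.MustCompile(`\{\{\s*secrets\.(\w+)\s*\}\}`) // {{ secrets.NAME }}

// NewInstanceKey stands in for the key pair generated at instance registration.
func NewInstanceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal needs only the public key. OAEP with SHA-256 is an assumption.
func Seal(pub *rsa.PublicKey, value string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(value), nil)
}

// Render decrypts referenced secrets in memory; a missing or undecryptable one is an error.
func Render(priv *rsa.PrivateKey, conf string, stored map[string][]byte) (string, error) {
	var err error
	out := secretRef.ReplaceAllStringFunc(conf, func(ref string) string {
		name := secretRef.FindStringSubmatch(ref)[1]
		ct, ok := stored[name]
		if !ok {
			err = fmt.Errorf("secret %q is not defined", name)
			return ref
		}
		pt, derr := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
		if derr != nil {
			err = fmt.Errorf("secret %q: %w", name, derr)
		}
		return string(pt)
	})
	if err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	priv, _ := NewInstanceKey()
	ct, _ := Seal(&priv.PublicKey, "constructed-sample-password") // constructed value
	fmt.Println(Render(priv, "HTTP_Passwd {{ secrets.es_http_passwd }}", map[string][]byte{"es_http_passwd": ct}))
}
```

Rendering fails when a reference has no stored secret or when the ciphertext was sealed for a different instance's key, so an unresolved placeholder never reaches a deployed configuration.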
The following diagrams illustrate the secret generation and usage:
Calyptia CLI
To reference secrets in Calyptia CLI, you must create a new file in your local environment and then add it within your configuration. For example, in the pipeline-es.conf file, you don't want to specify HTTP_Passwd in plain text. Instead, use a secret with the variable es_http_passwd. This variable is defined in the following secrets.env file:
pipeline-es.conf
Now you need to define them in another file (secrets.env):
Create a pipeline with a secret
When creating a pipeline, you must specify --secrets-file so that the pipeline configuration can use the secrets. The command for that is:
Replace CORE_INSTANCE with the unique ID or name of the Calyptia Core instance.
Update a secret's value
To update a secret, first list all secrets, and then update the secret with new values.
List all the secrets from a pipeline:
The output is similar to the following:
You can take the secret ID and use it to update its value: