Manage Secrets for Technology Deployments

Depending on the architecture, integration, and dependencies of your application, various kinds of secrets are required for the technology or the application to work correctly. These secrets include database credentials, API keys, encryption keys, authentication tokens, certificates, and access tokens, among others. As a standard security practice, such secrets are stored in a secrets management tool like HashiCorp Vault or AWS Secrets Manager. When you deploy your application in the deployment workflow of the Calibo Accelerate platform, you can choose to inject these secrets at runtime instead of hard-coding them in the application code or configuration files.

On the Manage Secrets tab of the deployment workflow within a stage, you can save the details related to the secrets that you want to dynamically inject at runtime. On the Deployment tab, when you add and deploy technologies on your Docker container or Kubernetes cluster, you can select a secret to be injected from the list of saved secrets.

Depending on your preferred deployment mode, refer to the following sections:

Managing Secrets for Technology Deployments on Kubernetes Cluster

Managing secrets for Kubernetes deployments involves configuring the details of a secret on the Manage Secrets tab of a deployment workflow and enabling HashiCorp secret injection during technology deployment.

Prerequisites

Before you use the secret injection feature in the deployment workflow, make sure that you complete the following prerequisites on the Kubernetes cluster where you want to deploy technologies or applications.

Configuring Secrets in Calibo Accelerate platform

    On the Manage Secrets tab in a stage in the deployment workflow, you can configure the details of the secrets that you want to dynamically inject into your application at runtime. Currently, we support secret injection from HashiCorp Vault.

    To configure your HashiCorp Vault secrets for your Kubernetes deployments from within the Calibo Accelerate platform, do the following:

    1. Go to the stage in the deployment workflow of a product feature where you want to add and deploy technologies.

    2. On the Manage Secrets tab, click Add to configure the details of your HashiCorp Vault secret.

      Adding details of the secret to be injected

    3. In the Add Secret side drawer, enter the following details:

      • Secret Name: Provide the name of the secret stored in Vault.

      • Secret Management Tool: Select HashiCorp Vault.

      • Deployment Mode: Choose Kubernetes.

      • Path: Specify the path to the secret in HashiCorp Vault, for example, /dev/apps/mysecrets.

        Configuring HashiCorp Vault secret details

    4. Save the configured details.

      Your configured secret is listed and ready to be used during the deployment of your technology within the Calibo Accelerate platform. You can edit or delete it any time as required.

    Enabling Secret Injection During Technology Deployment on Kubernetes

    When you add a technology to be deployed in your configured Kubernetes cluster, you can choose to inject a pre-configured secret from HashiCorp Vault. To use the secret injection option, do the following:

    1. Go to the stage in the deployment workflow of a product feature where you want to add and deploy technologies.

    2. On the Deployment tab, go to the Kubernetes Clusters deployment option.

    3. On your configured running Kubernetes cluster, configure an ingress controller by following the on-screen instructions. An ingress controller simplifies the management of external traffic, enhances security, and enables you to configure routing rules for your services within a Kubernetes cluster. It is a fundamental component for exposing Kubernetes workloads to the internet or other external networks and managing that exposure.

    4. Click Add Technologies, and add the desired technology.

      Adding desired technology for Kubernetes deployment

    5. Provide all the technology details such as the desired source code branch, Kubernetes cluster namespace where you want to deploy the technology, context path, and port number.

    6. In the Deployment Configuration section, configure the following details:

      • Replicas: The number of replicas (copies) of your application that should be running simultaneously.

      • Resource Requests: Parameters to specify the minimum amount of resources (memory and CPU) that each pod of your application requests from the cluster.

      • Resource Limits: Resource limits set an upper bound on the amount of resources (memory and CPU) that each pod of your application can consume. Limits are essential for resource isolation and preventing a single pod from monopolizing resources and affecting the performance of other applications on the same node.

    7. To execute functional testing of the technology that is being deployed, turn on the Functional Testing toggle. Select the desired testing tool from the list and provide the details such as desired browser, test case repository URL, test case repository branch, and test case command. This is optional.

    8. To inject a secret into your application at runtime, select the Do you want to inject secret? box. This option is visible only when you have at least one secret configured on the Manage Secrets tab of your deployment workflow.

      See Configuring HashiCorp Vault Secrets in Calibo Accelerate Platform.

      Provide the following details:

      • Role Name: Enter your HashiCorp Vault role, which is associated with the Kubernetes service account you use for technology deployment.

      • Service Account: Enter the name of your Kubernetes service account that you use to deploy technologies.

      • Secret Name: Select the desired secret from the list of secrets that you have configured on the Manage Secrets tab.

      • File Name: Provide the name of the file that is mounted into your Kubernetes pod. The secret is written into this file at runtime during the deployment of a technology.

        Click +Add.

        Specify secret details for injection

    9. Click Add to save the technology details you provided.

      Add technology details for Kubernetes deployment

      With this, your technology is ready to be deployed. You can edit the technology details if required. Click Deploy in the upper right corner. As soon as the deployment starts, you can view the progress of the deployment on the CI/CD Pipeline tab.
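The following Jenkins pipeline snippet is an added example and is not code from the Calibo Accelerate platform or its pipelines. It assumes the cluster runs the Vault Agent Sidecar Injector (the mechanism that a role name, a service account and a file name together describe; the page does not state which mechanism the platform uses) and uses constructed names (myapp-role, myapp-sa, app-secrets, the secret mount, registry.example.com) to show how the fields from steps 6 and 8 map onto a Deployment manifest.

```groovy
// Added example, not the Calibo Accelerate platform's own pipeline code.
// Assumes the Vault Agent Sidecar Injector is installed and that the Vault
// Kubernetes auth role "myapp-role" is bound to service account "myapp-sa"
// in the target namespace (all names are constructed placeholders).
def roleName       = 'myapp-role'                      // Role Name field
def serviceAccount = 'myapp-sa'                        // Service Account field
def secretPath     = 'secret/data/dev/apps/mysecrets'  // Path field; mount "secret" and KV v2 "/data/" assumed
def fileName       = 'app-secrets'                     // File Name field: written to /vault/secrets/app-secrets
def namespace      = 'dev'                             // target namespace from step 5

node {
  stage('Deploy to Kubernetes') {
    def manifest = """
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: ${namespace}
spec:
  replicas: 2                                  # Replicas field (step 6)
  selector:
    matchLabels: { app: myapp }
  template:
    metadata:
      labels: { app: myapp }
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "${roleName}"
        # The sidecar logs in to Vault with the pod's service-account token,
        # reads the secret and writes it to /vault/secrets/${fileName}.
        vault.hashicorp.com/agent-inject-secret-${fileName}: "${secretPath}"
    spec:
      serviceAccountName: ${serviceAccount}
      containers:
        - name: myapp
          image: registry.example.com/myapp:latest
          ports:
            - containerPort: 8080
          resources:                           # Resource Requests / Limits (step 6)
            requests: { cpu: 250m, memory: 256Mi }
            limits:   { cpu: 500m, memory: 512Mi }
"""
    writeFile file: 'deployment.yaml', text: manifest
    sh 'kubectl apply -f deployment.yaml'
  }
}
```

The secret never appears in the image or the manifest; only the path and the role do, and Vault accepts the login only if the role is bound to that service account in that namespace.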

    Managing Secrets for Technology Deployments on Docker Container

    Managing secrets for Docker deployments involves configuring the details of a secret on the Manage Secrets tab of a deployment workflow and enabling HashiCorp secret injection during technology deployment.

    Prerequisites

    • Install and configure the HashiCorp Vault Plugin in your Jenkins instance.

    • The authentication token must have the necessary permissions to retrieve (read) secrets from the specific paths within HashiCorp Vault that you intend to use.

    Configuring Secrets in Calibo Accelerate platform

    To configure your HashiCorp Vault secrets for your Docker deployments from within the Calibo Accelerate platform, do the following:

    1. Go to the stage in the deployment workflow of a product feature where you want to add and deploy technologies.

    2. On the Manage Secrets tab, click Add to configure the details of your HashiCorp Vault secret.

      Adding details of the secret to be injected

    3. In the Add Secret side drawer, enter the following details:

      • Secret Name: Provide the name of the secret stored in Vault.

      • Secret Management Tool: Select HashiCorp Vault.

      • Deployment Mode: Choose Docker.

      • URL: Provide your HashiCorp Vault URL.

      • Cred ID: Specify the Jenkins credential ID which contains the Vault token.

      • Path: Specify the path to the secret in HashiCorp Vault. For example, you might store a database password at /dev/apps/mysecrets/db-password.

      • Keys: Specify the secret keys that you want to use during technology deployment.

        Configuring HashiCorp Vault secret details for Docker deployment

Enabling Secret Injection During Technology Deployment on Docker

When you add a technology to be deployed in your configured Docker container, you can choose to inject a pre-configured secret from HashiCorp Vault. To use the secret injection option, do the following:

  1. Go to the stage in the deployment workflow of a product feature where you want to add and deploy technologies.

  2. On the Deployment tab, go to the Docker Container deployment option.

  3. Add and configure a cloud instance. This instance is created in your cloud service provider account pre-configured in the Calibo Accelerate platform by your administrator.

    Creating cloud instance for technology deployment

  4. Click Add Technologies, and add the desired technology. The technologies that you add and configure in the Develop phase of feature development are listed here.

    Adding desired technology for Docker deployment

  5. Provide all the technology details such as the desired source code branch, context path, and the port number on which your container will listen for incoming network connections.

  6. To execute functional testing of the technology that is being deployed, turn on the Functional Testing toggle. Select the desired testing tool from the list and provide the details such as desired browser, test case repository URL, test case repository branch, and test case command. This is optional.

  7. To inject a secret into your application at runtime, select the Do you want to inject secret? box. This option is visible only when you have at least one secret configured on the Manage Secrets tab of your deployment workflow.

    See Configuring HashiCorp Vault Secrets in Calibo Accelerate Platform.

    Provide the following details:

    • Secret Name: Select the desired secret from the list of secrets that you have configured on the Manage Secrets tab.

    • Path: The path to the selected secret in HashiCorp Vault is auto-populated.

    • Keys: Select which keys from the stored secret data you want to inject during technology deployment. You can map each key to an environment variable in which the injected secret value is made available to your application.

      Note:

      The values 'user' and 'passwd' are not allowed as environment variable names.

  8. Click Add to save the technology details.

    Add technology details for Docker deployment

    With this, your technology is ready to be deployed. You can edit the technology details if required. Click Deploy in the upper right corner. As soon as the deployment starts, you can view the progress of the deployment on the CI/CD Pipeline tab.
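The following Jenkins pipeline snippet is an added example, not the platform's own pipeline code. It shows what the Docker fields from step 3 (URL, Cred ID, Path, Keys) and step 7 (key-to-environment-variable mapping) translate to when the Jenkins HashiCorp Vault Plugin's withVault step fetches the secret; the Vault URL, the credential ID, the mount name "secret", the key names and the image are constructed placeholders.

```groovy
// Added example, not the Calibo Accelerate platform's own pipeline code.
// Assumes the HashiCorp Vault Plugin is installed in Jenkins and that the
// Jenkins credential "vault-token" holds a Vault token whose policy grants
// read on the path below (constructed placeholder names throughout).
def vaultConfig = [
  vaultUrl:          'https://vault.example.com',  // URL field
  vaultCredentialId: 'vault-token',                // Cred ID field
  engineVersion:     2                             // KV v2 secrets engine
]

// Path and Keys fields: each key of the stored secret is mapped to an
// environment variable. 'user' and 'passwd' are not allowed as variable
// names, so neutral names such as DB_USER and DB_PASSWORD are used.
def vaultSecrets = [[
  path: 'secret/dev/apps/mysecrets',   // mount + path; for KV v2 the plugin inserts /data/ itself
  secretValues: [
    [envVar: 'DB_USER',     vaultKey: 'db-user'],
    [envVar: 'DB_PASSWORD', vaultKey: 'db-password']
  ]
]]

node {
  stage('Run container with injected secret') {
    withVault([configuration: vaultConfig, vaultSecrets: vaultSecrets]) {
      // The variables exist only inside this block and are masked in the
      // console log; they reach the container at start-up, not via the image.
      sh '''
        docker run -d --name myapp -p 8080:8080 \
          -e DB_USER="$DB_USER" -e DB_PASSWORD="$DB_PASSWORD" \
          registry.example.com/myapp:latest
      '''
    }
  }
}
```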