.svg)
While the whole DevOps practices talk about automation and speed, it is also important to ensure that security is taken care of. Most organizations that ignored security are now rethinking it and embracing the DevSecOps principles of shifting left and adding security checkpoints at every step of the CI/CD pipeline. Security is getting more attention as it gets the highest points when considering any tool. Hence, security professionals are in high demand to ensure the systems and processes work as expected without getting attacked by hackers and security vulnerabilities. The software delivery pipeline consists of a CI/CD pipeline that requires a lot of connections from third-party tools for a smooth software delivery workflow. These external tools and platforms, such as your Docker Hub, Artifactory, Cloud providers, Security testing tools, etc, are connected to your CI/CD pipeline through secrets.
Storing and managing these secrets is crucial so the credentials are not compromised. It is also one of the essential and basic traits when considering a CI/CD platform to understand how the secrets are managed securely.
Today, we will see how secrets are managed in the Harness platform.
Secrets management in the context of DevOps refers to securely storing and managing sensitive information such as passwords, API keys, database credentials, and other secrets used in the software development and deployment process. These secrets are typically required by various components of an application, including infrastructure configuration, code repositories, build scripts, deployment pipelines, and runtime environments.
The goal of secrets management is to protect sensitive information from unauthorized access, misuse, or exposure, while still providing controlled access to authorized users, processes, or systems. In a DevOps and CI/CD environment, secrets management becomes crucial because automation tools and processes often require access to these secrets to perform tasks such as building, testing, and deploying applications.
Secrets are integral to a CI/CD pipeline and can be present at every step, from code to deployment environment. In a typical CI/CD workflow, a developer pushes his/her code to a source control management (SCM) tool like GitHub or BitBucket, and then a continuous integration (CI) tool gets triggered, where it builds and tests the code. Next, the artifacts get created and pushed to a repository, where an artifact repository connector is required. Then the code gets deployed to production, and you need to connect the cloud provider or wherever you are deploying the code (the target environment). Finally, the monitoring tool gets connected to the CI/CD pipeline for observability purposes to keep the application running as expected.
In a typical CI/CD workflow/pipeline, these types of connectors are involved where managing secrets is very important.
Managing secrets in a DevOps pipeline poses significant challenges in today's technology landscape. One of the primary concerns revolves around maintaining the security and integrity of sensitive information, such as API keys, passwords, and encryption keys, throughout the development and deployment processes. As DevOps emphasizes rapid and continuous delivery, secrets management becomes crucial to prevent unauthorized access and data breaches. Additionally, the distributed nature of DevOps, with multiple teams and various tools involved, adds complexity to secret distribution, rotation, and revocation. Ensuring proper access controls and permissions across different environments, including development, staging, and production, further compounds the challenges.
Addressing these challenges requires a combination of robust security practices, effective access controls, automation, and secure secret management solutions.
You can manage your secrets in Harness using a key management service (KMS) or a third-party secret manager. Google Cloud Key Management Service is the default Secret Manager in Harness and is named Harness Secret Manager Google KMS.
The Key Management Service (Google Cloud KMS or AWS KMS) only stores the key. Harness uses envelope encryption to encrypt and decrypt secrets. The encrypted secret and the encrypted Data Encryption Key (used for envelope encryption) are stored in the Harness database.
You can also use third-party Secret Managers, for example, HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager.
These Secret Managers store the key, perform encryption and decryption, and also store the secrets (encrypted key pair). Neither the keys nor the secrets are stored in the Harness database. A reference to the secret is stored in the Harness database.
Go to your project and click on ‘Connectors’
Click on the ‘New Connector’, and you will be presented with all the possible secret managers present.
Click on the ‘GCP KMS’ and continue. Mention a name and start adding the details.
Go to your GCP console and click on ‘Security’ and then ‘Key Management’.
Create a key ring and open the Actions menu (⋮), then click Copy Resource Name.
[Each KMS [key management system] is a little different. Google KMS follows this pattern for folks to retrieve the key]
A reference to the key is now on your clipboard.
Paste the reference into an editor.
You can now copy and paste its substrings into each of the Harness Secret Manager’s Details settings as shown below.
Next, you need to attach the GCP KMS Credentials File.
You can follow this guide and connect your GCP KMS to Harness.
Similarly, you can add
You can also add encrypted test secrets, file secrets or SSH keys to reference in your CI/CD pipeline. Harness includes a built-in Secrets Management feature that enables you to store encrypted secrets, such as access keys, and use them in your Harness connectors and pipelines.
This is how we add our GitHub Personal Access Token, Docker Hub credentials, Database connection string, etc.
One thing to note here is that you need to make sure that your Delegate is up and running.
Harness Delegate is a service you run in your local network or VPC to connect your artifacts, infrastructure, collaboration, verification, and other providers, with Harness Manager. The first time you connect Harness to a third-party resource, Harness Delegate is installed in your target infrastructure, for example, a Kubernetes cluster. Know more about Harness Delegate here.
When you want to connect your Docker Hub to Harness, this is the step you need to take.
Click on the new connector and then select ‘Docker Registry’ from the list.
Mention a name and continue.
Next, you will add the Docker Registry URL and authenticate with your Docker Hub credentials as shown in the screenshot below.
If you see, the password is using an encrypted text secret that nobody can see.
Finally, you will make sure to connect this with Harness Delegate.
You need to make sure that the connection between your Docker Hub and Delegate is successful.
This is how secrets are used and managed at Harness. You can also add and store SSH keys securely in Harness.
Sign up for our free plan, start building and deploying with Harness, take your software delivery to the next level.
Learn intelligent software delivery at your own pace. Step-by-step tutorials, videos, and reference docs to help you deliver customer happiness.
.svg){kind=small}
Learn intelligent software delivery at your own pace. Step-by-step tutorials, videos, and reference docs to help you deliver customer happiness.
Enjoyed reading this blog post or have questions or feedback?
Share your thoughts by creating a new topic in the Harness community forum.
