Hi. We successfully store secrets in ansible variables files with either ansible-vault or sops. It is a good approach when Ansible itself configures something that requires a secret, such as configuring a database admin password.

But I’d like to ask you about how you store secrets meant to be used by applications. Example: we have a an application in PHP with a config.php file with all credentials needed by the application. Developers have a config.php setup to work with the test environment, while we maintain a different config.php for production in production machines. Nowadays this config.php file is stored in ansible repository, encrypted by ansible-vault or sops. We thought about moving the config.php production file to the application repository, so we could get advantage of the CI/CD pipeline.

It doesn’t smell right, because it would require to encrypt it somehow, and store keys to decrypt it in CI/CD, but I decided to ask you anyway what do you think of that and how you solved it yourselves.

Thanks!

  • steph@lemmy.clueware.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Secrets don’t belong anywhere inside an application code. They’re related to the runtime environnement - 'cause you don’t use the same password for production and integration, right? - and should come from an external configuration source. That might be as simple as environment variables.

    Application deployment should never require modification of a file that resides inside the application itself. PHP and other interpreted languages has a tendancy to promote laziness when it comes to proper release management.

    And don’t start with “but it makes development complicated”: fix your onboarding and then tooling instead of putting the security of your users and customers at risk.