Secrets
Secrets in Orkestra rely on Kubernetes Secrets. As this is already implemented, we thought there was no need to add an Orkestra-specific implementation.
Secrets as Environment Variables
On Kubernetes we most commonly use secrets as environment variables.
First we need to create the secret on Kubernetes, then pass the secret to the container. Both steps are well explained in the documentation of Kubernetes Secrets.
Then we can access the secret safely with the Secrets utility object, which will make sure the secrets are not saved in the logs:
import tech.orkestra.utils.Secrets
val slackToken = Secrets.get("SLACK_TOKEN").getOrElse("not set")
println(s"Look at my secret Slack token: $slackToken!")
This will print Look at my secret Slack token: **********! in the logs.
Attention: Do not use the Scala sys.env.get() or the Java System.getenv(), as these will not prevent the secret from being logged.
Secrets as Files
You might want to use, for example, an SSH key file as a Secret. We usually mount the secret in a file under /opt/docker/secrets/ssh and then access it via this path:
sh(s"ansible-playbook some-playbook.yml --private-key /opt/docker/secrets/ssh")
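The Kubernetes side of both sections above (SLACK_TOKEN as an environment variable and the SSH key mounted at /opt/docker/secrets/ssh), as an added example that is not part of the Orkestra documentation. It assumes Orkestra runs from a Deployment; the Secret name, Deployment name, labels, key names and image are hypothetical placeholders.

```yaml
# Constructed example: every name and value below is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: orkestra-secrets            # hypothetical Secret name
type: Opaque
stringData:
  slack-token: "<slack-token>"      # placeholder, never commit a real value
  # Placeholder for the SSH private key in PEM form:
  ssh: |
    <private-key-pem>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orkestra                    # hypothetical Deployment name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orkestra
  template:
    metadata:
      labels:
        app: orkestra
    spec:
      containers:
        - name: orkestra
          image: "<your-orkestra-image>"     # placeholder
          env:
            - name: SLACK_TOKEN              # read in Scala with Secrets.get("SLACK_TOKEN")
              valueFrom:
                secretKeyRef:
                  name: orkestra-secrets
                  key: slack-token
          volumeMounts:
            - name: secrets
              mountPath: /opt/docker/secrets # key "ssh" appears as /opt/docker/secrets/ssh
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: orkestra-secrets
            defaultMode: 0400                # owner read-only; adjust if the container user differs
            items:                           # project only the SSH key, so the token is not written to disk
              - key: ssh
                path: ssh
```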