Concourse and Secret Management
This page was converted from my old blog and hasn't been reviewed. If you see an error please let me know in the comments.
One aspect of creating good CI/CD pipelines is the management of passwords and other credentials required for deployment.
A typical Concourse pipeline will poll for updates in a Git repo, do a build and then push the results to a PaaS such as Kubernetes or Cloud Foundry.
A Working Example.
For this example, we will use bucc. bucc is an all-in-one deployment of Bosh, UAA, Credhub, and Concourse. If you don't have access to a working Concourse/Credhub environment, this is an excellent place to start.
Adding a secret to Concourse.
Concourse will retrieve credentials from Credhub by looking them up based on their path.
/concourse/TEAM_NAME/PIPELINE_NAME/s3-password
/concourse/TEAM_NAME/s3-password
Global credentials for a team can be placed directly under the team name. Credentials for a specific pipeline can be organized under the team name/pipeline name.
-> credhub set -n /concourse/main/cf-password --type value --value foobar
id: 1fc1da07-4938-47d8-a7c4-1f442a61dc33
name: /concourse/main/cf-password
type: value
value: <redacted>
version_created_at: "2019-03-15T15:07:00Z"
Properties can be referenced in a pipeline using standard property replacement in Concourse.
---
jobs:
- name: job-hello-world
  public: true
  plan:
  - task: hello-world
    config:
      platform: linux
      image_resource:
        type: docker-image
        source: {repository: busybox}
      run:
        path: env
      params:
        CF_PASSWD: ((cf-password))
Running this job should reveal the password.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOME=/root
CF_PASSWD=foobar
USER=root
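To make the lookup order above concrete, here is an added Python model (not code from the original post, nor from Concourse or Credhub) of how a ((var)) reference is resolved: the pipeline-scoped path is tried first and shadows the team-scoped one, and the model also covers the ((name.field)) form used with structured credential types such as ssh. The Credhub contents and the pipeline fragment are constructed samples, and audit_pipeline is a hypothetical helper for checking references before a pipeline is set.

```python
import re
from typing import Optional

# Concourse var references look like ((name)) or ((name.field)); names may
# contain '-' and '_', as in ((cf-password)) and ((ssh.private_key)).
VAR_REF = re.compile(r"\(\(([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_-]+))?\)\)")

# Constructed stand-in for Credhub: {path: value}. Structured types such as
# ssh are dicts keyed by field name. All values here are placeholders.
CREDHUB = {
    "/concourse/main/cf-password": "foobar",
    "/concourse/main/hello/cf-password": "pipeline-scoped-value",
    "/concourse/main/ssh": {"public_key": "ssh-rsa AAAAEXAMPLE",
                            "private_key": "-----BEGIN EXAMPLE KEY-----"},
}

# Constructed pipeline fragment; only its ((...)) references matter here.
PIPELINE_YAML = """
params:
  CF_PASSWD: ((cf-password))
  SSH_KEY: ((ssh.private_key))
  S3_PASSWD: ((s3-password))
"""

def lookup_paths(team: str, var: str, pipeline: Optional[str] = None) -> list:
    """Paths Concourse asks Credhub for, most specific first:
    /concourse/TEAM/PIPELINE/var shadows /concourse/TEAM/var."""
    paths = [f"/concourse/{team}/{pipeline}/{var}"] if pipeline else []
    return paths + [f"/concourse/{team}/{var}"]

def resolve_ref(store: dict, team: str, pipeline: str, ref: str):
    """Value (or field) a single ((...)) reference resolves to, or None if no
    path in the lookup order holds it or the requested field is absent."""
    m = VAR_REF.fullmatch(ref)
    if not m:
        raise ValueError(f"not a var reference: {ref}")
    name, field = m.groups()
    for path in lookup_paths(team, name, pipeline):
        if path in store:
            value = store[path]
            if field is None:
                return value
            return value.get(field) if isinstance(value, dict) else None
    return None

def audit_pipeline(yaml_text: str, store: dict, team: str, pipeline: str) -> dict:
    """Map each ((...)) reference in a pipeline to whether it resolves. Reports
    names only, never secret values, so it is safe to log before fly set-pipeline."""
    return {m.group(0): resolve_ref(store, team, pipeline, m.group(0)) is not None
            for m in VAR_REF.finditer(yaml_text)}
```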
Using other Secret types.
Credhub can store other types of secrets besides just key-value pairs. Examples include SSH keys, JSON structures, and certificates. A complete list of types is available here.
An SSH key contains two parts, public_key and private_key. It can be imported as follows.
credhub set --type ssh --name /concourse/main/ssh -p '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwGwcKp6LJqCmwz63HKGjhDhrsHJbn/bnWnvSE0oqPCic/LnA\ncY0qlvs4DbV+a7fYRDpvYfVAGQj277CkCnoEWKc6meiH+1PHcLJdOhKWSHNSkZrA\ntQ1Wb6MsVpXejpo4YzIiyLzaW4sXmz0bhxdkPWLRQAKr34fKJ27rOIJXDFTR1Bt8\nzz0As0R72R11o2GcnVjarR/3TAK+/ADkzAPrMMz9o+1J1wZD2YNBANs1dPh/IxZZ\nwWfqwc7JXCYKVFB+Xt7UpAam5UYt8gQ0lJnnNU5+TUhaUU5LenwNANmG4tLUHzqy\nYkUtSPhJ/BbNjYlKUnsN72ystrqPkmDPDP6g+wIDAQABAoIBAHwONyqTBItmz5zY\n9h0TaOR5q5QaZk//UrDXW1zsV8ZpOK0G5LdQl8C3PjA4bsTrxhZWxjCVeTmquelW\nLKxEdkDhr7pCXEkAfnh9xfUGvrT/BKCy8MLJUoyu2osIHHA7pVbun9ZjSzPxvMps\n3y59OjcJWna2QjDezsoVjLjl71EWz3Bk42gwZ3b4bBGlAgSgssL78E5xU9sYLGQP\ntKDsfU4OOB2VSdDsqpOiYyc5246GG8bbSmxbkmtWqL42iUvlnQptNanHAjphPWC+\nIFakDW8pugjFoGOpDW6jnzZEqEywFtmvpXd6jLeBKjBc6vtPODWbNN0fARdwo/An\noRPl6sECgYEA64eLHT3RMlMRxfjEKk3mQe8+qAVU5L92rzWgR9qgvANNlb4RFONU\nuwOzG9Tkv/vtWcR70LQY5KN2hJixCs1DyJgfPWIzrR6iPhc6aN4r48SjygDhFlPw\no6+qBpliHSNKSUao0u3+Bdk2LcYfqfXU+qjGKCXpl+t09W+/M2W3r0kCgYEA0SVy\nIOmjvm69dvj9ZSi6AbzSOP2gKWBXYG3qxpNlLq121mnEBf6JNagyKTvITCxT9bd0\n8DNYrVN8nxWF3nrROvmCGtBTNLVW5MRZYoBh0o/Qh1nCXCUODy7Vhyf4WtXNsGyu\nq3lqcJdZA791gdGpk+e6miuYFH0HcRNRKa0yWiMCgYBgvS1wd0GDcAcuzzyTO6fF\nkSSlEnuJ8PIoiNgqayv1zU2CoayWbcERhzV7yvehuzID2uYYFMDcuB8n2ydsjl62\n93RtW/Zpttlgs120UPyp8sxrXe0VpKiEMtSdHUblPOd4LWOOL15UvKC6MFQ1FNnD\nkqrBNsE5OuaxIJLh43eMsQKBgCCkvJSAgws1E6NfJ4XDfozI4PL+OyJaJCkr3soR\ntWg8sOC0b2EUImxajUG8T/37qTsf4EOhcATVlAzsehGIj+GpkfIHdAU1DJP2RZFH\nQn1v7vdBPkHNks0x3SgUSAI9frY7sGOZNtDN/pnEJ14U0GgCcjCf/0OrZB71CeT8\nYHCLAoGBAKY+kEMkX3drGj4BtCtJgt6nv3KZ/j7GJTl8M+brhBjH0fCtuZJgg7sP\nhukUE4Yb/qd1zLnFmUfepikow2qKhVzzdOhsdIR44BagqJzAS2jEkV/0m5PEABr3\nhfIpaY7w/RZ4Uid/5qGrJSWQnh00c+VqvVSCbfqnIeM4lwp9+slY\n-----END RSA PRIVATE KEY-----\n' -u 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDAbBwqnosmoKbDPrccoaOEOGuwcluf9udae9ITSio8KJz8ucBxjSqW+zgNtX5rt9hEOm9h9UAZCPbvsKQKegRYpzqZ6If7U8dwsl06EpZIc1KRmsC1DVZvoyxWld6OmjhjMiLIvNpbixebPRuHF2Q9YtFAAqvfh8onbus4glcMVNHUG3zPPQCzRHvZHXWjYZydWNqtH/dMAr78AOTMA+swzP2j7UnXBkPZg0EA2zV0+H8jFlnBZ+rBzslcJgpUUH5e3tSkBqblRi3yBDSUmec1Tn5NSFpRTkt6fA0A2Ybi0tQfOrJiRS1I+En8Fs2NiUpSew3vbKy2uo+SYM8M/qD7'
You can now access the SSH key in your script.
---
jobs:
- name: job-hello-world
  public: true
  plan:
  - task: hello-world
    config:
      platform: linux
      image_resource:
        type: docker-image
        source: {repository: busybox}
      run:
        path: env
      params:
        CAT_NAME: ((ssh.private_key))
- You must flatten the key to a single line before importing it, for example with awk, which drops empty lines, strips carriage returns and joins the rest with literal "\n" sequences.
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' key.txt
Alternatively, you can pass a file containing the key to import.
Using SSH keys
A typical use case in Concourse is polling Git for updated commits.
---
resources:
- name: my-project-resource
  type: git
  source:
    uri: git@github.com:concourse/git-resource.git
    branch: master
    private_key: ((ssh.private_key))

jobs:
- name: my-project-resource
  public: true
  plan:
  - get: my-project-resource
    trigger: true
Generating Secrets
In addition to storing secrets, Credhub can be used to generate them.
- Generate a new SSH key pair
credhub generate -t ssh --name /concourse/main/testssh
- Retrieve the public key
credhub get --name /concourse/main/testssh --output-json | jq .value.public_key