Auto-sync: update nexus workspace
110
wiki/concepts/CI-CD-Secrets.md
Normal file
@@ -0,0 +1,110 @@
---
title: "CI/CD-Secrets"
type: concept
tags:
- CI/CD
- Security
- DevOps
- Cloud
---

## Definition

CI/CD Secrets 是指在持续集成/持续部署(CI/CD)流水线中管理敏感信息(密码、API Key、证书、私钥等)的最佳实践。传统 CI/CD 流程中这些 secrets 通常以明文形式硬编码在配置文件、环境变量或脚本中,造成严重的安全风险。

## Security Problems with Plain-Text Secrets

1. **代码仓库泄露**:Secrets 可能意外提交到 Git 等版本控制系统
2. **日志暴露**:Secrets 在构建日志中可见
3. **网络传输**:Secrets 在流水线各阶段间传输时可能被截获
4. **审计缺失**:无法追踪谁在何时访问了哪些凭据
5. **轮换困难**:硬编码的 Secrets 难以定期轮换

## Best Practices for CI/CD Secrets Management

### 1. Centralized Secrets Management

将所有 Secrets 集中存储在专用服务中:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- GCP Secret Manager

### 2. Dynamic Credentials

使用动态临时凭证替代静态密钥:
```yaml
# ❌ 危险:静态密钥
environment:
DB_PASSWORD: "static_password_123"

# ✅ 推荐:动态获取
environment:
DB_PASSWORD:
from_secret: aws:database-password
```

### 3. Pipeline Integration Pattern

```
┌─────────────┐ Request ┌─────────────────┐
│ CI/CD │ ──────────────→│ Secrets │
│ Pipeline │ │ Manager │
└─────────────┘←────────────── └─────────────────┘
Dynamic Secret
```

### 4. GitOps with Secrets

使用 Sealed Secrets、Vault Agent 或 cloud-native solutions 实现 Git 安全存储:
- **Sealed Secrets**:将 secrets 加密后存储在 Git 中
- **External Secrets Operator**:Kubernetes 原生 secrets 管理
- **AWS Secrets Manager + SSM**:AWS 原生解决方案

## AWS Implementation Example

```python
# Lambda function for secrets retrieval in CI/CD
import boto3
import os

def get_db_credentials():
client = boto3.client('secretsmanager')
response = client.get_secret_value(
SecretId='prod/database/credentials'
)
return json.loads(response['SecretString'])
```

## Security Controls

1. **最小权限**:CI/CD 服务账号仅授予必要的 secrets 读取权限
2. **网络隔离**:Secrets 服务在私有网络中,不暴露给公网
3. **审计日志**:记录所有 secrets 访问操作
4. **自动轮换**:Secrets 定期自动轮换,无需人工干预
5. **临时凭证**:使用 STS 临时凭证替代长期密钥

## Related Concepts

- [[SecretsManagement]]:敏感信息管理的整体框架
- [[SecretRotation]]:密钥轮换机制
- [[GitOps]]:基础设施即代码的 Git 工作流
- [[Infrastructure-as-Code]]:基础设施即代码

## Related Entities

- [[AWS]]:AWS Secrets Manager 提供方
- [[HashiCorp]]:HashiCorp Vault 提供方
- [[ControlTower]]:AWS 多账户治理框架

## Sources

- [[ctp-topic-37-secrets-certificates-management]] — CI/CD secrets cleanup implementation phase
- [[ctp-topic-62-aws-secrets-manager]] — JDBC Wrapper + CI/CD integration details

## Aliases

- Pipeline Secrets
- Build Secrets
- Deployment Credentials
- GitOps Secrets
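Review bot: the Python block under `## AWS Implementation Example` calls `json.loads(response['SecretString'])` without ever importing `json`, so `get_db_credentials()` raises `NameError` on its first call; add `import json` next to `import boto3` and drop the unused `import os`. In the same hunk, the ✅ branch of the `### 2. Dynamic Credentials` YAML still points at a single long-lived `database-password` kept in the store, which is the centralized storage described in section 1 rather than a dynamic credential, so either reword the `# ✅ 推荐:动态获取` comment or show a short-lived credential such as the STS option listed as item 5 under `## Security Controls`; the `from_secret:` key is also not tied to any named pipeline tool on the page, so say which CI system (or that it is pseudo-syntax) it represents. Finally, `## Security Problems` item 2 names log exposure, but `## Security Controls` lists no corresponding control for masking secrets in build output.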