---
title: "CI/CD-Secrets"
type: concept
tags:
  - CI/CD
  - Security
  - DevOps
  - Cloud
---

## Definition

CI/CD Secrets refers to the best practices for managing sensitive information (passwords, API keys, certificates, private keys, and so on) in continuous integration / continuous deployment (CI/CD) pipelines. In traditional CI/CD workflows these secrets are usually hard-coded in plain text in configuration files, environment variables, or scripts, which creates serious security risk.

## Security Problems with Plain-Text Secrets

1. **Repository leakage**: secrets can be committed by accident to a version control system such as Git
2. **Log exposure**: secrets are visible in build logs
3. **Network transit**: secrets can be intercepted while being passed between pipeline stages
4. **Missing audit trail**: there is no way to trace who accessed which credentials and when
5. **Rotation difficulty**: hard-coded secrets are hard to rotate on a regular schedule

## Best Practices for CI/CD Secrets Management

### 1. Centralized Secrets Management

Store all secrets in a single dedicated service:

- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- GCP Secret Manager

### 2. Dynamic Credentials

Use dynamic, short-lived credentials instead of static keys:

```yaml
# ❌ Dangerous: static secret in the config file
environment:
  DB_PASSWORD: "static_password_123"

# ✅ Recommended: fetched dynamically from the secrets manager
environment:
  DB_PASSWORD:
    from_secret: aws:database-password
```

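As an added example (not code from the original note), the resolver below shows how a pipeline runner could honor the `from_secret: aws:...` convention above: it rejects literal values for password-like variables, fetches referenced secrets from a provider (AWS Secrets Manager via boto3, or an in-memory stand-in for testing), and redacts the resolved values from build log lines, which addresses the log-exposure problem listed earlier. The names `resolve_environment`, `Redactor`, `aws_fetch` and the `SENSITIVE_NAME` pattern are this example's own assumptions.

```python
"""Resolve `from_secret:` references in a CI job's environment and redact the
resolved values from build output. Added example; not the page's own code."""
import re
from typing import Callable, Dict, List, Mapping, Tuple

# Reference syntax from the YAML above: "<provider>:<secret name>", e.g. aws:database-password
SECRET_REF = re.compile(r"^(?P<provider>[a-z]+):(?P<name>[\w/.-]+)$")
SENSITIVE_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)

def aws_fetch(name: str) -> str:
    """Provider for 'aws:' references: AWS Secrets Manager via boto3 (needs credentials)."""
    import boto3  # imported lazily so the resolver itself runs without boto3 installed
    return boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]

def resolve_environment(env: Mapping[str, object], fetchers: Mapping[str, Callable[[str], str]]
                        ) -> Tuple[Dict[str, str], List[str]]:
    """Return (resolved env, values that must never appear in logs).
    A literal like DB_PASSWORD: "static_password_123" is rejected: names that look
    sensitive must come from a secrets provider, never from the config file."""
    resolved: Dict[str, str] = {}
    sensitive: List[str] = []
    for var, spec in env.items():
        if isinstance(spec, dict) and "from_secret" in spec:
            m = SECRET_REF.match(str(spec["from_secret"]))
            if not m or m["provider"] not in fetchers:
                raise ValueError(f"{var}: unsupported secret reference {spec['from_secret']!r}")
            resolved[var] = fetchers[m["provider"]](m["name"])
            sensitive.append(resolved[var])
        elif isinstance(spec, str) and not SENSITIVE_NAME.search(var):
            resolved[var] = spec
        else:
            raise ValueError(f"{var}: sensitive values must use from_secret, not a literal")
    return resolved, sensitive

class Redactor:
    """Replaces every resolved secret value with *** before a line reaches the build log."""
    def __init__(self, values: List[str]):
        # longest value first, so a secret that contains another is masked as a whole
        self._values = sorted({v for v in values if v}, key=len, reverse=True)

    def __call__(self, line: str) -> str:
        for v in self._values:
            line = line.replace(v, "***")
        return line

if __name__ == "__main__":
    store = {"database-password": "s3cr3t-pw"}  # constructed stand-in for Secrets Manager
    env, secrets = resolve_environment(
        {"DB_PASSWORD": {"from_secret": "aws:database-password"}, "DB_HOST": "db.internal"},
        {"aws": store.__getitem__})
    print(Redactor(secrets)("connecting with s3cr3t-pw to db.internal"))  # password shows as ***
```

In a real runner the `Redactor` would wrap the job's stdout/stderr writer so that every emitted line passes through it.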
### 3. Pipeline Integration Pattern

```
┌─────────────┐     Request     ┌─────────────────┐
│   CI/CD     │ ──────────────→ │    Secrets      │
│  Pipeline   │                 │    Manager      │
└─────────────┘ ←────────────── └─────────────────┘
                 Dynamic Secret
```

### 4. GitOps with Secrets

Use Sealed Secrets, Vault Agent, or cloud-native solutions so that secrets can be managed safely through Git:

- **Sealed Secrets**: secrets are encrypted before being stored in Git
- **External Secrets Operator**: Kubernetes-native secrets management
- **AWS Secrets Manager + SSM**: AWS-native solution

## AWS Implementation Example

```python
# Lambda function for secrets retrieval in CI/CD
import json

import boto3


def get_db_credentials():
    """Fetch the production database credentials from AWS Secrets Manager."""
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(
        SecretId='prod/database/credentials'
    )
    # The secret is stored as a JSON string; parse it into a dict
    return json.loads(response['SecretString'])
```

## Security Controls

1. **Least privilege**: the CI/CD service account is granted read access only to the secrets it actually needs
2. **Network isolation**: the secrets service lives in a private network and is not exposed to the public internet
3. **Audit logging**: every secrets access operation is recorded
4. **Automatic rotation**: secrets are rotated automatically on a schedule, with no manual intervention
5. **Temporary credentials**: use STS temporary credentials instead of long-lived keys

## Related Concepts

- [[SecretsManagement]]: the overall framework for managing sensitive information
- [[SecretRotation]]: key rotation mechanism
- [[GitOps]]: Git workflow for infrastructure as code
- [[Infrastructure-as-Code]]: infrastructure as code

## Related Entities

- [[AWS]]: provider of AWS Secrets Manager
- [[HashiCorp]]: provider of HashiCorp Vault
- [[ControlTower]]: AWS multi-account governance framework

## Sources

- [[ctp-topic-37-secrets-certificates-management]] — CI/CD secrets cleanup implementation phase
- [[ctp-topic-62-aws-secrets-manager]] — JDBC Wrapper + CI/CD integration details

## Aliases

- Pipeline Secrets
- Build Secrets
- Deployment Credentials
- GitOps Secrets