External Secrets

Example YAML configuration for a project that needs secrets from an external store to be used within a step.

Scenario

A user wants to create a pipeline that integrates with a private Vault to inject secrets, which are then used to push a Docker image to a registry.

Tip: It is assumed you have already created the secret vault_token in the web interface or CLI.

The examples show a pipeline using repository secrets. Vela has three secret types: repository, organization, and shared. For examples of organization and shared secrets, see the secret concepts documentation.

Steps

The following pipeline concepts are being used in the pipeline below: steps and secrets, including an origin secret.

The following Vela plugins are being used in the pipeline below: target/vela-docker and target/secret-vault.

Tip: The pipeline must be stored in the base of the repository as .vela.yml or .vela.yaml.

It is recommended to pin image: versions for production pipelines.

```yaml
version: "1"

steps:
  - name: publish hello world
    image: target/vela-docker:latest
    pull: always
    # The registry credentials are provided by the origin secret below,
    # so the step must request them by name.
    secrets: [ docker_username, docker_password ]
    parameters:
      registry: index.docker.io
      repo: index.docker.io/vela/hello-world

secrets:
  # Note here how this pipeline uses an internal secret vault_token
  # in the origin secret below to get additional secrets from an
  # external service.
  - name: vault_token
    key: go-vela/vault_token
    engine: native
    type: org

  - origin:
      name: private vault
      image: target/secret-vault:latest
      pull: always
      secrets: [ vault_token ]
      parameters:
        addr: vault.example.com
        auth_method: token
        username: octocat
        items:
          - source: secret/docker
            path: docker
```

Stages

The following pipeline concepts are being used in the pipeline below: stages, steps and secrets, including an origin secret.

The following Vela plugins are being used in the pipeline below: target/vela-docker and target/secret-vault.

Tip: The pipeline must be stored in the base of the repository as .vela.yml or .vela.yaml.

It is recommended to pin image: versions for production pipelines.

```yaml
version: "1"

worker:
  runtime: docker

stages:
  docker:
    steps:
      - name: publish hello world
        image: target/vela-docker:latest
        pull: always
        secrets: [ docker_username, docker_password ]
        parameters:
          registry: index.docker.io
          repo: index.docker.io/vela/hello-world

secrets:
  - name: vault_token
    key: go-vela/vault_token
    engine: native
    type: org

  - origin:
      name: private vault
      image: target/secret-vault:latest
      pull: always
      secrets: [ vault_token ]
      parameters:
        addr: vault.example.com
        auth_method: token
        username: octocat
        items:
          - source: secret/docker
            path: docker
```
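As an added example (not part of the Vela documentation or project), a small pre-merge check that enforces the two points the tips and the pipelines above rely on: every image should be pinned to a version, and every secret a step or origin references must be declared under secrets: or be expected from the origin plugin. The pipeline is embedded as a Python dict mirroring the Stages pipeline so no YAML library is needed; the names the vault is expected to supply (docker_username, docker_password) are an assumption that the caller passes in, since the pipeline itself cannot declare them.

```python
# Constructed sample mirroring the Stages pipeline above; a dict is used so no YAML library is needed.
PIPELINE = {
    "version": "1",
    "stages": {"docker": {"steps": [{
        "name": "publish hello world",
        "image": "target/vela-docker:latest",
        "secrets": ["docker_username", "docker_password"],
    }]}},
    "secrets": [
        {"name": "vault_token", "key": "go-vela/vault_token", "engine": "native", "type": "org"},
        {"origin": {"name": "private vault", "image": "target/secret-vault:latest",
                    "secrets": ["vault_token"],
                    "parameters": {"items": [{"source": "secret/docker", "path": "docker"}]}}},
    ],
}

def all_steps(pipeline):
    """Yield every step, whether the pipeline uses top-level steps or stages."""
    yield from pipeline.get("steps", [])
    for stage in pipeline.get("stages", {}).values():
        yield from stage.get("steps", [])

def is_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may contain a port
    return ":" in last and last.split(":", 1)[1] != "latest"

def lint(pipeline, vault_provided=()):
    """Return findings; vault_provided names secrets the origin plugin is assumed to inject."""
    findings = []
    declared = {s["name"] for s in pipeline.get("secrets", []) if "name" in s}
    origins = [s["origin"] for s in pipeline.get("secrets", []) if "origin" in s]
    for o in origins:
        if not is_pinned(o["image"]):
            findings.append(f"origin '{o['name']}': image {o['image']} is not pinned")
        for ref in o.get("secrets", []):
            if ref not in declared:  # an origin can only use secrets the pipeline declares
                findings.append(f"origin '{o['name']}': secret '{ref}' is not declared")
    available = declared | (set(vault_provided) if origins else set())
    for step in all_steps(pipeline):
        if not is_pinned(step["image"]):
            findings.append(f"step '{step['name']}': image {step['image']} is not pinned")
        for ref in step.get("secrets", []):
            if ref not in available:
                findings.append(f"step '{step['name']}': secret '{ref}' is neither declared nor vault-provided")
    return findings
```

Running lint(PIPELINE, vault_provided=("docker_username", "docker_password")) on the sample reports only the two :latest images; omitting vault_provided additionally flags both registry credentials as undeclared.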