All Day DevOps 2017 materials


This setup was originally done for All Day DevOps 2017 by @3jmaster

Remove Developers’ Shameful Secrets



Follow Along All-In-One-Local-Machine CICD Pipeline

Notes / Pre-Requisites for Running Demo Scripts:

  1. Scripts were written on a macOS machine; please modify them as needed for your environment

  2. Ability to run vault, docker and npm on your local machine

  3. Basic general knowledge of Docker, HashiCorp Vault, GitLab, GitHub, MongoDB, CICD, bash, etc…

Steps for Local Machine:

  1. Run the bash scripts in the ./code/vault folder in numeric order (more instructions here)

  2. Manage secrets from the Vault-UI (http://localhost:80) in your browser or from your CLI (vault write …)

  3. Run the bash script in ./code/my-demo-app/ to build the image locally

  4. Run the bash script in ./code/my-demo-app/ to run the image locally

  5. View the web app on your browser: http://localhost:3000

  6. Cheers!

  ~  ~
  ( o )o)
  ( o )o )o)
  (o( ~~~~~~~~o
  ( )' ~~~~~~~'
  ( )|)       |-.
  o|     _  |-. \
  o| |_||_) |  \ \
  | | ||_) |   | |
  o|        |  / /
  |        |." "
  |        |- '
  .========.   mb

Steps for Live Environment:

  1. My Demo App @

    • Mark your presence! Submit your name and a quote! :)
  2. Vault @

    • Try it using the low-risk, read-only credentials: user fabian, password fabian15awesome

    • This user has permission to read secret/example/test and secret/example/mongodb-read

  3. Merging any changes into the master branch deploys them to the live environment

Likely Benefits of using a Secret Management Service

  1. Secrets are managed centrally

  2. Secrets can be rotated easily

  3. Compromised secrets can be revoked and rotated easily

  4. Lowers the risk of exposing valid secrets, because secrets can be revoked and rotated immediately when:

    • developers lose a machine that contains secrets

    • secrets are accidentally checked into a source code repository

  5. The secret management server issues secrets only to authorized developers, through user policies and management

  6. Authorized developers can retrieve the latest secrets through API calls instead of asking fellow developers

  7. Audit log of the retrieval of secrets

  8. One-time unwrap feature can ensure tokens are read once (HashiCorp Vault)
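As an added example (not code from the talk's repository), this shows how the demo app could consume a single-use wrapping token handed over by the pipeline and then read secret/example/mongodb-read over the Vault HTTP API, with the second unwrap of the same token failing. The field names inside the secret, the token values and the FakeVault stand-in are assumptions so that it runs offline; against a real server pass the default urllib opener.

```python
import io
import json
import urllib.request
from urllib.error import HTTPError

def build_mongo_uri(secret):
    """Turn the KV payload into a MongoDB URI; refuse to start on a partial secret."""
    missing = [k for k in ("username", "password", "host", "database") if k not in secret]  # assumed keys
    if missing:
        raise ValueError("secret is missing fields: " + ", ".join(missing))
    return "mongodb://%(username)s:%(password)s@%(host)s/%(database)s" % secret

def vault_request(addr, token, method, path, opener=urllib.request.urlopen):
    """One Vault HTTP API call; `opener` is injectable so the flow can run offline."""
    req = urllib.request.Request(addr.rstrip("/") + "/v1/" + path, method=method)
    req.add_header("X-Vault-Token", token)
    with opener(req) as resp:
        return json.loads(resp.read().decode())

def unwrap_once(addr, wrap_token, opener=urllib.request.urlopen):
    """Exchange a single-use wrapping token for the payload it protects.
    Vault rejects a second unwrap, so a failure here means the secret was
    already consumed (or expired): the pipeline should alert, not retry."""
    try:
        return vault_request(addr, wrap_token, "POST", "sys/wrapping/unwrap", opener)["data"]
    except HTTPError as err:
        raise RuntimeError("wrapping token already used or expired (HTTP %d)" % err.code)

def fetch_mongo_uri(addr, token, opener=urllib.request.urlopen):
    """Read secret/example/mongodb-read (KV v1 shape: {"data": {...}}) with the unwrapped token."""
    body = vault_request(addr, token, "GET", "secret/example/mongodb-read", opener)
    return build_mongo_uri(body["data"])

class FakeVault:
    """Constructed offline stand-in for a Vault server: one wrapping token, honoured once."""
    def __init__(self):
        self.wrap_used = False

    def __call__(self, req):
        token = req.get_header("X-vault-token")  # urllib stores header names in this form
        if req.selector.endswith("/v1/sys/wrapping/unwrap"):
            if token != "wrap-demo" or self.wrap_used:
                raise HTTPError(req.full_url, 400, "wrapping token is not valid", {}, None)
            self.wrap_used = True
            return io.BytesIO(b'{"data": {"token": "s.app-token"}}')
        if req.selector.endswith("/v1/secret/example/mongodb-read") and token == "s.app-token":
            return io.BytesIO(b'{"data": {"username": "app", "password": "pw", '
                              b'"host": "mongo:27017", "database": "demo"}}')
        raise HTTPError(req.full_url, 403, "permission denied", {}, None)
```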