Announcing Native Support for Kubernetes Secrets in Codefresh Pipelines

Secret management has been one of the most challenging areas when it comes to application deployments. Especially in the era of containers and dynamic services that come and go all the time, secret storage and rotation are more important than ever.

Today we are releasing our brand-new secret management integration, which lets you use Kubernetes secrets and configmaps directly in Codefresh pipelines in the easiest way possible.

First, you need to choose which secret you want to make available to Codefresh, via our secret storage integration.

With the new integration, you can retrieve secrets from your existing clusters that are already connected to Codefresh via the standard Kubernetes integration methods.

To use a secret in a pipeline just mention it by name using the following syntax:

That’s it!

You can now pass the secret to the pipeline and use it for performing integration tests, accessing a database, calling an external service, etc.

Up until now, if you wanted to use secrets in Codefresh pipelines, as a customer you had to adopt one of the following approaches:

Each approach has advantages and disadvantages. Using a dedicated secret solution is usually a strict requirement for security-sensitive organizations, but maintaining the secret solution requires a lot of effort and not all companies want to invest in such heavyweight solutions.

Using the shared configuration capabilities of Codefresh is an easy way to handle secrets, but places the storage backend on Codefresh itself, and not all organizations want to have secrets in the same place as their CI/CD solution.

Realizing that we needed an alternative solution between those two extremes, we understood that it is best to offer our customers the ability to use the native secret support of a Kubernetes cluster.

This approach has three major advantages:

It is also important to understand that because Codefresh is accessing a Kubernetes cluster via standard service accounts, it is very easy to isolate secrets between your CI/CD platform and other actors. You don’t have to trust Codefresh with secrets anymore if you prefer to restrict cluster access with specific roles and namespaces.
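A sketch of the role-and-namespace isolation described above, as an added example rather than Codefresh's own configuration. The namespace, service account and object names are hypothetical, and the verbs the integration actually needs are not stated on this page, so treat `get` as an assumption to verify.

```yaml
# Added example. All names (ci-secrets, codefresh-reader, db-credentials,
# integration-test-config) are hypothetical placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: ci-secrets              # holds only objects meant for pipelines
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: codefresh-reader        # the account the CI platform connects with
  namespace: ci-secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced Role, not a ClusterRole
metadata:
  name: read-pipeline-secrets
  namespace: ci-secrets
rules:
  # resourceNames pins access to named objects. Only "get" is granted:
  # "list" and "watch" are not reliably restricted by resourceNames and
  # would expose every secret in the namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["integration-test-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codefresh-reader-binding
  namespace: ci-secrets
subjects:
  - kind: ServiceAccount
    name: codefresh-reader
    namespace: ci-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-pipeline-secrets
```

To confirm the boundary holds, run `kubectl auth can-i get secret/db-credentials -n ci-secrets --as=system:serviceaccount:ci-secrets:codefresh-reader` and repeat it against a secret in another namespace, which should return `no`.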

As an alternative way to store secrets, we also offer the capability to use your own clusters (runtime environments) for secret storage in a much more friendly manner.

In this case, Codefresh does not even have access to the Kubernetes cluster itself, which makes this approach even more secure (the Codefresh runner only has outgoing network access to the Codefresh UI).

This means that you are free to store secrets:

We believe that this flexibility lets organizations decide for themselves how they want to manage their secrets, instead of having a specific way of storage imposed on them.

Secret Storage for Kubernetes clusters is rolled out to all Codefresh Enterprise accounts. If it is not enabled in your account yet, please contact us.
