@@ -76,10 +76,9 @@ Here are some advices about your **secrets** (variables marked with a :lock:):
displayed in your job logs,
*[**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
you don't want everyone in the project to have access to (for instance production secrets).
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),
simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`).
* :warning: Secrets that can't be *masked* by GitLab (because of some special characters) **will be leaked** in the output of the `cf push` command.
* Don't forget to escape special characters (ex: `$` -> `$$`).
2. Manage them as a [User-provided service instance](https://docs.cloudfoundry.org/devguide/services/user-provided.html) with a `cf-pre-push.sh` hook and [bind the instance](https://docs.cloudfoundry.org/devguide/services/application-binding.html) to your app in the `manifest.yml`. Then, secrets will be available to your application in the [VCAP_SERVICES](https://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#VCAP-SERVICES) env variable.
### Environments configuration
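Review bot: The `@b64@` item ("it will then be possible to mask it and the template will automatically decode it prior to using it") and the warning that unmaskable secrets "**will be leaked** in the output of the `cf push` command" need to be reconciled in the text. GitLab masks the stored variable value, which for an `@b64@` secret is the encoded string, so the doc should state explicitly whether the decoded value is still exposed by `cf push` or not. The escape advice (`$` -> `$$`) also appears in this hunk both as item `3.` and as a `*` bullet; keep it in one place, and say that it applies to raw values only, since a Base64-encoded value contains no `$`.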
@@ -276,9 +275,8 @@ Deployment jobs support Cloud Foundry [variables replacement](https://docs.cloud
* or merged with file `cf-vars.yml` if present in your project **and no `cf-vars-$env.yml` file was found**.
:warning: your `cf-vars-$env.yml` or `cf-vars.yml` files **may** contain variable patterns such as `${MY_SECRET}`.
If so, those patterns will be evaluated (replaced) with actual environment values.
If so, those patterns will be evaluated (replaced) with actual environment values. Beware that those values can be leaked by the `cf push` output.
Multiline variables must be surrounded by **double quotes** (`"`).
This is a safe way of managing your application secrets.
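Review bot: The last line of this hunk, "This is a safe way of managing your application secrets.", contradicts the sentence a few lines above it that now ends "Beware that those values can be leaked by the `cf push` output." if both are present after the change; drop the "safe way" claim or qualify it. The new warning also stops at "beware" without telling the reader what to do: link it to the masking and `@b64@` guidance in the secrets section, or to the user-provided service option described there, so the reader has an alternative for values that must not appear in job logs.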