Secrets Management
In order to securely expose secrets to a Runway workload, you must place the secrets into the GitLab Vault installation in a specific format. The Runway deployment tooling/pipeline will then automatically make those secrets available as environment variables to the containers in your environement.
For configuration best practices, refer to guide.
Constraints
Secrets cannot use the same name as environment variables, otherwise an overlap error will be raised.
Setup
Right now, prerequisite for secrets management is access to Vault. Follow these steps:
When complete, service owners will only be granted access to secrets for their services.
Recommendation: Step 1 can take ~2 weeks for IT due to change management, so start the process as soon as you anticipate the need for secrets management.
We are tracking improvements to this in an Okta issue and a general issue - Please leave any feedback you have on this setup there.
Adding a secret to a Runway container in an Environment
-
Log into Vault. If you do not have access to Vault, follow the instructions here. The path you wish to have access to in vault is
runway/env/$environment/service/$runway_service_id
. The$runway_service_id
is determined in step 1. -
Once logged into Vault, navigate to
runway/env/$environment/service/$runway_service_id
where$environment
is the environment you wish to add the secret to (eitherstaging
orproduction
) and$runway_service_id
is the value you have determined above. A service without any secrets will have a single empty secret called.placeholder
. -
Click on the
Create secret
button. AtPath for this secret
append the name you wish to use for the secret. Note that the name is also what will be used as the environment variable key inside the container. The name needs to be in upper case and have letters/numbers/underscores only. UnderSecret data
put the wordvalue
on the left as the key, and then the contents of the secret you wish to add in the field next to it. ClickSave
. -
Run a normal Runway deployment and your secret will now be exposed to the container.
Rotating a secret
-
Log into Vault and go to the secret path for the environment/runway service you are interested in. Then click on the existing secret you wish to change.
-
Click on
Create new version
in the top right. You will see the contents of the secret (value
and the masked secret value). Change the masked contents to the new data you wish to have for the secret, then clickSave
-
Run a normal Runway deployment and the new contents of your secret will now be exposed to the container
Removing a secret
-
Log into Vault and go to the secret path for the environment/runway service you are interested in.
-
Click on the
...
on the right next to the secret, and choosePermanently delete
-
Run a normal Runway deployment and the secret will no longer be exposed to the container