kubernetes - 在公共(public)存储库中保密 gitlab CI/CD 变量

Question

我在 Gitlab 上有一个私有(private)项目，其 CI/CD 设置为从 Google Container Registry 推送/拉取 docker 镜像，并将我的软件部署到 GCP 中的 Kubernetes Engine。

有没有办法让我的项目公开，而不必担心用于连接 GCP 的 secret 被泄露？特别是，我担心当我的存储库是公开的时，任何人都可以添加像 echo $GCP_REPOSITORY_SECRET 这样的行。某处.gitlab-ci.yml文件，推送他们的分支并查看 CI 的输出以“发现”我的 secret 。 Gitlab 有防止这种情况的机制吗？更根本的是，是否有最佳实践来为公共(public)存储库保密部署 secret ？

Answer 1

More fundamentally, are there best practices to keep deployment secrets secret for public repositories?

是的，其中没有任何敏感数据。曾经。
在 GCP 级别， secret management options are listed here .
将 GitLab-CI 连接到 GCP 时，您可以看到 security implication here , 它使用 kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 -D , 使用正确的帐户和 RBAC .

The whole cluster security is based on a model where developers are trusted, so only trusted users should be allowed to control your clusters.

请注意 GitLab 11.7 (2019 年 1 月)允许:

Configure Kubernetes app secrets as variables for Auto DevOps pipelines

Operators and administrators require that the configuration of secrets takes place outside the application’s repository to reduce risk and exposure of sensitive data.
To address this need, GitLab now offers the ability to configure secrets as environment variables that are made available to the Auto DevOps application running in your Kubernetes cluster.

Simply prepend your variable with K8S_SECRET_ and the relevant Auto DevOps CI pipeline will take your application secret variable to populate a Kubernetes secret.