
Buildkite plugin for secrets distribution using `summon`


angaza/summon-buildkite-plugin


Summon Buildkite Plugin

summon is a tool for fetching secrets from secure storage; this plugin makes it easy to use in Buildkite jobs.

Some reasons you might care:

  • Maybe you're still hardcoding secrets in your Buildkite pipeline settings? If so, that is bad and you should stop. This plugin helps you stop.
  • You can immediately leverage any of the existing summon secrets providers, so you have flexibility in what secure storage you use.
  • By installing different default providers on different machines, you can fetch secrets appropriately in different locations without changing configuration, e.g., pulling from a local keyring in development but from AWS SM in CI.

Examples

Here's a simple pipeline configuration:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml

The secrets fetched by summon are exported as environment variables to the rest of the step, including subsequent plugins. To use with the Docker Compose plugin, for example:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
      - docker-compose#v2.6.0:
          config: path/to/docker-compose.yml
          run: service-name

Most summon options are supported:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
          provider: summon-s3
          environment: production
          substitutions:
            - REGION=us-east-1

The plugin runs during the post-checkout hook, the earliest point at which the repo is available, since you will typically (but are not required to) reference a checked-in secrets.yml file.
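As an added illustration (not the plugin's own hook code), the sketch below shows how a post-checkout hook could turn the settings above into a `summon` command line and export the fetched values without `eval`. It assumes Buildkite's convention of exposing plugin settings as `BUILDKITE_PLUGIN_SUMMON_*` variables and summon's `KEY=VALUE` output via `@SUMMONENVFILE`; the function names are hypothetical.

```shell
#!/bin/sh
# Added sketch, not the plugin's hook. Assumes plugin settings arrive as
# BUILDKITE_PLUGIN_SUMMON_* variables (list items suffixed _0, _1, ...).

# Print the summon arguments implied by the plugin settings, one per line.
summon_args() {
  if [ -n "${BUILDKITE_PLUGIN_SUMMON_SECRETS_FILE:-}" ]; then
    printf '%s\n' -f "$BUILDKITE_PLUGIN_SUMMON_SECRETS_FILE"
  fi
  if [ -n "${BUILDKITE_PLUGIN_SUMMON_PROVIDER:-}" ]; then
    printf '%s\n' -p "$BUILDKITE_PLUGIN_SUMMON_PROVIDER"
  fi
  if [ -n "${BUILDKITE_PLUGIN_SUMMON_ENVIRONMENT:-}" ]; then
    printf '%s\n' -e "$BUILDKITE_PLUGIN_SUMMON_ENVIRONMENT"
  fi
  i=0
  while sub=$(printenv "BUILDKITE_PLUGIN_SUMMON_SUBSTITUTIONS_$i"); do
    name=${sub%%=*}
    # Reject: no "=", empty name, leading digit, or non-identifier character.
    case "$name" in
      "$sub"|''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "rejecting substitution #$i: expected NAME=value" >&2
        return 1 ;;
    esac
    printf '%s\n' -D "$sub"
    i=$((i + 1))
  done
}

# Export KEY=VALUE lines (e.g. from `summon ... cat @SUMMONENVFILE`) read on
# stdin. No eval is used, so a secret's value is never parsed as shell code.
export_env_lines() {
  while IFS= read -r line || [ -n "$line" ]; do
    name=${line%%=*}
    case "$name" in
      "$line"|''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "skipping malformed line" >&2   # never echo the line itself
        continue ;;
    esac
    export "$name=${line#*=}"
  done
}
```

Feed `export_env_lines` from a here-document or redirection rather than a pipe, since a pipe runs it in a subshell and the exports are lost.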

Prerequisites

summon must already be installed in the environment where your agent runs, along with whatever provider(s) will be used.

Tests

You can run the tests for this plugin with:

docker-compose run --rm tests

License

MIT (see LICENSE)
