Buildkite plugin for secrets distribution using `summon`
Latest commit 212589e Feb 17, 2019

Summon Buildkite Plugin

summon is a tool for fetching secrets from secure storage; this plugin makes it easy to use in Buildkite jobs.

Some reasons you might care:

  • Maybe you're still hardcoding secrets in your Buildkite pipeline settings? If so, that is bad and you should stop. This plugin helps you stop.
  • You can immediately leverage any of the existing summon secrets providers, so you have flexibility in what secure storage you use.
  • By installing different default providers on different machines, you can fetch secrets appropriately in different locations without changing configuration, e.g., pulling from a local keyring in development but from AWS Secrets Manager in CI.

Examples

Here's a simple pipeline configuration:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml

The secrets fetched by summon are exported as environment variables to the rest of the step, including subsequent plugins. To use with the Docker Compose plugin, for example:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
      - docker-compose#v2.6.0:
          config: path/to/docker-compose.yml
          run: service-name

Most summon options are supported:

steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
          provider: summon-s3
          environment: production
          substitutions:
            - REGION=us-east-1

The plugin runs during the post-checkout hook, the earliest point at which the repo is available, since you will typically (but are not required to) reference a checked-in secrets.yml file.
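To make concrete what the checked-in secrets.yml, the `environment` and the `substitutions` parameters do once summon runs, here is an added example that models the resolution in Python. It is not code from summon or from this plugin: it handles a subset of the secrets.yml format following summon's conventions (`NAME: literal`, `!var <id>` fetched from the provider, `!file <id>` fetched and written to a temp file whose path is exported, `common:` merged with the selected environment section, `$NAME` in ids replaced by `-D NAME=value`), and the provider is a constructed in-memory dictionary standing in for a provider executable. The sample file and secret values are constructed.

```python
"""Added example, not summon's or the plugin's code: resolve a secrets.yml
into the environment variables the step would receive.

Assumptions (labelled): summon-style conventions for !var, !file, common/
environment sections and $NAME substitutions; an in-memory dict plays the
provider, which summon would invoke with the secret id as its argument.
"""
import os
import re
import tempfile
from typing import Callable, Dict, Iterable, Optional

# Constructed sample secrets file with environment sections.
SAMPLE_SECRETS_YML = """\
common:
  DB_USER: svc-buildkite
  DB_PASSWORD: !var $REGION/db/password
production:
  API_TOKEN: !var $REGION/api/token
  TLS_CERT: !file $REGION/tls/cert.pem
staging:
  API_TOKEN: !var $REGION/api/token-staging
"""

# Constructed stand-in for a provider such as summon-s3.
FAKE_STORE = {
    "us-east-1/db/password": "p4ss",
    "us-east-1/api/token": "tok-prod",
    "us-east-1/api/token-staging": "tok-stage",
    "us-east-1/tls/cert.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n",
}


def fake_provider(secret_id: str) -> str:
    """Return the secret for an id, failing loudly on an unknown id."""
    if secret_id not in FAKE_STORE:
        raise LookupError(f"provider has no secret {secret_id!r}")
    return FAKE_STORE[secret_id]


def parse_secrets_yml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level subset into {section: {ENV_NAME: raw value}}.
    Top-level NAME: value lines (a flat file) land in the '' section."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if indent == 0 and value == "":
            current = key  # `section:` opens a section
            sections.setdefault(current, {})
        else:
            sections.setdefault(current if indent else "", {})[key] = value
    return sections


def apply_substitutions(secret_id: str, subs: Dict[str, str]) -> str:
    """Replace $NAME tokens in a secret id; a missing -D value is an error."""
    def repl(match):
        name = match.group(1)
        if name not in subs:
            raise KeyError(f"no substitution for ${name}; pass -D {name}=...")
        return subs[name]
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", repl, secret_id)


def resolve_secrets(text: str, environment: Optional[str] = None,
                    substitutions: Iterable[str] = (),
                    provider: Callable[[str], str] = fake_provider,
                    tmpdir: Optional[str] = None) -> Dict[str, str]:
    """Produce the environment the step would receive."""
    subs: Dict[str, str] = {}
    for item in substitutions:
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"substitution {item!r} must be NAME=value")
        subs[name] = value
    sections = parse_secrets_yml(text)
    if environment is None:
        if set(sections) - {""}:
            raise ValueError("file has sections; an environment is required")
        entries = dict(sections.get("", {}))
    else:
        if environment not in sections:
            raise ValueError(f"unknown environment {environment!r}")
        entries = {**sections.get("common", {}), **sections[environment]}
    env: Dict[str, str] = {}
    for name, raw in entries.items():
        if raw.startswith("!var "):
            env[name] = provider(apply_substitutions(raw[5:].strip(), subs))
        elif raw.startswith("!file "):
            secret = provider(apply_substitutions(raw[6:].strip(), subs))
            fd, path = tempfile.mkstemp(prefix="summon-", dir=tmpdir)  # 0600
            with os.fdopen(fd, "w") as fh:
                fh.write(secret)
            env[name] = path  # the variable carries the file path
        else:
            env[name] = raw  # literal, exported as-is
    return env
```

Running `resolve_secrets(SAMPLE_SECRETS_YML, "production", ["REGION=us-east-1"])` yields the merged `common` and `production` entries with `$REGION` filled in; leaving out the substitution fails before anything is fetched, which is the behaviour you want from a hook that runs before every other plugin in the step.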

Prerequisites

summon must already be installed in the environment where your agent runs, along with whatever provider(s) will be used.

Tests

You can run the tests for this plugin with:

docker-compose run --rm tests

License

MIT (see LICENSE)
