Projects & Global Secrets #725
rohan-chaturvedi
started this conversation in
Ideas
Replies: 1 comment
-
|
This is great, I love the idea. You must also address a pressing problem - hierarchical dynamic secret syncing. Should a shared or cross-referenced secret in the org-level or project-level rotate, ensure that it cascades wherever said secrets are shipped (CI, K8s...) fast. This is a problem many of us are keen to see fixed. The current situation is such that we must manually follow up across dependent apps and sync to ensure secrets are cascaded effectively. Thank you for involving the community on this one @rohan-chaturvedi ! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Projects
A new layer of abstraction in Phase that allows groupings of related apps.
Projects are a way to group related apps that are part of a single application, or stack. Projects will make it easier to manage access, integrations and settings for a set of apps, and allow for shared secrets and configuration to be defined across the project.
Motivation
Currently, Apps in an org exist on a flat tier, but often certain apps are related and are part of a larger single application. For example consider the Phase Apps
dashboard - backendanddashboard - frontendwhere thebackendandfrontendhave their own respective repos, secrets, team members, but are part of thedashboardapplication which has a common context. The current flat organisation of Apps makes this cumbersome to map correctly, and mixes it in with all other Apps in the org.Projects will allow for related apps to be grouped. For example:
Implementation
The basic implementation of Projects would include:
Project CRUD
Project Access
Project Integrations: This would allow syncs, dynamic secrets and third-party credentials to be contained within a project
Project Roles: Project roles would allow for users to have a different role than their org role within the domain of a project. This would allow for a
Developerat the org level to be aProject-Admin, for example.Project navigation
/org/projects/org/projects/<project_id>Global Secrets
Global Secrets are secrets defined globally across a given scope of apps. They can take the form of:
Global Secrets are automatically inherited by Apps within their scope. This allows for secrets or configurations that are shared by a set of Apps to be defined once and implicitly included where required.
Motivation
A common pattern when managing secrets in multi-application setups or monorepos is for a common set of configurations to be defined once, and application-specific secrets to be defined at a lower hierarchy. We've also seen requests for the ability to define "Org-level" secrets, that can be overridden by specific Apps if required. Currently this can be achieved in Phase by creating a 'common' or 'default' app, and using Secret Referencing to explicitly include their secrets in Apps and Envs where required.
However, this approach does not scale well as the number of secrets and apps grow. This approach also doesn't correctly represent the hierarchy which would allow for advanced use cases, such as application-level overrides of global secrets.
Implementation
Global Secrets will be implemented under the hood via a single designated 'Global App' within an Org / Project.
Global Apps will generally function identically to normal Apps, in that they have Environments with Secrets, but will have the following key differences:
global [dev, stag, prod]api [dev, stag, prod]api [dev]will include all secrets defined inglobal [dev]Configuration
Beta Was this translation helpful? Give feedback.
All reactions