Secrets

Overview

Secrets are objects in IceCI that store sensitive data. They are stored as Secret objects in the Kubernetes cluster, so anyone allowed to read Secrets in that namespace can read their values (Kubernetes only base64-encodes Secret data; it is not encrypted unless encryption at rest is configured), which is a reason to keep RBAC on that namespace tight. Currently IceCI distinguishes 4 types of secrets:

- Generic secret
- Docker secret
- Git SSH key
- Git token

Attention

Git SSH key and Git token secrets are used for cloning the repository and are never referred to directly in pipelines. They can only be selected while creating a repository in the UI.

Note

Currently secrets can only be configured through the UI in the settings section.

Generic secret

Generic secrets store sensitive data that can be used in pipelines. Their values are passed to containers as environment variables. Generic secrets can be used in dockerRun steps, services and failure handlers, and they can also be defined in the globals section of the pipeline so that every such object receives them.

Example

Here's an example of passing the value of generic-secret to the environment variable ENV_FROM_SECRET. The script prints the variable only to show that it was set; in a real pipeline avoid printenv, echo or env on secret-backed variables, because their output ends up in the build log.

steps:
- name: step1
  dockerRun:
    image: busybox
    script: |
      printenv ENV_FROM_SECRET
    environment:
    - name: ENV_FROM_SECRET
      fromSecret: generic-secret

Here's an example of passing the value of generic-secret to both a service and a dockerRun step via the globals section.

globals:
  environment:
  - name: ENV_FROM_SECRET
    fromSecret: generic-secret

services:
- name: envcheck
  image: busybox
  script: |
    printenv ENV_FROM_SECRET
    sleep 99999

steps:
- name: step1
  dockerRun:
    image: busybox
    script: |
      printenv ENV_FROM_SECRET

Further reading

For more information about passing secrets as environment variables see environment variable reference.

Docker secret

Overview

A Docker secret stores credentials used to authenticate to Docker registries. It can be used both for pulling images from private registries and for pushing images built in a dockerBuild step. In both cases the secret is referenced through the dockerSecret field.

A Docker secret can also be specified in the globals section of the pipeline - this way it’ll be passed to every object that has a dockerSecret field. If a Docker secret is specified at the object level, it will override the global docker secret.

Examples

Here's an example of running both a service and a step from images in a private registry.

services:
- name: db
  image: mrupgrade/private:db
  dockerSecret: dockerhub

steps:
- name: step1
  dockerRun:
    image: mrupgrade/private:debian10
    dockerSecret: dockerhub
    script: "echo Hello world"

Note

When running this example in your own pipelines, change the image values to a repository and image you have read access to, and create a Docker secret named dockerhub holding credentials for that registry.

Here's an example of setting dockerSecret at the global level so it doesn't have to be repeated in every step, service and failure handler.

globals:
  dockerSecret: dockerhub

services:
- name: db
  image: mrupgrade/private:db

steps:
- name: step1
  dockerRun:
    image: mrupgrade/private:debian10
    script: "echo Hello world"

Note

When running this example in your own pipelines, change the image values to a repository and image you have read access to, and create a Docker secret named dockerhub holding credentials for that registry.

Further reading

For more information on how to use Docker secrets check the reference for these pipeline objects: dockerRun, dockerBuild, service, failureHandler and globals.
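The environment and dockerSecret rules above (globals reach every service, step and failure handler; an object-level dockerSecret overrides the global one; secret-backed variables should not be printed) are easy to get wrong in a larger pipeline. The following script is an added example, not IceCI code: it resolves the secrets each object would receive and flags references to secrets that were never created plus scripts that would dump a secret into the build log. It assumes that an object-level environment entry overrides a global entry of the same name and that failure handlers sit under a top-level failureHandlers key; neither is stated on this page. The pipeline is the page's examples combined and written as the dict yaml.safe_load would return, so it runs without PyYAML.

```python
"""Resolve the secrets each IceCI pipeline object receives and lint mistakes.

Added example, not code from the IceCI project.  Rules taken from the page:
globals.environment and globals.dockerSecret apply to every service, step and
failure handler; an object-level dockerSecret overrides the global one.
Assumptions: an object-level environment entry overrides a global one with
the same name, and failure handlers are listed under "failureHandlers".
"""
import re

# Constructed: names of the secrets an operator has created in the IceCI UI.
CONFIGURED_SECRETS = {"generic-secret", "dockerhub"}

# Constructed pipeline (equivalent to the YAML examples on this page) with two
# deliberate mistakes: step1 references a Docker secret that was never created
# and the failure handler references a generic secret that does not exist.
PIPELINE = {
    "globals": {
        "dockerSecret": "dockerhub",
        "environment": [
            {"name": "ENV_FROM_SECRET", "fromSecret": "generic-secret"},
        ],
    },
    "services": [
        {"name": "envcheck", "image": "busybox",
         "script": "printenv ENV_FROM_SECRET\nsleep 99999\n"},
    ],
    "steps": [
        {"name": "step1", "dockerRun": {
            "image": "mrupgrade/private:debian10",
            "dockerSecret": "other-registry",
            "script": "echo build ok\n"}},
    ],
    "failureHandlers": [  # key name is an assumption, not from the page
        {"name": "notify", "image": "busybox",
         "environment": [{"name": "WEBHOOK", "fromSecret": "slack-hook"}],
         "script": 'curl -d "$WEBHOOK" https://hooks.example.invalid/\n'},
    ],
}


def pipeline_objects(pipeline):
    """Yield (label, spec) for every object that can carry secrets.

    For steps the secret-bearing fields sit under the step kind
    (dockerRun / dockerBuild), as in the YAML examples above.
    """
    for svc in pipeline.get("services", []):
        yield f"service:{svc['name']}", svc
    for step in pipeline.get("steps", []):
        for kind in ("dockerRun", "dockerBuild"):
            if kind in step:
                yield f"step:{step['name']}/{kind}", step[kind]
    for handler in pipeline.get("failureHandlers", []):
        yield f"failureHandler:{handler['name']}", handler


def effective_secrets(pipeline, spec):
    """Return (env var -> secret name, docker secret name or None) for one
    object after the globals section has been applied."""
    glob = pipeline.get("globals", {})
    env = {}
    # Global entries first, then the object's own, so the latter win.
    for source in (glob.get("environment", []), spec.get("environment", [])):
        for entry in source:
            if "fromSecret" in entry:  # entries without fromSecret carry no secret
                env[entry["name"]] = entry["fromSecret"]
    docker = spec.get("dockerSecret", glob.get("dockerSecret"))
    return env, docker


def script_leaks(script, var):
    """True if the script prints VAR, copying the secret into the build log:
    `printenv VAR`, `echo ... $VAR` / `${VAR}`, or a bare env/set/printenv."""
    dump_all = re.compile(r"^\s*(printenv|env|set)\s*$", re.MULTILINE)
    this_var = re.compile(
        rf"printenv\s+{re.escape(var)}\b|echo\b[^\n]*\$\{{?{re.escape(var)}\b")
    return bool(dump_all.search(script) or this_var.search(script))


def lint(pipeline, configured):
    """Return (object label, finding kind, detail) triples."""
    findings = []
    for label, spec in pipeline_objects(pipeline):
        env, docker = effective_secrets(pipeline, spec)
        for var, secret in env.items():
            if secret not in configured:
                findings.append((label, "unknown-secret", f"{var} <- {secret}"))
            if script_leaks(spec.get("script", ""), var):
                findings.append((label, "secret-in-log", var))
        if docker is not None and docker not in configured:
            findings.append((label, "unknown-secret", f"dockerSecret {docker}"))
    return findings


if __name__ == "__main__":
    for label, kind, detail in lint(PIPELINE, CONFIGURED_SECRETS):
        print(f"{label}: {kind}: {detail}")
```

Run against the constructed pipeline it reports the envcheck service printing ENV_FROM_SECRET, step1's unknown dockerSecret (which correctly overrides the global dockerhub rather than falling back to it) and the failure handler's missing slack-hook secret. To use it on a real pipeline, replace PIPELINE with yaml.safe_load() of the pipeline file and CONFIGURED_SECRETS with the names listed in the IceCI settings UI.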

Git SSH key

A Git SSH key stores the SSH private key used to authenticate to a Git server. It's used for cloning the repository and for monitoring it for new changes.

The secret is selected while adding a repository to IceCI. After entering an SSH clone URL in the Repository URL field - for example git@github.com:MrUPGrade/example-python-flask-api.git - the Secret names dropdown will show all the available Git SSH key secrets.

[Figure: git_ssh_secret.png - the Secret names dropdown when adding a repository with an SSH clone URL]

Note

A Git SSH key is required whenever the repository is accessed over SSH, regardless of whether the repository is public or private.

Git token

A Git token stores an access token used to authenticate to a Git server over HTTPS. It's used for cloning the repository and for monitoring it for new changes, so a token scoped to read access on that repository is sufficient.

The secret is selected while adding a repository to IceCI. After entering an HTTPS clone URL in the Repository URL field - for example https://github.com/MrUPGrade/example-python-flask-api.git - the Secret names dropdown will list all the available Git token secrets.

[Figure: git_token_secret.png - the Secret names dropdown when adding a repository with an HTTPS clone URL]

Note

A Git token is needed only when accessing a private repository over HTTPS. For public HTTPS repositories the token can be left empty and no secret is required.