This document will explain how you can work with secrets in Semaphore 2.0. Semaphore 2.0 stores confidential information in secrets using environment variables. Expect to see support for configuration files In the near future.
You can think of a secrets as a bucket in which you can place your
confidential information in the form of environment variables and
configuration files. Although you cannot have an environment variable
name to appear more than once in the same secrets, you can have
multiple secrets lists that contain the same environment variable
name.
Last secrets are connected to organizations, which means that if you
create a secrets under an orginization you will be able to use it in
all the Semaphore 2.0 projects of that organization.
In this section you will learn how you can add your confidential
information in a Semaphore 2.0 secrets. Semaphore 2.0 supports two
ways for including confidential information: environment variables and
configuration files.
It is really important to understand that you are responsible for putting the desired data using the desired format into a configuration file.
So, the first thing to do is connecting to an organization as explained in the Changing Organizations{: target="_blank"} documentation page.
In this section you will learn how to create a secret for storing confidential information in the form of environment variables and configuration files.
The following YAML file create a new secrets item that is called
more-mihalis-secrets with two environment variables, named
SECRET_ONE and SECRET_TWO:
$ cat createSecret.yml
apiVersion: v1alpha
kind: Secret
metadata:
name: more-mihalis-secrets
data:
env_vars:
- name: SECRET_ONE
value: "Ca c'est un petite secret"
- name: SECRET_TWO
value: "Secret deux"
The you will have to execute the sem command line tool as follows:
$ sem create -f createSecret.yml
apiVersion: v1alpha
data:
env_vars:
- name: SECRET_ONE
value: Ca c'est un petite secret
- name: SECRET_TWO
value: Secret deux
kind: Secret
metadata:
id: 3e0938ac-b752-46ae-982f-c63ce817d847
name: more-mihalis-secrets
Now, you can verify that a new secret item has been created as
follows:
$ sem get secrets
NAME
mihalis-secrets
more-mihalis-secrets
You can list of the values of an existing secrets as follows:
$ sem describe secrets more-mihalis-secrets
apiVersion: v1alpha
data:
env_vars:
- name: SECRET_ONE
value: Ca c'est un petite secret
- name: SECRET_TWO
value: Secret deux
kind: Secret
metadata:
id: e6092e1d-a3c3-43b9-a209-5370f3835a9e
name: more-mihalis-secrets
The next section will show how to list all the existing secrets of an
organization.
The following script will help you list all the contents of all
the secrets of an organization:
$ sem get secrets | grep -v NAME | xargs -n1 sem describe secrets
Its output will look as follows:
apiVersion: v1alpha
data:
env_vars:
- name: SECRET_ONE
value: Ca c'est un petite secret
- name: SECRET_TWO
value: Secret deux
kind: Secret
metadata:
id: a7c4d405-3344-4b88-9303-6827ad38f701
name: mySecrets
apiVersion: v1alpha
data:
env_vars:
- name: SECRET_ONE
value: Ca c'est un petite secret
- name: SECRET_TWO
value: Secret deux
kind: Secret
metadata:
id: e6092e1d-a3c3-43b9-a209-5370f3835a9e
name: more-mihalis-secrets
apiVersion: v1alpha
data:
env_vars:
- name: SECRET_ONE
value: Ca c'est un petite secret
kind: Secret
metadata:
id: b7bc03c0-2c0c-4317-b8fa-fa57d671f417
name: mihalis-secrets
As you already saw, in order to list all the available secrets values,
you should execute the next command:
$ sem get secrets
NAME
mihalis-secrets
more-mihalis-secrets
even-more-mihalis-secrets
You can delete an existing secrets by executing the following command:
$ sem delete secret mihalis-secrets
You can now verify that the desired secrets has been deleted as
follows:
$ sem get secrets
NAME
more-mihalis-secrets
even-more-mihalis-secrets
If the secrets you want to delete does not exist, you will get the
following kind of error message:
$ sem delete secret mihalis-secrets
{"message":"Bad Request"}
In the previous section, you learned how you can add confidential
information into a secrets and add that secrets to your Semaphore
2.0 organization. In this section, you will learn how to use your
confidential data, either as environment variables or as files.
Notice that you should select the secrets you want using the name
property.
The Semaphore 2.0 pipeline that will be used for the example project is defined as follows:
$ cat .semaphore/semaphore.yml
version: v1.0
name: Basic YAML configuration file example.
agent:
machine:
type: e1-standard-2
os_image: ubuntu1804
blocks:
- task:
jobs:
- name: My Semaphore 2.0 job
commands:
- checkout
- ls -l .semaphore
- echo $SEMAPHORE_PIPELINE_ID
- echo "Hello World!"
- echo $SECRET_ONE
- echo $SECRET_TWO
secrets:
- name: mySecrets
- name: more-mihalis-secrets
Please notice that when the names of the environment variables of two
more more secrets are the same, then the environment variable will
have the value that can be found in the secrets property that was
imported last.
Now, it is time to learn what will happen when you try to use a
secrets in your .semaphore/semaphore.yml file that does not exist.
The .semaphore/semaphore.yml file that will be used is the following:
version: v1.0
name: Using secrets in Semaphore 2.0
agent:
machine:
type: e1-standard-2
os_image: ubuntu1804
blocks:
- task:
jobs:
- name: My Semaphore 2.0 job
commands:
- echo "Hello World!"
- echo $SECRET_ONE
- echo $SEMAPHORE_PIPELINE_ID
secrets:
- name: does-not-exist
In that case the pipeline will fail to run.
Errors happen all the time. So if there is something wrong and you cannot get any data from the servers, you are going to see an error message similar to the following:
$ sem get secrets
error: http status 502 received from upstream
Another kind of error you can get when dealing with secrets is the
following:
$ sem -v get secrets
2018/07/05 00:22:09 https://semaphore.semaphoreci.com/api/v1alpha/secrets
2018/07/05 00:22:13 response Status: 504 Gateway Timeout
2018/07/05 00:22:13 response Headers: map[Alt-Svc:[clear] Content-Length:[24] Content-Type:[text/plain] Date:[Wed, 04 Jul 2018 21:22:12 GMT] Server:[envoy] Via:[1.1 google]]
2018/07/05 00:22:13 upstream request timeout
error: http status 504 received from upstream
Generally speaking using the -v switch when things go wrong might help
you or Rendered Text reveal the root of problem and correct it.