In June we released Summon, an open-source tool to make it easier to use secrets in modern workflows. As part of the release, we proposed secrets.yml, a format that allows you to check references to secrets into source control. In this post I’ll talk about why this matters and show you how you can improve and secure your Docker workflow with Summon.
Secrets are dependencies
Here is Gene Kim talking about the results from the 2014 State of DevOps survey:
“One of the most startling findings this year studying over 9,200 survey responses was that version control was consistently one of the highest predictors of performance. And furthermore, that version controlling the production environment was an even higher predictor of performance than version controlling code!”
So, if you want a chance at being a high-performance IT organization, everything you need to recreate your production environment should be in source control. Server configuration is written as code with configuration management tools, database migrations are written or generated as code, and networks now expose RESTful APIs for programmatic control. DevOps is pushing “everything as code” to great success.
Security is working hard to keep up and maintain visibility. We are working on open-source tools at Conjur to help. The first, Summon, aims to tackle the issue of secrets and source control. Your applications need passwords, API tokens, SSL certificates – but you can’t check them in. They end up in a fugue state, wandering around your infrastructure and developer laptops. The engineers that need credentials waste time hunting them down and auditors are not impressed. Unlike PII or PCI data, there is no standard for securing secrets today. Checking encrypted secrets into source control only means that you have new secrets – the keys you need for decryption.
Secrets are dependencies. We should track them in source control. Here’s a fun game – at your next dev meeting, suggest that you stop checking your application dependencies into source control. No more requirements.txt, Gemfile or composer.json. Talk through how removing these files would impact your release cycle. Our proposal is that you use Summon + secrets.yml to track your secrets in source control.
Using Docker with Summon
To use Docker effectively, it’s best to treat your containers as 12-factor applications that receive their configuration via the environment. That way, you can move containers between environments as immutable artifacts. Some of the configuration that changes between environments will be sensitive credentials – “when I’m running in production I need the production database password”.
In this hands-on example, we walk through running a deploy script inside a Docker container, with Summon providing its credentials from your OS’s keychain, which acts as the secrets store.
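The handoff described above, from references in a checked-in secrets.yml to a provider to the container's environment, as an added example that is not Summon's own code: it implements just enough of the secrets.yml contract (a `common:` section, named environments, and the `!var` / `!file` tags) to show how a reference becomes an environment variable for `docker run`. The `KEYCHAIN` dict is a constructed stand-in for the OS keychain that the real keyring provider would query, and every secret value, path and image name in it is made up for the illustration.

```python
"""Toy model of the Summon + secrets.yml handoff to a Docker container.

Added example, not Summon's own code. KEYCHAIN stands in for the OS
keychain; secrets.yml holds only references, never values.
"""
import os
import tempfile

# Constructed stand-in for the OS keychain: secret id -> secret value.
KEYCHAIN = {
    "prod/db/password": "pr0d-db-s3cret",
    "staging/db/password": "staging-db-pass",
    "deploy/ssh/private_key": "-----BEGIN KEY-----\nAAAA\n-----END KEY-----\n",
}

# Constructed secrets.yml: the part that is safe to commit to source control.
SECRETS_YML = """\
common:
  DEPLOY_KEY: !file deploy/ssh/private_key
  APP_NAME: myapp
staging:
  DB_PASSWORD: !var staging/db/password
production:
  DB_PASSWORD: !var prod/db/password
"""


def keychain_provider(secret_id):
    """Provider contract: take a secret id, return its value, or fail loudly."""
    if secret_id not in KEYCHAIN:
        raise LookupError("no secret %r in keychain" % secret_id)
    return KEYCHAIN[secret_id]


def parse_secrets_yml(text):
    """Parse the two-level subset above into {section: {VAR: (kind, value)}}
    where kind is 'var', 'file' or 'literal'."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):          # unindented line starts a section
            current = raw.strip().rstrip(":")
            sections[current] = {}
            continue
        name, _, rhs = raw.strip().partition(":")
        rhs = rhs.strip()
        if rhs.startswith("!var "):
            entry = ("var", rhs[len("!var "):].strip())
        elif rhs.startswith("!file "):
            entry = ("file", rhs[len("!file "):].strip())
        else:
            entry = ("literal", rhs)
        sections[current][name.strip()] = entry
    return sections


def write_private(content, workdir, suffix):
    """Write content to a fresh 0600 file in workdir and return its path."""
    fd, path = tempfile.mkstemp(dir=workdir, suffix=suffix)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)
    return path


def resolve(sections, environment, provider, workdir):
    """Merge common + environment and resolve each reference via provider.
    A `!file` secret goes to a 0600 temp file and the variable carries the
    path, so multi-line material (keys, certs) never has to fit one line."""
    merged = dict(sections.get("common", {}))
    merged.update(sections[environment])
    env = {}
    for name, (kind, value) in merged.items():
        if kind == "literal":
            env[name] = value
        elif kind == "var":
            env[name] = provider(value)
        else:
            env[name] = write_private(provider(value), workdir, suffix="")
    return env


def posix_mode(path):
    """Permission bits of path, to confirm the files really are 0600."""
    return os.stat(path).st_mode & 0o777


def build_docker_run(environment, image, command, provider=keychain_provider):
    """Return (env, argv): resolved variables and a docker run command that
    passes them via --env-file rather than baking them into the image."""
    workdir = tempfile.mkdtemp()
    env = resolve(parse_secrets_yml(SECRETS_YML), environment, provider, workdir)
    lines = "".join("%s=%s\n" % kv for kv in sorted(env.items()))
    env_file = write_private(lines, workdir, suffix=".env")
    argv = ["docker", "run", "--rm", "--env-file", env_file, image] + list(command)
    return env, argv


if __name__ == "__main__":
    env, argv = build_docker_run("production", "myapp/deploy:latest", ["./deploy.sh"])
    print(" ".join(argv))
```

Two points worth checking in your own setup follow from this model. First, the env file and any `!file` material are the only places the plaintext touches disk, so they must be short-lived and mode 0600 (the real tool creates them for the duration of the wrapped command and removes them afterwards, substituting the path for `@SUMMONENVFILE` on the command line). Second, anything passed through `--env-file` is still visible to whoever can run `docker inspect` on the host, so the keychain or provider controls who may obtain the secret, but the container host still needs its own access control.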