When developing software, particularly for larger cloud-based distributed systems, there are usually a few secrets that must be distributed securely, both amongst the developers and to the services that use them to unlock credentials.
In systems with many credentials, services, and instances, storage of these secrets is often delegated to a “vault” like AWS Key Management Service or HashiCorp Vault. But you still need a credential to open the vault to pull out a credential for the specific principal and scope you want.
In the past I’ve seen people deposit secrets into source code files and include them in their source repository. Although access to those repositories is often private and the data is typically transmitted over SSH, this is not good practice: the files are stored in plain text in the repository, and their contents remain scattered throughout the repository’s history (generally forever). …
Around July last year, with the introduction of some new components in the systems we build at mPort, we also introduced some new CI/CD tooling. I’m experienced with the tools built by previous companies I’ve worked for (particularly ThoughtWorks and Atlassian), so GoCD and Bamboo were good candidates. Jenkins was not (at the time). This article does not dwell on the specific pros and cons of those products in the specific mPort context. Suffice it to say, they are all fine products and the evaluation criteria for mPort are not the same for other teams.
For the past year or so, the team at mPort have been focussed on constantly improving the rate of delivering value with high confidence. This has meant quite a few changes and experimentation with how we work. The first step was taken with a GoCD server and, once the security-oriented configuration for the infrastructure-as-code was worked out (with some gaffer tape and string), it was working well enough. …
Here at mPort, we have a multi-platform technology team (Windows, macOS, Linux). This brings interesting challenges when collaborating on the same components. Docker is an obvious choice to mitigate those challenges, but it introduces a few more corkers along the way.
This post is about our journey trying to fix a problem with file permissions on the CI server, which in turn led us to solve problems with line endings in text files.
Here’s a quick snapshot of the relevant tools involved: