Secret management

Concourse is a pipeline-based continuous thing-doer.

In Galaxie-Forge, we delegate running continuous integration and deployment to Concourse. In many cases, Concourse workers have to get access to secrets, which we do not want to upload as part of the pipeline definitions. For that we rely on the Concourse credential management feature.

Secrets are stored in a key-value secret backend in Vault.

Authentication and permissions

The concourse web node is configured with a Vault token that has the read capability on the /${CONCOURSE_VAULT_PATH_PREFIX}/* key-value path in Vault.

concourse web node environment
CONCOURSE_VAULT_URL=https://vault.example.com:8200
CONCOURSE_VAULT_CLIENT_TOKEN=s.mSNnbhGAqxK2ZbMasOQ91rIA
CONCOURSE_VAULT_PATH_PREFIX=/concourse

Important

This token can be periodic and renewable. If you choose to do so, its TTL should be greater than the max downtime window of the Concourse web node or you will have to generate a new one and change the concourse web node configuration before restarting it.

Network considerations

There is no direct communication between workers and Vault.

Concourse worker nodes only query the concourse web node to get their values; they never hold a Vault token themselves. The web node filters which secrets are visible according to the job's team and name.

Do not repeat yourself

If secrets need to be shared among all jobs, consider configuring a shared path:

concourse web node environment
CONCOURSE_VAULT_SHARED_PATH=some-shared-path

…and store the shared secrets in the key-value backend under the Vault path /${CONCOURSE_VAULT_PATH_PREFIX}/${CONCOURSE_VAULT_SHARED_PATH}/*
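The following is an added example (not Galaxie-Forge or Concourse code) that models what the three sections above describe: the order in which the web node looks a credential up (pipeline-scoped, then team-scoped, then the shared path), the team/pipeline isolation that results, and the read-only policy the web node's token should carry. It uses the prefix and shared path from the environment blocks on this page; the team, pipeline and secret names, the secret values and the reduced policy representation are constructed sample data, and the ACL matcher is a deliberately simplified stand-in for Vault's own evaluation.

```python
"""Model of Concourse credential lookup against a read-only Vault policy.

Added example, not Concourse or Galaxie-Forge code. The lookup order below
follows Concourse's documented Vault credential manager behaviour; the
policy check is a simplified model of Vault ACL path matching (exact path,
or prefix match for rules ending in '*').
"""

# Values from the "concourse web node environment" blocks on this page.
PATH_PREFIX = "/concourse"            # CONCOURSE_VAULT_PATH_PREFIX
SHARED_PATH = "some-shared-path"      # CONCOURSE_VAULT_SHARED_PATH

# Constructed policy for the web node token: read only, and only under the
# prefix. In real HCL this would be:  path "concourse/*" { capabilities = ["read"] }
POLICY = {
    "concourse/*": {"read"},
}

# Constructed key-value store standing in for the Vault KV backend.
SAMPLE_STORE = {
    "/concourse/main/deploy/registry-password": "pipeline-specific",
    "/concourse/main/registry-password": "team-wide",
    "/concourse/some-shared-path/slack-webhook": "shared",
}


def candidate_paths(team, pipeline, var_name, prefix=PATH_PREFIX, shared=SHARED_PATH):
    """Paths the web node tries for ((var_name)), most specific first.

    1. PREFIX/TEAM/PIPELINE/VAR   pipeline-scoped secret
    2. PREFIX/TEAM/VAR            team-wide secret
    3. PREFIX/SHARED_PATH/VAR     only when a shared path is configured
    """
    paths = [
        f"{prefix}/{team}/{pipeline}/{var_name}",
        f"{prefix}/{team}/{var_name}",
    ]
    if shared:
        paths.append(f"{prefix}/{shared}/{var_name}")
    return paths


def policy_allows(policy, path, capability):
    """Simplified Vault ACL check: a rule ending in '*' matches any path with
    that prefix, any other rule must match exactly. Vault policy paths carry
    no leading slash, so it is stripped before comparison."""
    path = path.lstrip("/")
    for rule_path, caps in policy.items():
        if rule_path.endswith("*"):
            if path.startswith(rule_path[:-1]) and capability in caps:
                return True
        elif path == rule_path and capability in caps:
            return True
    return False


def resolve(store, team, pipeline, var_name, policy=POLICY):
    """Return (path, value) for the first candidate present in the store.

    A job in another team never sees this team's paths because the team name
    is part of every candidate. A candidate outside the policy raises, which
    is what a misconfigured prefix would surface as in the web node logs.
    """
    for path in candidate_paths(team, pipeline, var_name):
        if not policy_allows(policy, path, "read"):
            raise PermissionError(f"token policy does not allow read on {path}")
        if path in store:
            return path, store[path]
    return None


if __name__ == "__main__":
    for team, pipeline, var in [
        ("main", "deploy", "registry-password"),   # pipeline-scoped wins
        ("main", "build", "registry-password"),    # falls back to team-wide
        ("main", "build", "slack-webhook"),        # falls back to shared path
        ("other-team", "build", "registry-password"),  # isolated: not found
    ]:
        print(team, pipeline, var, "->", resolve(SAMPLE_STORE, team, pipeline, var))
```

Running the block shows the same ((registry-password)) reference resolving to different values for the `deploy` and `build` pipelines of team `main`, while `other-team` cannot reach either of them; only the secret placed under the shared path is visible to every team. The policy check also illustrates why the token should carry nothing beyond `read` under the prefix: a `write` request, or a read outside `/concourse`, is rejected by the same rule.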