This document describes how to set up Spinnaker secrets in an encrypted S3 bucket. In this example, we’ll be using a `mybucket` bucket in the `us-west-2` region to store GitHub credentials and a kubeconfig file. We’ll be referencing the bucket by its URL.

Since we’re storing sensitive information, we’ll protect the bucket by restricting access and enabling encryption. The important thing to remember is to run Halyard’s daemon and the Spinnaker services that support decryption with IAM roles that allow them to read that content.
Let’s store our GitHub credentials in the bucket:

```yaml
github:
  password: <PASSWORD>
  token: <TOKEN>
```

Note: We could have chosen to store the password and token under keys other than `github.password` and `github.token`; we’d just need to change how the secret is referenced further down.
Storing sensitive files
Some of Spinnaker’s configuration also uses information stored as files. Let’s upload the kubeconfig file of our Kubernetes account to the bucket:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <ca authority>
    server: https://<clusterurl>
...
```
Now that secrets are safely stored in our bucket, we’ll reference them from our config files with the following format:

```
encrypted:s3!r:<region>!b:<bucket>!f:<path to file>!k:<optional key>
```

Note: The S3-specific parameters (`r:<region>`, `b:<bucket>`, etc.) can appear in any order.
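To make the reference format concrete, here is an added Python example (not Spinnaker’s own code) that parses an `encrypted:s3!...` reference with its parameters in any order, rejects malformed ones, and resolves it against a constructed in-memory stand-in for the bucket; the object paths `spinnaker/secrets.yml` and `spinnaker/kubeconfig` and the secret values are assumptions made up for the example. `resolve` returns the whole object, or only the string under the dotted `k:` key when one is given.

```python
import json
PREFIX = "encrypted:s3!"  # r: region, b: bucket, f: object path, k: optional key

def parse_s3_reference(ref):
    """Split an encrypted:s3!... reference into a dict; parameters may come in any order."""
    if not ref.startswith(PREFIX):
        raise ValueError("not an encrypted:s3 reference")
    params = {}
    for part in ref[len(PREFIX):].split("!"):  # each part: letter, colon, non-empty value
        if len(part) < 3 or part[1] != ":" or part[0] not in "rbfk":
            raise ValueError(f"malformed parameter {part!r}")
        if part[0] in params:
            raise ValueError(f"duplicate parameter {part[0]!r}")
        params[part[0]] = part[2:]
    missing = {"r", "b", "f"} - set(params)
    if missing:
        raise ValueError(f"missing parameter(s) {sorted(missing)}")
    return params

def reference_error(ref):
    try:  # None when the reference is well formed, otherwise why it was rejected
        parse_s3_reference(ref)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed stand-in for the bucket: (region, bucket, path) -> object bytes. The
# secrets file is JSON (a YAML subset) so json.loads replaces a YAML parser here.
FAKE_BUCKET = {
    ("us-west-2", "mybucket", "spinnaker/secrets.yml"):
        b'{"github": {"password": "pw-constructed", "token": "tok-constructed"}}',
    ("us-west-2", "mybucket", "spinnaker/kubeconfig"):
        b"apiVersion: v1\nclusters:\n- cluster:\n    server: https://example.invalid\n",
}

def resolve(ref, store=FAKE_BUCKET):
    p = parse_s3_reference(ref)
    data = store.get((p["r"], p["b"], p["f"]))
    if data is None:  # where an IAM-denied read shows up; never echo secrets here
        raise LookupError("object not found or not readable by this role")
    if "k" not in p:
        return data
    node = json.loads(data)
    for segment in p["k"].split("."):
        if not isinstance(node, dict) or segment not in node:
            raise KeyError(f"key {p['k']!r} not present in {p['f']}")
        node = node[segment]
    if not isinstance(node, str):
        raise ValueError("a k: reference must name a single string value")
    return node.encode()
```

Running `reference_error` over every `encrypted:s3!` value in a config before deploying catches typos in the reference itself, which otherwise only surface as a failed decryption at service start.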
For example, to reference `github.password` from the file above, we’ll use:
And to reference the content of our kubeconfig file: