This documentation and the Cisco Observability Platform functionalities it describes are subject to change. Data saved on the platform may disappear and APIs may change without notice.
Encrypt Secrets
This page explains how to encrypt secrets. You can use these encrypted secrets in your solution or pass them as environment variables to your zodiac:function.
Prerequisites
Configure SOPS
- Create the file .sops.yaml with the following content, which tells sops that its input will be a JSON file and that, within the JSON file, it should encrypt only the contents of the secrets key:

  creation_rules:
    - filename_regex: \.json$
      encrypted_suffix: secrets

- Get the public key for your solution by running the fsoc ks get command:

  fsoc knowledge get --type solutionsecret:publicKey --layer-type=SOLUTION --layer-id solutionsecret

  Note: The public key is the same for all solutions. This key has a fingerprint and a creation timestamp.

- Copy the public key from the output of the fsoc ks get command. Make sure to copy the entire block, which looks like this:

  -----BEGIN PGP PUBLIC KEY BLOCK-----
  bunch of characters
  -----END PGP PUBLIC KEY BLOCK-----

- Paste the public key into a new file named MY-PUBLICKEY-NAME.asc.
- Copy the fingerprint of the public key to your clipboard.
- Import your public key into gpg:

  gpg --import MY-PUBLICKEY-NAME.asc

- To confirm that your key's fingerprint is in your gpg database of available keys, run gpg --list-keys.
Create a JSON File with Unencrypted Secrets
Create a JSON file with the data you want to encrypt. The data to encrypt must be under a key named secrets, i.e. it must match the key you specified in your sops config file (.sops.yaml).
Syntax:
{
"name": "<string>",
"secrets": {
"<secret-name>": "<string>",
"<secret-name>": "<string>"
}
}
Example:
A file named MY-SECRETS.json contains:
{
"name": "mySecretsObject",
"secrets": {
"secret1": "mysupersecretpassword1",
"secret2": "mysupersecretpassword2"
}
}
Encrypt the Contents of a JSON File
Run the sops encrypt command, giving it your key's fingerprint and the JSON file containing the data you want to encrypt. This data must be in a key that matches the key you specified in your sops config file (.sops.yaml):
sops --encrypt --pgp FINGERPRINT MY-SECRETS.json > MY-ENCRYPTED-SECRETS.json
The output file, MY-ENCRYPTED-SECRETS.json, is a definition of type solutionsecret:solutionSecret. Notice that it contains a name key whose value matches the name key in MY-SECRETS.json, and a list of secrets. The list name matches the key you specified in your sops config file (.sops.yaml). In our example, this list is named secrets, and it contains secrets named exactly as in your input JSON (MY-SECRETS.json), but with their values encrypted. All the other information in the output file is sops metadata.
Save an Encrypted JSON File in Your Solution
To add the sops output (the new solutionsecret:solutionSecret definition) to your solution manifest:
- Move MY-ENCRYPTED-SECRETS.json to <your-solution-directory>/secret/MY-ENCRYPTED-SECRETS.json.
- In the objects array of <your-solution-directory>/manifest.json, tell the platform where all configurations of type solutionsecret:solutionSecret are located:

  {
    "name": "<solution-name>",
    "objects": [
      {
        "type": "solutionsecret:solutionSecret",
        "objectsDir": "secret/MY-ENCRYPTED-SECRETS.json"
      }
    ]
  }
Reference an Encrypted JSON File in Your Solution
Now that you have a JSON file with encrypted secrets, and you've added this file to your solution manifest, this is how your solution's functions can access these secrets:
In your zodiac:function, add a secretEnvvarsV2 JSON object. For example:
{
"name": "my-func",
"image": "gcr.io/knative-samples/helloworld-go",
"secretEnvvarsV2": [
{
"envvarName": "MY_VAR_1",
"secretRef": "mySecretsObject/secret1"
},
{
"envvarName": "MY_VAR_2",
"secretRef": "mySecretsObject/secret2"
}
]
}
Now your function can refer to the secrets as MY_VAR_1 and MY_VAR_2.
Note: The unencrypted secrets are set as environment variables in the function.
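As an added check, not part of this documentation or of the platform's tooling, the following Python validates the two hand-offs in the procedure above: that a file placed under secret/ actually carries sops ENC[...] values rather than the plaintext from MY-SECRETS.json, and that every secretRef in a zodiac:function resolves to a name/secret pair in an encrypted secrets object. The ENC[...] payloads and the sops block are constructed placeholders in the value format sops writes for JSON input, not real output.

```python
import json
import re

# Plaintext input as on this page (name matches the function's secretRef).
PLAINTEXT_DOC = {"name": "mySecretsObject",
                 "secrets": {"secret1": "mysupersecretpassword1",
                             "secret2": "mysupersecretpassword2"}}

# Constructed stand-in for MY-ENCRYPTED-SECRETS.json: the shape sops produces for a JSON
# input with encrypted_suffix "secrets". ENC[...] fields and the sops block are placeholders.
ENCRYPTED_DOC = json.loads("""{
  "name": "mySecretsObject",
  "secrets": {
    "secret1": "ENC[AES256_GCM,data:c2FtcGxlMQ==,iv:aXYx,tag:dGFnMQ==,type:str]",
    "secret2": "ENC[AES256_GCM,data:c2FtcGxlMg==,iv:aXYy,tag:dGFnMg==,type:str]"
  },
  "sops": {"pgp": [{"fp": "FINGERPRINT-PLACEHOLDER"}], "version": "placeholder"}
}""")

# The zodiac:function definition from this page (image omitted, it is irrelevant here).
FUNCTION_DOC = {"name": "my-func", "secretEnvvarsV2": [
    {"envvarName": "MY_VAR_1", "secretRef": "mySecretsObject/secret1"},
    {"envvarName": "MY_VAR_2", "secretRef": "mySecretsObject/secret2"}]}

# Shape of a value sops has encrypted (data/iv/tag are base64, type is the original type).
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")

def check_encrypted(doc, encrypted_key="secrets"):
    """Problems that make a file unsafe to commit under secret/; an empty list means OK."""
    problems = []
    if not isinstance(doc.get("name"), str):
        problems.append("missing 'name'")
    secrets = doc.get(encrypted_key)
    if not isinstance(secrets, dict):
        problems.append(f"missing '{encrypted_key}' object")
    else:
        for key, value in secrets.items():
            if not (isinstance(value, str) and ENC_VALUE.match(value)):
                problems.append(f"'{encrypted_key}.{key}' is not a sops ENC[...] value (plaintext?)")
    if "sops" not in doc:
        problems.append("missing 'sops' metadata block (file was never run through sops)")
    return problems

def unresolved_refs(function_doc, secret_docs):
    """envvarNames whose secretRef '<name>/<secret>' matches no known encrypted secrets object."""
    index = {d["name"]: d.get("secrets", {}) for d in secret_docs}
    bad = []
    for entry in function_doc.get("secretEnvvarsV2", []):
        obj, _, secret = entry["secretRef"].partition("/")
        if secret not in index.get(obj, {}):
            bad.append(entry["envvarName"])
    return bad
```

Running check_encrypted on the plaintext file reports both values as unencrypted and the missing sops block, which is the case a pre-commit hook should reject.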