Habitus is a great tool for securely managing secrets during builds (among other things). If you'd like to integrate your existing Habitus build flow into a Skycap application, you need to ensure the conditions below are met.
If you’re not an existing Habitus user, you’ll need to read through its documentation to fully understand the purpose and power of the tool.
1. Explicitly define secrets as Habitus environment variables
Your application (or service) must define any secrets you want to access as environment variables (ENV vars) with the format: HABITUS_ + ENV key. For example to access the secret with the key
MY_SECRET you need to set an environment variable of
Smart Habitus variables
Adding any variables with the
HABITUS_ prefix will signal Skycap to automatically start Habitus in secret-serving mode.
2. Specify your secrets in your build.yml
build.yml file needs to specify the secrets that you want to be available during the build. For example the secret
MY_SECRET defined above would be specified like this:
build: version: 2016-03-14 steps: builder: name: builder dockerfile: Dockerfile no_cache: true secrets: my_secret: type: env value: MY_SECRET
3. Call your secrets from your Dockerfile
Your Dockerfile can now securely call and use secrets via
$ statements. For example:
ARG habitus_host ARG habitus_port ARG habitus_password ARG habitus_user RUN curl -s -u $habitus_user:$habitus_password http://$habitus_host:$habitus_port/v1/secrets/env/my_secret # && do something with secret && remove the secret
Use a single operation
You should pull the secret from Habitus, use it and then remove it all as part of the same operation. Doing it this way will mean that your secret will not be embedded into your resulting image.