Integrating Habitus secrets with Skycap


Habitus is a great tool for securely managing secrets during builds (among other things). If you'd like to integrate your existing Habitus build flow into a Skycap application, you need to ensure the conditions below are met.

If you’re not an existing Habitus user, you’ll need to read through its documentation to fully understand the purpose and power of the tool.

1. Explicitly define secrets as Habitus environment variables

Your application (or service) must define any secrets you want to access as environment variables (ENV vars) with the format: HABITUS_ + ENV key. For example to access the secret with the key MY_SECRET you need to set an environment variable of HABITUS_MY_SECRET.

Smart Habitus variables

Adding any variables with the HABITUS_ prefix will signal Skycap to automatically start Habitus in secret-serving mode.

2. Specify your secrets in your build.yml

Your build.yml file needs to specify the secrets that you want to be available during the build. For example the secret MY_SECRET defined above would be specified like this:

 version: 2016-03-14 
   name: builder 
   dockerfile: Dockerfile 
   no_cache: true 
     type: env 
     value: MY_SECRET

3. Call your secrets from your Dockerfile

Your Dockerfile can now securely call and use secrets via ARG and $ statements. For example:

ARG habitus_host
ARG habitus_port
ARG habitus_password
ARG habitus_user
RUN curl -s -u $habitus_user:$habitus_password http://$habitus_host:$habitus_port/v1/secrets/env/my_secret # && do something with secret && remove the secret

Use a single operation

You should pull the secret from Habitus, use it and then remove it all as part of the same operation. Doing it this way will mean that your secret will not be embedded into your resulting image.