Kapitan References (formally Secrets)
One of the motivations behing Kapitan's design is that we believe that everything about your setup should be tracked, and Kapitan takes this to the extreme. Sometimes, however, we have to manage values that we do not think they belong to the Inventory: perhaps they are either too variable (for instance, a Git commit sha that changes with every build) or too sensitive, like a password or a generic secret, and then they should always be encrypted.
Kapitan has a built in support for References, which you can use to manage both these use cases.
Kapitan References supports the following backends:
Backend | Description | Encrypted |
---|---|---|
plain |
Plain text, (e.g. commit sha) | |
base64 |
Base64, non confidential but with base64 encoding | |
gpg |
Support for https://gnupg.org/ | |
gkms |
GCP KMS | |
awskms |
AWS KMS | |
azkms |
Azure Key Vault | |
env |
Environment | |
vaultkv |
Hashicorp Vault (RO) | |
vaulttransit |
Hashicorp Vault (encrypt, decrypt, update_key, rotate_key) |
Setup
Some reference backends require configuration, both in the Inventory and to configure the actual backend.
Get started
If you want to get started with references but don't want to deal with the initial setup, you can use the plain
and base64
reference types. These are great for demos, but we will see they are extremely helpful even in Production environments.
Danger
Both plain
and base64
references do not support encryption: they are intended for development or demo purposes only.
DO NOT use plain
or base64
for storing sensitive information!
Backend configuration
Configuration for each backend varies, and it is perfomed by configuring the inventory under parameters.kapitan.secrets
.
No configuration needed
No configuration needed
parameters:
kapitan:
secrets:
gpg:
recipients:
- name: example@kapitan.dev
fingerprint: D9234C61F58BEB3ED8552A57E28DC07A3CBFAE7C
parameters:
kapitan:
secrets:
gkms:
key: 'projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<key>'
parameters:
kapitan:
secrets:
awskms:
key: 'alias/nameOfKey'
parameters:
kapitan:
secrets:
azkms:
key: 'https://<keyvault-name>.vault.azure.net/keys/<object-name>/<object-version>'
parameters:
...
mysql:
root_password: ?{env:targets/${target_name}/mysql/root_password}
...
parameters:
kapitan:
secrets:
vaultkv:
VAULT_ADDR: http://127.0.0.1:8200
auth: token
mount: secret
parameters:
kapitan:
secrets:
vaulttransit:
VAULT_ADDR: https://vault.example.com
VAULT_TOKEN: s.mqWkI0uB6So0aHH0v0jyDs97
VAULT_SKIP_VERIFY: "False" # Recommended
auth: token
mount: mytransit
key: 2022-02-13-test
Organize your configuration in classes
Just like any other inventory parameters, these configurations can be inherited from a common class or defined per target.
inventory/classes/common.yml
classes:
- security.backend
...
inventory/classes/security/backend.yml
parameters:
kapitan:
secrets:
<backend>: <configuration>
ADVANCED: Mix-and-Match backends
Remember that you can use multiple backends at the same time, and also use variable interpolation for an even greater flexibility.
In a multi-cloud setup, for instance, you could configure both GKMS
GCP configuration
inventory/classes/cloud/gcp.yml
classes:
- security.backends.gkms
...
inventory/classes/security/backends/gkms.yml
# Configuration for GCP targets
parameters:
backend: gkms
kapitan:
secrets:
gkms: <configuration>
AWS configuration
inventory/classes/security/backends/awskms.yml
# Configuration for AWS targets
parameters:
backend: awskms
kapitan:
secrets:
awskms: <configuration>
inventory/classes/cloud/aws.yml
classes:
- security.backends.awskms
...
Now because they both set the parameters.backend
variable, you can define a reference whose backend changes based on what class is assigned to the target
inventory/targets/cloud/gcp/acme.yml
classes:
- cloud.aws
parameters:
...
mysql:
# the secret backend will change based on the cloud assigned to this target
root_password: ?{${backend}:targets/${target_name}/mysql/root_password}
...
Define references
References can be defined in the inventory following the syntax spaces added for clarity:
?{
<backend_id>
:
<reference_path>
}
expand for advanced features
The syntax also supports for process functions and create_functions which we will discuss later, which brings the full syntax to
?{
<backend_id>
:
<reference_path>
}
|<process_function>
||<create_function>
parameters:
...
mysql:
root_password: ?{plain:targets/${target_name}/mysql/root_password}
...
not encrypted
This reference type does not support encryption: it is intended for non sensitive data only. DO NOT use plain
for storing sensitive information!
parameters:
...
mysql:
root_password: ?{base64:targets/${target_name}/mysql/root_password}
...
not encrypted
This reference type does not support encryption: it is intended for non sensitive data only. DO NOT use base64
for storing sensitive information!
parameters:
...
mysql:
root_password: ?{gpg:targets/${target_name}/mysql/root_password}
...
parameters:
...
mysql:
root_password: ?{gkms:targets/${target_name}/mysql/root_password}
...
parameters:
...
mysql:
root_password: ?{awskms:targets/${target_name}/mysql/root_password}
...
parameters:
...
mysql:
root_password: ?{azkms:targets/${target_name}/mysql/root_password}
...
parameters:
...
mysql:
root_password: ?{env:targets/${target_name}/mysql/root_password}
...
read-only
parameters:
...
mysql:
root_password: ?{vaultkv:targets/${target_name}/mysql/root_password}
...
parameters:
...
mysql:
root_password: ?{vaultkv:targets/${target_name}/mysql/root_password:mount:path/in/vault:mykey}
...
parameters:
...
mysql:
root_password: ?{vaulttransit:targets/${target_name}/mysql/root_password}
...
Assign a value
Manually
You can assign values to your reference using the command line. Both reading from a file and pipes are supported.
Please Note
Kapitan will fail compilation if a reference is not found. Please see how to assign a value automatically in the next section
kapitan refs --write plain:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write plain:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
kapitan refs --write base64:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write base64:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
kapitan refs --write gpg:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write gpg:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
kapitan refs --write gkms:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write gkms:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
kapitan refs --write vaulttransit:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write vaulttransit:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
kapitan refs --write azkms:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write azkms:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
Setting default value only
The env
backend works in a slightly different ways, as it allows you to reference environment variables at runtime.
For example, for a reference called {?env:targets/envs_defaults/mysql_port_${target_name}}
, Kapitan would look for an environment variable called KAPITAN_ENV_mysql_port_${TARGET_NAME}
.
If that variable cannot be found in the Kapitan environment, the default will be taken from the refs/targets/envs_defaults/mysql_port_${TARGET_NAME}
file instead.
kapitan refs --write env:refs/targets/envs_defaults/mysql_port_${TARGET_NAME} -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write env:refs/targets/envs_defaults/mysql_port_${TARGET_NAME} -t ${TARGET_NAME} -f -
kapitan refs --write vaultkv:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f <input file>
which also works with pipes
cat input_file | kapitan refs --write vaultkv:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
This backend expects the value to be stored as a key:value
pair.
echo "a_key:a_value" | kapitan refs --write vaulttransit:refs/targets/${TARGET_NAME}/mysql/root_password -t ${TARGET_NAME} -f -
When reading from disk, the input file should be formatted accordingly.
Automatically
Kapitan has built in capabilities to initialise its references on creation, using an elegant combination of primary and secondary functions. This is extremely powerful because it allows for you to make sure they are always initialised with sensible values.
primary functions
To automate the creation of the reference, you can add one of the following primary functions to the reference tag by using the syntax ||primary_function:param1:param2
For instance, to automatically initialise a reference with a random string with a lenght of 32 characters, you can use the random
primary function
```yaml
parameters:
...
mysql:
root_password: ?{${backend}:targets/${target_name}/mysql/root_password||random:str:32}
...
```
Initialise non existent references
The first operator here ||
is more similar to a logical OR.
- If the reference file does not exist, Kapitan will use the function to initialise it
- If the reference file exists, no functions will run.
Automate secret rotation with ease
You can take advantage of it to implement easy rotation of secrets. Simply delete the reference files, and run kapitan compile
: let Kapitan do the rest.
Generator function for alphanumeric characters, will be url-token-safe
?{${backend}:targets/${target_name}/mysql/root_password||random:str}
generator function for digits (0-9)
?{${backend}:targets/${target_name}/mysql/root_password||random:int}
generator function for lowercase letters (a-z)
?{${backend}:targets/${target_name}/mysql/root_password||random:loweralpha}
generator function for uppercase letters (A-Z)
?{${backend}:targets/${target_name}/mysql/root_password||random:upperalpha}
generator function for lowercase letters and numbers (a-z and 0-9)
?{${backend}:targets/${target_name}/mysql/root_password||random:loweralphanum}
generator function for uppercase letters and numbers (A-Z and 0-9)
?{${backend}:targets/${target_name}/mysql/root_password||random:upperalphanum}
generator function for alphanumeric characters and given special characters
?{${backend}:targets/${target_name}/mysql/root_password||random:special}
Generates an RSA 4096 private key (PKCS#8). You can optionally pass the key size
?{${backend}:targets/${target_name}/private_key||rsa}
Generates a ed25519 private key (PKCS#8)
?{${backend}:targets/${target_name}/private_key||ed25519}
Derives the public key from a revealed private key
?{${backend}:targets/${target_name}/private_key||rsa}
?{${backend}:targets/${target_name}/public_key||reveal:targets/${target_name}/private_key|publickey}
DEPRECATED: use ||publickey
Generates a base64 encoded pair of username:password
?{${backend}:targets/${target_name}/apache_basicauth||basicauth:username:password}
Reveals the content of another reference, useful when deriving public keys or a reference requires a different encoding or the same value.
?{${backend}:targets/${target_name}/secret||random:str}
?{${backend}:targets/${target_name}/base64_secret||reveal:targets/${target_name}/secret|base64}
attention when rotating secrets used with reveal
If you use reveal to initialise a reference, like my_reference||reveal:source_reference
the my_reference
will not be automatically updated if source_reference
changes.
Please make sure you also re-initialise my_reference
correctly
secondary functions
base64 encodes your reference
?{${backend}:targets/${target_name}/secret||random:str|base64}
sha256 hashes your reference
param1
: salt
?{${backend}:targets/${target_name}/secret||random:str|sha256}
Reveal references
You can reveal the secrets referenced in the outputs of kapitan compile
via:
```shell
kapitan refs --reveal -f path/to/rendered/template
```
For example, compiled/minikube-mysql/manifests/mysql_secret.yml
with the following content:
```yaml
apiVersion: v1
data:
MYSQL_ROOT_PASSWORD: ?{gpg:targets/minikube-mysql/mysql/password:ec3d54de}
MYSQL_ROOT_PASSWORD_SHA256: ?{gpg:targets/minikube-mysql/mysql/password_sha256:122d2732}
kind: Secret
metadata:
annotations: {}
labels:
name: example-mysql
name: example-mysql
namespace: minikube-mysql
type: Opaque
```
can be revealed as follows:
```shell
kapitan refs --reveal -f compiled/minikube-mysql/manifests/mysql_secret.yml
```
This will substitute the referenced secrets with the actual decrypted secrets stored at the referenced paths and display the file content.
You can also use:
```shell
kapitan refs --reveal --ref-file refs/targets/all-glob/mysql/password
```
or
```shell
kapitan refs --reveal --tag "?{base64:targets/all-glob/mysql/password}"
# or
kapitan refs --reveal --tag "?{base64:targets/all-glob/mysql/password:3192c15c}"
```
for more convenience.
Embedded refs
Please refer to the CLI reference for more details.
YAML SubVars References
Kapitan is also able to use access specific keys in YAML content by using subvars.
For instance given a reference plain:larder
with content:
```yaml
food:
apples: 1
```
I could now have an inventory variable like:
```yaml
parameters:
number_of_apples: ?{plain:larder@food.apple}
```
Using subvars
to ingest yaml from command line tools
Subvars can have a very practical use for storing YAML outputs coming straight from other tools. For instance, I could use the GCP gcloud
command to get all the information about a cluster, and write it into a reference
```shell
gcloud container clusters describe \
--project ${TARGET_NAME}-project \
gke-cluster --zone europe-west1 --format yaml \
| kapitan refs --write plain:clusters/${TARGET_NAME}/cluster -t ${TARGET_NAME} -f -
```
knowing the output of gcloud
to produce yaml that contain the following values:
```yaml
...
name: gke-cluster
releaseChannel:
channel: REGULAR
selfLink: https://container.googleapis.com/v1/projects/kapicorp/locations/europe-west1/clusters/gke-cluster
...
```
I can not reference the link to the cluster in the inventory using:
```yaml
parameters:
cluster:
name: ?{plain:clusters/${target_name}/cluster@name}
release_channel: ?{plain:clusters/${target_name}/cluster@releaseChannel.channel}
link: ?{plain:clusters/${target_name}/cluster@selfLink}
```
Combined with a Jinja template, I could write automatically documentation containing the details of the clusters I use.
```text
{% set p = inventory.parameters %}
# Documentation for {{p.target_name}}
Cluster [{{p.cluster.name}}]({{p.cluster.link}}) has release channel {{p.cluster.release_channel}}
```
Hashicorp Vault
vaultkv
Considering a key-value pair like my_key
:my_secret
in the path secret/foo/bar
in a kv-v2(KV version 2) secret engine on the vault server, to use this as a secret use:
```shell
echo "foo/bar:my_key" | kapitan refs --write vaultkv:path/to/secret_inside_kapitan -t <target_name> -f -
```
To write a secret in the vault with kapitan use a ref tag with following structure:
```yaml
parameters:
...
secret:
my_secret: ?{vaultkv:targets/${target_name}/mypath:mount:path/in/vault:mykey||<functions>}
...
```
Leave mount
empty to use the specified mount from vault params from the inventory (see below). Same applies to the path/in/vault
where the ref path in kapitan gets taken as default value.
Parameters in the secret file are collected from the inventory of the target we gave from CLI -t <target_name>
. If target isn't provided then kapitan will identify the variables from the environment when revealing secret.
The environment variables which can also be defined in kapitan inventory are VAULT_ADDR
, VAULT_NAMESPACE
, VAULT_SKIP_VERIFY
, VAULT_CLIENT_CERT
, VAULT_CLIENT_KEY
, VAULT_CAPATH
& VAULT_CACERT
.
Note that providing these variables through the inventory in envvar style is deprecated.
Users should update their inventory to set these values in keys without the VAULT_
prefix and in all lowercase.
For example VAULT_ADDR: https://127.0.0.1:8200
should be given as addr: https://127.0.0.1:8200
in the inventory.
Please note that configuring one of these values in both kapitan.secrets.vaultkv
in the inventory and in the environment will cause a validation error.
Extra parameters that can be defined in inventory are:
auth
: specify which authentication method to use liketoken
,userpass
,ldap
,github
&approle
mount
: specify the mount point of key's path. e.g if path=alpha-secret/foo/bar
thenmount: alpha-secret
(defaultsecret
)engine
: secret engine used, eitherkv-v2
orkv
(defaultkv-v2
)
The environment variables which cannot be defined in inventory are VAULT_TOKEN
,VAULT_USERNAME
,VAULT_PASSWORD
,VAULT_ROLE_ID
,VAULT_SECRET_ID
.
```yaml
parameters:
kapitan:
secrets:
vaultkv:
auth: userpass
engine: kv-v2
mount: team-alpha-secret
addr: http://127.0.0.1:8200
namespace: CICD-alpha
skip_verify: false
client_key: /path/to/key
client_cert: /path/to/cert
```
vaulttransit
Considering a key-value pair like my_key
:my_secret
in the path secret/foo/bar
in a transit secret engine on the vault server, to use this as a secret use:
```shell
echo "any.value:whatever-you_may*like" | kapitan refs --write vaulttransit:my_target/to/secret_inside_kapitan -t <target_name> -f -
```
Parameters in the secret file are collected from the inventory of the target we gave from CLI -t <target_name>
. If target isn't provided then kapitan will identify the variables from the environment when revealing secret.
Environment variables that can be defined in kapitan inventory are VAULT_ADDR
, VAULT_NAMESPACE
, VAULT_SKIP_VERIFY
, VAULT_CLIENT_CERT
, VAULT_CLIENT_KEY
, VAULT_CAPATH
& VAULT_CACERT
.
Extra parameters that can be defined in inventory are:
auth
: specify which authentication method to use liketoken
,userpass
,ldap
,github
&approle
mount
: specify the mount point of key's path. e.g if path=my_mount
(defaulttransit
)crypto_key
: Name of theencryption key
defined in vault-
always_latest
: Always rewrap ciphertext to latest rotated crypto_key version Environment variables cannot be defined in inventory areVAULT_TOKEN
,VAULT_USERNAME
,VAULT_PASSWORD
,VAULT_ROLE_ID
,VAULT_SECRET_ID
.parameters: kapitan: vars: target: my_target namespace: my_namespace secrets: vaulttransit: VAULT_ADDR: http://vault.example.com:8200 VAULT_TOKEN: s.i53a1DL83REM61UxlJKLdQDY VAULT_SKIP_VERIFY: "True" auth: token mount: transit crypto_key: new_key always_latest: False parameters: target_name: secrets kapitan: secrets: vaulttransit: VAULT_ADDR: http://127.0.0.1:8200 VAULT_TOKEN: s.i53a1DL83REM61UxlJKLdQDY VAULT_SKIP_VERIFY: "True" auth: token mount: transit crypto_key: key always_latest: False
Azure KMS Secret Backend
To encrypt secrets using keys stored in Azure's Key Vault, a key_id
is required to identify an Azure key object uniquely.
It should be of the form https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
.
Defining the KMS key
This is done in the inventory under parameters.kapitan.secrets
.
```yaml
parameters:
kapitan:
vars:
target: ${target_name}
namespace: ${target_name}
secrets:
azkms:
key: 'https://<keyvault-name>.vault.azure.net/keys/<object-name>/<object-version>'
```
The key can also be specified using the --key
flag
Creating a secret
Secrets can be created using any of the methods described in the "creating your secret" section.
For example, if the key is defined in the prod
target file
```shell
echo "my_encrypted_secret" | kapitan refs --write azkms:path/to/secret_inside_kapitan -t prod -f -
```
Using the --key
flag and a key_id
```shell
echo "my_encrypted_secret" | kapitan refs --write azkms:path/to/secret_inside_kapitan --key=<key_id> -f -
```
Referencing and revealing a secret
Secrets can be referenced and revealed in any of the ways described above.
For example, to reveal the secret stored at path/to/secret_inside_kapitan
```shell
kapitan refs --reveal --tag "?{azkms:path/to/secret_inside_kapitan}"
```
Note: Cryptographic algorithm used for encryption is rsa-oaep-256.