The client credentials, database passwords, access tokens are considered as secrets and they are usually kept in a vault. CatenaX have a central Hashicorp vault component to store these types of secrets and credentails to prevant from revealing them in a public source code repository to ensure security. These secrets are then utilized by Kubernetes resources through helm charts in a safe and secure manner.
At the time of writing this guide, ArgoCD was used to deploy the application. It accesses the secrets through its built-in vault plugins which solves the secret management issues with GitOps. Vault plugin internally uses a special vault token for authentication, retrieve actual secret values against their keys and subsitute them in a deployment.
Further read about ArgoCD valut plugin here: ArgoCD vault plugin
MaterialPass team is allocated a vault space at HashiCorp Vault - Material Pass .
To access a material pass vault space, a vault token is required
Vault contents:
- edc/oauth#api.key
- edc/participant#bpnNumber
- backend/#signKey
- backend#clientId
- backend#clientSecret
- oauth#realm
- oauth#appId
- oauth#xApiKey
To put a secret from vault, a special pattern is followed in helm values files:
<path:some/path#secret-key#version>Some examples below:
<path:material-pass/data/int/edc/vault#vault.hashicorp.url>
<path:material-pass/data/int/edc/vault#vault.hashicorp.url#1>Note: /data/ path is always be placed after material-pass, though it is not defined in a vault directory structure. AVP uses this data path itself internally.
To use a vault and create new secret, please look here: how to-use vault create a secret
If dpp frontend is run using docker, the following environment variables must be set in build and deploy script:
- APP_VERSION
- APP_API_MAX_RETRIES
- API_SEARCH_TIMEOUT
- API_NEGOTIATE_TIMEOUT
- API_DECLINE_TIMEOUT
- APP_API_DELAY
- REPO_COMMIT_ID
- REPO_ENDPOINT_URL
- AUTH_ROLE_CHECK
- AUTH_BPN_CHECK
- AUTH_BPN_NUMBER
- APP_PORTAL_URL
- APP_ADMIN_EMAIL
- APP_AUTO_SIGN
- IDENTITY_PROVIDER_URL
- HOST_URL
- DATA_URL
- KEYCLOAK_CLIENTID
- KEYCLOAK_REALM
- KEYCLOAK_ONLOAD
# run script
../buildAndDeploy.sh consumer-uiThe required variables must be set in values-*.yaml file manually.
Further info about vault plugin for helm charts: argocd-vault-plugin-helm
Veracode upload-and-scan is used for secret scanning and scan results are then published in veracode dashboard once job is completed Static Application Serucity Testing
Git Guardian tool is used to scan secrets within application. It is currently active in the repository and managed by SEC team.
A client side git hook that runs prior to commit code changes.
A client-side git hook similar to pre-commit hook that runs right before code changes are pushed to a remote origin.
GitGuardian hooks are performed through ggshield utility. ggshield is a wrapper around GitGuardian API for secrets detection that requires an API key to work. Please refer the official documentation for more information here
- Setting up Git Guradian for the project: gitguardian-shield
- The git hooks for the repository: yaml file
- Release Guidelines requirements: here
This work is licensed under the Apache-2.0.
- SPDX-License-Identifier: Apache-2.0
- SPDX-FileCopyrightText: 2022, 2024 BMW AG, Henkel AG & Co. KGaA
- SPDX-FileCopyrightText: 2023, 2024 CGI Deutschland B.V. & Co. KG
- SPDX-FileCopyrightText: 2023 Contributors to the Eclipse Foundation
- Source URL: https://github.com/eclipse-tractusx/digital-product-pass