Secrets Plugin
Cloudify Utilities: Secrets
Description
This plugin adds support for create, read, update and delete operation for complex secrets from the blueprint level.
It is often needed to switch between few DCs during resources provisioning. For instance we may have to provision the same blueprint as 3 deployment in 3 different data centers with Openstack. So far we needed to e.g. add prefix or suffix to each of secrets being a parts of openstack_config. To change credentials (data center location) and make new deployment we needed to change secret key prefix / suffix manually in the blueprint (get_secret intrinsic function invocations).
Secrets plugin can do this automatically - you need only to specify name of DC location.
With secrets plugin you can:
- Perform CRUD operation on secrets from the blueprint.
- Read / write complex structures (dictionaries) as one secret (JSON serialization).
- Switch dynamically between few variants of the same secret (credentials, data center locations related params etc.).
Node types
cloudify.nodes.secrets.Writer
Node responsible for performing CUD operations on the set of secrets.
Properties:
- entries - dictionary with keys being secret names and values being secret value. Secret value may be: dict, list, string, boolean, integer Complex types as: dict and list will be serialized to JSON.
- variant - [OPTIONAL] suffix used to determine variant of secrets (e.g. DC location for credentials secret).
- separator - [OPTIONAL] characters used to separate proper secret name and its variant.
- do_not_delete - [OPTIONAL] it set to true - already created secrets won’t be deleted on uninstall.
Runtime properties:
- data - dictionary containing Secrets API responses for each already created secret.
- do_not_delete
cloudify.nodes.secrets.Reader
Node responsible for performing R operation on the set of secrets.
Properties:
- keys - list of secrets names which values will be retrieved.
- variant - [OPTIONAL] suffix used to determine variant of secrets (e.g. DC location for credentials secret).
- separator - [OPTIONAL]* characters used to separate proper secret name and its variant.
Runtime properties:
- data - dictionary containing Secrets API responses for each secret name specified in keys property.
Examples
Both examples show how plugin works:
-
List current secrets:
cfy secrets list
-
Install write example blueprint:
cfy install write-secret-blueprint.yaml -b write_secrets_test
-
Check already created secrets:
cfy secrets list
For each secret execute:
cfy secrets get <secret name>
-
Install read example blueprint
cfy install read-secret-blueprint.yaml -b read_secrets_test -vv
-
Check outputs of read example deployment (should contain some secrets dump)
cfy deployments outputs read_secrets_test
-
Uninstall read example deployment
cfy uninstall read_secrets_test
-
Uninstall read example deployment
cfy uninstall write_secrets_test
-
Check secrets - notice that secrets with do_not_delete flag set should still be present
cfy secrets list
-
Delete these secrets
cfy secrets delete openstack_config__lab1_tenantA cfy secrets delete openstack_config__lab1_tenantB cfy secrets delete openstack_config__lab2_tenantA