Secrets management

CG DevX manages secrets (platform and workloads) and provides SSO functionality through the OIDC capabilities of the secrets management provider (HashiCorp Vault by default). The secrets module is defined in /terraform/secrets/main.tf.

The secrets management module securely stores the set of parameters that PR automation (Atlantis) needs in order to "execute" Terraform (plan and apply changes):

  • cluster_name: K8s cluster name
  • workloads: Workloads definitions loaded from the workloads.tfvars.json file
  • vcs_bot_ssh_public_key: Git machine user SSH public key, generated by CLI
  • vcs_bot_ssh_private_key: Git machine user SSH private key, generated by CLI
  • vcs_token: Git access token
  • atlantis_repo_webhook_secret: IaC PR automation webhook secret
  • atlantis_repo_webhook_url: IaC PR automation webhook URL
  • vault_token: Secrets Manager root access token
  • cluster_endpoint: K8s cluster control plane endpoint
  • cluster_ssh_public_key: SSH key used to access K8s nodes where the cloud provider allows it, auto-generated by CLI, cloud-provider-specific
  • tf_backend_storage_access_key: Access key for IaC storage backend, limited to specific cloud providers

The secrets management module uses workload definitions to manage per-workload secret spaces and access. Definitions are provided using the workloads variable passed via the terraform.tfvars.json file.

Below is an example of a terraform.tfvars.json file containing one workload called demo-workload.

{
  "workloads": {
    "demo-workload": {
      "description": "CG DevX Demo-Workload workload definition"
    }
  }
}
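The following is an added illustration, not the CG DevX module from /terraform/secrets/main.tf: a minimal Terraform configuration against the HashiCorp Vault provider that consumes a workloads variable of the shape shown above, stores the Atlantis-facing parameters in a platform KV mount, and gives each workload its own KV mount, a policy scoped to that mount only, and a Kubernetes auth role bound to the workload's namespace. The mount paths ("platform", "workloads/<name>"), the "atlantis_params" variable, and the assumption that a Kubernetes auth method is already enabled at "kubernetes" are all hypothetical choices made for this example.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Assumption: Vault address and token are taken from the environment
# (VAULT_ADDR / VAULT_TOKEN), which the Vault provider reads by default.
provider "vault" {}

# Same shape as the "workloads" block in terraform.tfvars.json above.
variable "workloads" {
  type = map(object({
    description = string
  }))
}

# Hypothetical: a subset of the Atlantis parameters listed on this page,
# passed in as one sensitive object so values never show up in plan output.
variable "atlantis_params" {
  type = object({
    cluster_name                 = string
    cluster_endpoint             = string
    vcs_token                    = string
    atlantis_repo_webhook_secret = string
    atlantis_repo_webhook_url    = string
  })
  sensitive = true
}

# Platform secret space: one KV v2 mount holding what Atlantis needs.
resource "vault_mount" "platform" {
  path    = "platform" # hypothetical mount path
  type    = "kv"
  options = { version = "2" }
}

resource "vault_kv_secret_v2" "atlantis" {
  mount     = vault_mount.platform.path
  name      = "atlantis"
  data_json = jsonencode(var.atlantis_params)
}

# Per-workload secret space: one KV v2 mount per workload definition.
resource "vault_mount" "workload" {
  for_each    = var.workloads
  path        = "workloads/${each.key}" # hypothetical path layout
  type        = "kv"
  options     = { version = "2" }
  description = each.value.description
}

# Per-workload policy: access is limited to that workload's own mount, so a
# token carrying "workload-demo-workload" cannot read the platform mount or
# another workload's secrets.
resource "vault_policy" "workload" {
  for_each = var.workloads
  name     = "workload-${each.key}"
  policy   = <<-EOT
    path "workloads/${each.key}/data/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "workloads/${each.key}/metadata/*" {
      capabilities = ["read", "list", "delete"]
    }
  EOT
}

# Hypothetical access binding: service accounts in the workload's own
# Kubernetes namespace (assumed to be named after the workload) may log in
# and receive only the workload policy above.
resource "vault_kubernetes_auth_backend_role" "workload" {
  for_each                         = var.workloads
  backend                          = "kubernetes" # assumed to be enabled already
  role_name                        = each.key
  bound_service_account_names      = ["*"]
  bound_service_account_namespaces = [each.key]
  token_policies                   = [vault_policy.workload[each.key].name]
}
```

With the terraform.tfvars.json shown above this yields one mount at workloads/demo-workload, one policy named workload-demo-workload, and one Kubernetes auth role named demo-workload; adding a second key under "workloads" produces a second, independent set of the three resources without touching the first.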