Once Upon a Secret
TL;DR
Challenges in consistent property file structure
One of our amazing clients, who uses MuleSoft, recently transitioned to a new YAML property file. The file serves a dual purpose: it supports both local development and Helm deployments, supplying properties as environment variables to applications running on Azure Kubernetes Service (AKS). Our key challenge was to maintain a consistent structure and key naming convention across the property files for both uses.

Acknowledging the security risk
The YAML file contained a mix of application properties and sensitive credentials. For AKS deployments we prioritised security by tokenising the credentials and replacing them at deploy time with secrets from Azure Key Vault. Local development, however, runs without the Azure DevOps pipeline, so a separate YAML file with unencrypted secrets and credentials was used. Historically, these 'development' secrets were committed in plain text to a GitHub repository, where anyone with read access to the repository (and its history) could see them. Even for non-production credentials this posed a security risk and conflicted with our client's policies.
Keeping plain text secrets out of GitHub
To address this, we implemented a solution that combined Mozilla SOPS (Secrets OPerationS) with Azure Key Vault. SOPS encrypts the secret values in the YAML file in place, leaving the keys and structure readable, and wraps its data key with a key held in Azure Key Vault, so only developers whose identities have been granted access to that key can decrypt the file. The encrypted file can then be committed safely. This enhanced security while minimising disruption to the development experience, ensuring that sensitive information remained safeguarded across teams.
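The two pieces a practitioner needs to see are the `.sops.yaml` that binds the properties file to a Key Vault key and a check that stops a plaintext file from reaching Git. The script below is an added example, not the client's or the SOPS project's own code: the vault name, key name, key version, file names, property names and the sample files are all invented, and the "encrypted" file is only shaped like SOPS output. `check_sops_encrypted` is the kind of guard you would wire into a pre-commit hook.

```shell
#!/usr/bin/env bash
# Added example (not the client's or SOPS's own code). Shows the .sops.yaml
# that binds a dev properties file to an Azure Key Vault key, and a pre-commit
# style check that rejects any dev YAML whose secret-looking values are not
# SOPS ciphertext. Vault, key, version, file and property names are invented.
set -u

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# 1. .sops.yaml: sops finds this by walking up from the file's directory.
#    Only keys matching encrypted_regex are encrypted, so the structure and
#    non-secret properties stay readable (and diffable) in Git.
cat > "$work/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: (^|/)dev\.yaml$
    azure_keyvault: https://example-kv.vault.azure.net/keys/sops-dev/0123456789abcdef0123456789abcdef
    encrypted_regex: '(password|secret|token|key|connection_string)$'
EOF
# With that in place a developer runs:  sops -e -i dev.yaml     (encrypt in place)
#                                       sops dev.yaml           (edit, re-encrypt on save)
#                                       sops exec-env dev.yaml 'mvn mule:run'

# 2. Key names we treat as secrets; keep in step with encrypted_regex above.
SECRET_KEY_RE='^[[:space:]]*[A-Za-z0-9_.-]*(password|secret|token|key|connection_string)[A-Za-z0-9_.-]*:[[:space:]]*'

# Returns 0 only if FILE carries SOPS metadata bound to an Azure Key Vault key
# and every secret-looking value above the sops: block is an ENC[...] string.
# Prints what is wrong to stderr and returns 1 otherwise.
check_sops_encrypted() {
  file="$1"
  rc=0
  if ! grep -Eq '^sops:' "$file"; then
    echo "$file: no 'sops:' metadata block, file was never encrypted" >&2
    rc=1
  fi
  if ! grep -Eq '^[[:space:]]+azure_kv:' "$file"; then
    echo "$file: no azure_kv entry, data key is not wrapped by Key Vault" >&2
    rc=1
  fi
  # Scan only the document body (sops appends its metadata at the end).
  offending=$(sed -n '/^sops:/q;p' "$file" \
    | grep -En "$SECRET_KEY_RE" \
    | grep -Ev ':[[:space:]]*ENC\[AES256_GCM,' || true)
  if [ -n "$offending" ]; then
    echo "$file: plaintext secret values:" >&2
    echo "$offending" >&2
    rc=1
  fi
  return $rc
}

# --- Constructed sample inputs (not real data) -----------------------------
# What used to be committed: dev secrets in clear text.
cat > "$work/dev.plain.yaml" <<'EOF'
mule:
  env: dev
  http.port: "8081"
  db.password: "Winter2024!"
  api.client_secret: "abc123"
EOF

# The same file after `sops -e -i`. Ciphertext, mac and the wrapped data key
# are placeholders shaped like sops output, not real sops output.
cat > "$work/dev.enc.yaml" <<'EOF'
mule:
  env: dev
  http.port: "8081"
  db.password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
  api.client_secret: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
sops:
  azure_kv:
    - vault_url: https://example-kv.vault.azure.net
      name: sops-dev
      version: 0123456789abcdef0123456789abcdef
      created_at: "2024-01-01T00:00:00Z"
      enc: placeholder-wrapped-data-key
  encrypted_regex: (password|secret|token|key|connection_string)$
  mac: ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]
  version: 3.8.1
EOF

for f in "$work/dev.plain.yaml" "$work/dev.enc.yaml"; do
  if check_sops_encrypted "$f"; then echo "OK     $f"; else echo "REJECT $f"; fi
done
```

Two caveats before relying on this. First, sops authenticates to Key Vault through the Azure identity chain (a developer's `az login` session, or a service principal from the `AZURE_*` environment variables), and that identity needs permission to use the key for encrypt and decrypt operations; a developer who is not known to the vault gets a decryption error, which is exactly the behaviour you want. Second, the check above only catches values under secret-looking key names, so keep its regex and the `encrypted_regex` in `.sops.yaml` in step, and prefer committing only files that sops has produced rather than hand-edited ones.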
Once upon a secret
Once upon a time there was a big online retailer. They sold lots of clothes and had many happy developers in many villages. But one naughty team of villagers had to use a slightly different tech stack. That's not why they were naughty, oh no; they were naughty because they were putting all the secret non-prod words in the special Git Well, where all their special magic code lived.
They hid this from the great overseers, the Sect of SecDev, until one day the Arch Architect decided to change the structure of the property files so that they would look the same, both for Helm the Great application deployer and for all the locals who just wanted to look at the files in their own village so they could develop quickly.
However, one of the minions from the Sect of SecDev found out about the local secrets the villagers were keeping in the Git Well and grew angry.
"Why are you keeping the secrets so that all can see?" the Minion spewed.
One of the villagers simpered, "Please, oh secure one, we only keep 'not so important' secrets in the Well". But the Minion knew that such talk was heresy, for the secrets could open the bridges to the Great Clouds, and understood that the path to production could be found if the Dark Hackers so wished. "Silence, fool!" he bellowed. "You have seven star rises to remedy this abomination."
So the villagers sought the help of the Arch Architect, who took pity on them, and came up with a plan that would leverage the power of the Great Clouds but also help the villagers to secure their magic code words and still work quickly.
The Arch Architect toiled, and found Secrets Operations (SOPS). She knew that code words could be made secret using SOPS, but still the answer of how to share the keys among the villagers vexed her so. Then she remembered one of the Great Clouds that the Minion of SecDev worshipped… for that cloud had an Azure vault of keys!
She knew the vault would only trust villagers that were made known to it. The villagers would never see the key, but she knew that SOPS (who could speak to the vault of keys) would be able to seal the special words of the development secrets, and unseal them again for the trusted.
The villagers rejoiced, for they had feared hardship if they could not see their words in the Git Well, but they knew this path to be the righteous one, and that the Azure vault of keys and SOPS would make a harmonious pair.
The Sect of SecDev was appeased, the Arch Architect found new peace, and the villagers continued to develop magical code, and help sell many, many items of clothing.