CI/CD and Infrastructure Integrations
Overview
Passwork integrates with CI/CD platforms through passwork-cli. The typical pattern looks like this:
CI/CD Runner ──► passwork-cli exec ──► Deploy script with secrets in ENV
| Platform | Integration method |
|---|---|
| GitLab CI | The passwork/passwork-cli Docker image as the job image |
| GitHub Actions | Docker container via docker run |
| Bitbucket Pipelines | Docker image in a pipe |
| Kubernetes | Init container or sidecar |
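The deploy script at the right-hand end of this pattern is the part the platform examples below leave to you. The following is an added example, not part of the Passwork documentation or of passwork-cli: a deploy.sh skeleton that passwork-cli exec starts with the folder's secrets already in its environment. It verifies that the secrets it needs are present and non-empty, keeps values out of the CI log (only names are ever printed), and hands secrets to tools through their environment rather than argv. The names DB_PASSWORD, API_TOKEN and ./run-migrations are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Passwork's code): deploy.sh skeleton run via
# `passwork-cli exec --folder-id ... ./deploy.sh`. The secrets arrive as
# environment variables; nothing below prints a secret value.

# Secrets this deployment expects passwork-cli to have injected (assumed names).
REQUIRED_SECRETS="DB_PASSWORD API_TOKEN"

# check_required_secrets "NAME1 NAME2 ...": returns 0 when every listed
# variable is set and non-empty. Otherwise it prints only the *names* of the
# missing variables to stderr and returns 1.
check_required_secrets() {
    missing=""
    for name in $1; do
        # POSIX sh has no ${!name}; eval reads the variable whose name is in $name.
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "deploy.sh: missing or empty secrets:$missing" >&2
        return 1
    fi
    return 0
}

# deploy: the actual deployment, run only after the secrets check passes.
deploy() {
    set +x   # make sure command tracing is off while secrets are in scope
    check_required_secrets "$REQUIRED_SECRETS" || exit 1
    echo "deploy.sh: required secrets present: $REQUIRED_SECRETS (values not logged)"
    # Map a secret onto the variable the tool expects and pass it through the
    # environment, not argv: argv is visible to every process on the runner
    # via ps. ./run-migrations is a stand-in for the real deploy step.
    PGPASSWORD="$DB_PASSWORD" ./run-migrations
}

# Run the deployment only when this file is executed as deploy.sh, so the
# functions above can also be sourced and checked on their own.
case "${0##*/}" in
    deploy.sh) deploy "$@" ;;
esac
```

Because passwork-cli exec puts the secrets into the script's environment, every child process inherits them automatically; the explicit PGPASSWORD assignment only renames one for a tool that expects a specific variable. Masked CI variables protect the Passwork credentials in the log, but they do not mask the secrets fetched from Passwork, which is why the script itself must avoid echoing them.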
GitLab CI
Basic example
```yaml
stages:
  - deploy

deploy_prod:
  stage: deploy
  image: passwork/passwork-cli:latest
  variables:
    PASSWORK_HOST: $PASSWORK_HOST
    PASSWORK_TOKEN: $PASSWORK_TOKEN
    PASSWORK_MASTER_KEY: $PASSWORK_MASTER_KEY
  script:
    - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh
```
Setting up variables
Under Settings → CI/CD → Variables, add:
| Variable | Type | Protected | Masked |
|---|---|---|---|
| PASSWORK_HOST | Variable | Yes | No |
| PASSWORK_TOKEN | Variable | Yes | Yes |
| PASSWORK_MASTER_KEY | Variable | Yes | Yes |
| SECRETS_FOLDER_ID | Variable | Yes | No |
Multiple environments
```yaml
.deploy_template: &deploy_template
  image: passwork/passwork-cli:latest
  variables:
    PASSWORK_HOST: $PASSWORK_HOST
    PASSWORK_TOKEN: $PASSWORK_TOKEN
    PASSWORK_MASTER_KEY: $PASSWORK_MASTER_KEY
  script:
    - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh

# Note: the YAML merge key `<<` merges one level deep, so a job-level
# `variables:` block replaces the template's. The Passwork credentials are still
# available to the job because they are project-level CI/CD variables.
deploy_staging:
  <<: *deploy_template
  stage: deploy
  variables:
    SECRETS_FOLDER_ID: $STAGING_SECRETS_FOLDER_ID
  environment:
    name: staging

deploy_production:
  <<: *deploy_template
  stage: deploy
  variables:
    SECRETS_FOLDER_ID: $PROD_SECRETS_FOLDER_ID
  environment:
    name: production
  when: manual
```
GitHub Actions
Basic example
```yaml
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy with secrets
        run: |
          docker run --rm \
            -e PASSWORK_HOST="${{ secrets.PASSWORK_HOST }}" \
            -e PASSWORK_TOKEN="${{ secrets.PASSWORK_TOKEN }}" \
            -e PASSWORK_MASTER_KEY="${{ secrets.PASSWORK_MASTER_KEY }}" \
            -v ${{ github.workspace }}:/app \
            -w /app \
            passwork/passwork-cli:latest \
            exec --folder-id "${{ vars.SECRETS_FOLDER_ID }}" ./deploy.sh
```
Setting up secrets
Under Settings → Secrets and variables → Actions:
- Secrets: PASSWORK_HOST, PASSWORK_TOKEN, PASSWORK_MASTER_KEY
- Variables: SECRETS_FOLDER_ID
Multiple environments
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: |
          docker run --rm \
            -e PASSWORK_HOST="${{ secrets.PASSWORK_HOST }}" \
            -e PASSWORK_TOKEN="${{ secrets.PASSWORK_TOKEN }}" \
            -e PASSWORK_MASTER_KEY="${{ secrets.PASSWORK_MASTER_KEY }}" \
            -v ${{ github.workspace }}:/app \
            -w /app \
            passwork/passwork-cli:latest \
            exec --folder-id "${{ vars.SECRETS_FOLDER_ID }}" ./deploy.sh
```
Bitbucket Pipelines
```yaml
image: passwork/passwork-cli:latest

pipelines:
  branches:
    main:
      - step:
          name: Deploy to production
          deployment: production
          script:
            - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh
```
Configure the variables under Repository settings → Pipelines → Repository variables.
Kubernetes
Init container
An init container fetches the secrets before the main application starts:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: order-service
spec:
  initContainers:
    - name: fetch-secrets
      image: passwork/passwork-cli:latest
      env:
        - name: PASSWORK_HOST
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: host
        - name: PASSWORK_TOKEN
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: token
        - name: PASSWORK_MASTER_KEY
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: master-key
        - name: SECRETS_FOLDER_ID
          value: "<folder-id>"   # placeholder: the Passwork folder to read from
      command:
        - sh
        - -c
        - |
          passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" env > /secrets/.env
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
  containers:
    - name: app
      image: order-service:latest
      command:
        - sh
        - -c
        - |
          # "." is the POSIX spelling of "source" and works in any /bin/sh
          set -a && . /secrets/.env && set +a
          exec ./app
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
          readOnly: true
  volumes:
    - name: secrets-volume
      emptyDir:
        medium: Memory   # tmpfs: the secrets never touch the node's disk
```
Sidecar for periodic refresh
A sidecar refreshes the secrets after rotation without restarting the Pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: order-service-with-sidecar
spec:
  containers:
    - name: app
      image: order-service:latest
      # App reloads /secrets/.env when it changes
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
          readOnly: true
    - name: secrets-sync
      image: passwork/passwork-cli:latest
      env:
        - name: PASSWORK_HOST
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: host
        # ... other variables
      command:
        - sh
        - -c
        - |
          while true; do
            # replace the live file only if the fetch succeeded
            passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" env > /secrets/.env.new \
              && mv /secrets/.env.new /secrets/.env
            sleep 300 # refresh every 5 minutes
          done
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
  volumes:
    - name: secrets-volume
      emptyDir:
        medium: Memory
```
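The refresh loop above is deliberately minimal. The following is an added example, not Passwork's code, of a hardened version of the same loop as a stand-alone script for the sidecar: it writes the fetched secrets to a temporary file, replaces the live file only when the fetch exited 0 and produced output, and otherwise keeps the last known-good secrets, so a network error, an expired token or a Pod without SECRETS_FOLDER_ID can never hand the application an empty file. SECRETS_DIR, REFRESH_INTERVAL and the script name secrets-sync.sh are assumed names.

```shell
#!/bin/sh
# Added example (not Passwork's code): hardened refresh loop for the
# secrets-sync sidecar. Replaces the live .env only after a successful,
# non-empty fetch; on failure the previous secrets stay in place.

SECRETS_FILE="${SECRETS_DIR:-/secrets}/.env"
INTERVAL="${REFRESH_INTERVAL:-300}"   # seconds between refreshes (assumed)

# refresh_secrets CMD [ARGS...]: run CMD, which must print KEY=VALUE lines on
# stdout, and atomically replace $SECRETS_FILE with its output. Returns 0 on
# success and 1 when the fetch failed; on failure the previous file is left
# untouched and the temporary file is removed.
refresh_secrets() {
    tmp="$SECRETS_FILE.new"
    if ! "$@" > "$tmp"; then
        echo "secrets-sync: fetch failed, keeping previous secrets" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "secrets-sync: fetch produced no output, keeping previous secrets" >&2
        rm -f "$tmp"
        return 1
    fi
    # rename(2) is atomic within one filesystem: a reader sees either the old
    # file or the complete new one, never a partially written file.
    mv -f "$tmp" "$SECRETS_FILE"
    echo "secrets-sync: refreshed $SECRETS_FILE ($(wc -l < "$SECRETS_FILE") entries)" >&2
    return 0
}

# sync_loop: the sidecar's main loop. A failed refresh is logged and simply
# retried on the next round instead of aborting the container.
sync_loop() {
    while true; do
        refresh_secrets passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" env || true
        sleep "$INTERVAL"
    done
}

# Run the loop only when executed as secrets-sync.sh, so refresh_secrets can
# also be sourced and checked with a stand-in fetch command.
case "${0##*/}" in
    secrets-sync.sh) sync_loop ;;
esac
```

Only the entry count is logged, never the contents. On the application side, the rename also means a watcher comparing the file's mtime or a checksum will only ever observe a complete file, which is what makes the "app reloads /secrets/.env when it changes" comment in the manifest safe to implement.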
Why centralize secrets
| Aspect | Without Passwork | With Passwork |
|---|---|---|
| Storage | Scattered across CI variables | Centralized in Passwork |
| Rotation | Update every system separately | Update once in Passwork |
| Audit | Logs spread across platforms | Single audit log in Passwork |
| Access control | Configured in each system | RBAC in Passwork |
Tip
Store only the Passwork connection credentials (PASSWORK_HOST, PASSWORK_TOKEN, PASSWORK_MASTER_KEY) in your CI system. Store everything else in Passwork.