---
title: CI/CD and infrastructure integrations
slug: /secret-management/integrations
pagination_next: secret-management/zero-knowledge
pagination_prev: secret-management/rotation
sidebar_position: 6
description: >-
  Integration scenarios for Passwork with GitLab CI, GitHub Actions and Kubernetes using the CLI Docker image.
keywords:
  - Passwork
  - CI/CD
  - GitLab CI
  - GitHub Actions
  - Kubernetes
  - Docker
---
## Overview

Passwork integrates with CI/CD platforms through `passwork-cli`. The typical pattern is:

```text
CI/CD Runner ──► passwork-cli exec ──► Deploy script with secrets in ENV
```
| Platform | Integration method |
|---|---|
| GitLab CI | Docker image `passwork/passwork-cli` as the job image |
| GitHub Actions | Docker container via `docker run` |
| Bitbucket Pipelines | Docker image in a pipe |
| Kubernetes | Init container or sidecar |
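The deploy script at the right end of that diagram receives the folder's secrets as plain environment variables. The following `deploy.sh` is an added example, not part of the Passwork documentation: it fails fast when an expected secret is absent and logs only variable names, because values that first appear at runtime under `passwork-cli exec` are not registered with the CI platform's log masking the way configured CI variables are. The names `DB_PASSWORD` and `API_TOKEN` are assumptions for the illustration.

```shell
#!/bin/sh
# deploy.sh (added example, not part of the Passwork documentation).
# Runs under `passwork-cli exec`, so the folder's secrets are already exported
# in the environment. DB_PASSWORD and API_TOKEN are assumed names.
set -eu

# require_vars NAME... -> status 1 if any NAME is unset, empty or not a valid
# identifier. Only names are reported, never values: CI log masking does not
# know about variables injected at runtime, so a printed value would leak.
require_vars() {
    missing=""
    for name in "$@"; do
        case $name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                missing="$missing $name(invalid)"
                continue ;;
        esac
        eval "is_set=\${$name:+set}"
        [ -n "$is_set" ] || missing="$missing $name"
    done
    [ -z "$missing" ] && return 0
    printf 'deploy.sh: missing required secrets:%s\n' "$missing" >&2
    return 1
}

# redact_env -> the environment as NAME=<redacted> lines, safe for a job log.
# Continuation lines of multi-line values never match the pattern and are dropped.
redact_env() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1=<redacted>/p' | sort
}

main() {
    require_vars DB_PASSWORD API_TOKEN
    # Never enable `set -x` here: the trace would echo the expanded secret values.
    redact_env
    # Actual deployment steps follow; hand secrets to tools through the
    # environment rather than on the command line, which is visible in `ps`.
}

# Run main only when invoked as deploy.sh (sourcing the file defines the functions).
if [ "${0##*/}" = "deploy.sh" ]; then
    main "$@"
fi
```

Pass the script to `passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh` exactly as in the platform examples that follow; the check runs before anything that would use the secrets.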
## GitLab CI

### Basic example

```yaml
stages:
  - deploy

deploy_prod:
  stage: deploy
  image: passwork/passwork-cli:latest
  variables:
    PASSWORK_HOST: $PASSWORK_HOST
    PASSWORK_TOKEN: $PASSWORK_TOKEN
    PASSWORK_MASTER_KEY: $PASSWORK_MASTER_KEY
  script:
    - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh
```
### Variable configuration

In Settings → CI/CD → Variables, add:

| Variable | Type | Protected | Masked |
|---|---|---|---|
| PASSWORK_HOST | Variable | Yes | No |
| PASSWORK_TOKEN | Variable | Yes | Yes |
| PASSWORK_MASTER_KEY | Variable | Yes | Yes |
| SECRETS_FOLDER_ID | Variable | Yes | No |
### Multiple environments

```yaml
.deploy_template:
  image: passwork/passwork-cli:latest
  variables:
    PASSWORK_HOST: $PASSWORK_HOST
    PASSWORK_TOKEN: $PASSWORK_TOKEN
    PASSWORK_MASTER_KEY: $PASSWORK_MASTER_KEY
  script:
    - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh

deploy_staging:
  # `extends` merges nested maps, so the template's PASSWORK_* variables are kept;
  # a YAML merge key (<<: *anchor) would replace the whole `variables` block.
  extends: .deploy_template
  stage: deploy
  variables:
    SECRETS_FOLDER_ID: $STAGING_SECRETS_FOLDER_ID
  environment:
    name: staging

deploy_production:
  extends: .deploy_template
  stage: deploy
  variables:
    SECRETS_FOLDER_ID: $PROD_SECRETS_FOLDER_ID
  environment:
    name: production
  when: manual
```
## GitHub Actions

### Basic example

```yaml
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy with secrets
        run: |
          docker run --rm \
            -e PASSWORK_HOST="${{ secrets.PASSWORK_HOST }}" \
            -e PASSWORK_TOKEN="${{ secrets.PASSWORK_TOKEN }}" \
            -e PASSWORK_MASTER_KEY="${{ secrets.PASSWORK_MASTER_KEY }}" \
            -v ${{ github.workspace }}:/app \
            -w /app \
            passwork/passwork-cli:latest \
            exec --folder-id "${{ vars.SECRETS_FOLDER_ID }}" ./deploy.sh
```
### Secrets configuration

In Settings → Secrets and variables → Actions:

- Secrets: `PASSWORK_HOST`, `PASSWORK_TOKEN`, `PASSWORK_MASTER_KEY`
- Variables: `SECRETS_FOLDER_ID`
### Multiple environments

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: |
          docker run --rm \
            -e PASSWORK_HOST="${{ secrets.PASSWORK_HOST }}" \
            -e PASSWORK_TOKEN="${{ secrets.PASSWORK_TOKEN }}" \
            -e PASSWORK_MASTER_KEY="${{ secrets.PASSWORK_MASTER_KEY }}" \
            -v ${{ github.workspace }}:/app \
            -w /app \
            passwork/passwork-cli:latest \
            exec --folder-id "${{ vars.SECRETS_FOLDER_ID }}" ./deploy.sh
```
## Bitbucket Pipelines

```yaml
image: passwork/passwork-cli:latest

pipelines:
  branches:
    main:
      - step:
          name: Deploy to production
          deployment: production
          script:
            - passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" ./deploy.sh
```

Configure the variables under Repository settings → Pipelines → Repository variables.
## Kubernetes

### Init container

An init container fetches the secrets before the main application starts:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: order-service
spec:
  initContainers:
    - name: fetch-secrets
      image: passwork/passwork-cli:latest
      env:
        - name: PASSWORK_HOST
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: host
        - name: PASSWORK_TOKEN
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: token
        - name: PASSWORK_MASTER_KEY
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: master-key
        # The folder ID is not secret, but the command below expects it in the environment
        - name: SECRETS_FOLDER_ID
          value: "<folder-id>"  # placeholder: the Passwork folder holding the app's secrets
      command:
        - sh
        - -c
        - |
          passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" env > /secrets/.env
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
  containers:
    - name: app
      image: order-service:latest
      command:
        - sh
        - -c
        - |
          # `.` is the POSIX spelling of `source`, which a plain sh may not provide
          set -a && . /secrets/.env && set +a
          exec ./app
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
          readOnly: true
  volumes:
    - name: secrets-volume
      emptyDir:
        medium: Memory
```
### Sidecar for periodic refresh

A sidecar refreshes the secrets after rotation without restarting the pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: order-service-with-sidecar
spec:
  containers:
    - name: app
      image: order-service:latest
      # App reloads /secrets/.env when it changes
    - name: secrets-sync
      image: passwork/passwork-cli:latest
      env:
        - name: PASSWORK_HOST
          valueFrom:
            secretKeyRef:
              name: passwork-credentials
              key: host
        # ... other variables
      command:
        - sh
        - -c
        - |
          while true; do
            passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" env > /secrets/.env.new
            mv /secrets/.env.new /secrets/.env
            sleep 300  # refresh every 5 minutes
          done
      volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
  volumes:
    - name: secrets-volume
      emptyDir:
        medium: Memory
```
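Both manifests above hand the application the raw output of `env`, which dumps every variable, the `PASSWORK_*` connection credentials included, unquoted, so a value containing a space, a quote or a `$` breaks the later `set -a; . /secrets/.env`. The script below is an added example, not part of the Passwork documentation or of the CLI: run it in place of `env` under `passwork-cli exec`, and it writes only the named variables, shell-quoted, to a temp file created with mode 0600, then renames it over the target, the same atomic-replace step the sidecar's `mv` performs. The variable names and the `/scripts/render-env.sh` mount path are assumptions.

```shell
#!/bin/sh
# render-env.sh: write selected variables from the environment to an .env file
# that `set -a; . FILE; set +a` reads back verbatim. Added example, not part of
# the Passwork documentation; DB_PASSWORD, API_TOKEN and the mount path are assumed.
#
# Intended use inside the init container or the sidecar loop:
#   passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" \
#       sh /scripts/render-env.sh /secrets/.env DB_PASSWORD API_TOKEN

# shell_quote VALUE -> VALUE wrapped in single quotes, each embedded ' written as '\''.
# Inside single quotes $, backticks, spaces and double quotes are all literal, so the
# sourced value matches exactly (trailing newlines are lost to the $(...) capture).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# render_env DEST NAME... -> writes NAME='value' for every NAME that is set to a
# 0600 temp file next to DEST, then renames it into place so a concurrent reader
# never sees a half-written file. The Passwork connection credentials are skipped
# even if listed; `env` alone would put them next to the application secrets.
render_env() {
    dest=$1
    shift
    tmp="$dest.tmp.$$"
    ( umask 077 && : > "$tmp" ) || return 1
    for name in "$@"; do
        case $name in
            PASSWORK_HOST|PASSWORK_TOKEN|PASSWORK_MASTER_KEY)
                continue ;;
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                # not a valid identifier: refuse rather than feed it to eval
                printf 'render-env: invalid variable name %s\n' "$name" >&2
                rm -f "$tmp"
                return 1 ;;
        esac
        eval "is_set=\${$name+set}"
        if [ -z "$is_set" ]; then
            printf 'render-env: %s is not set, skipping\n' "$name" >&2
            continue
        fi
        eval "val=\$$name"
        printf '%s=%s\n' "$name" "$(shell_quote "$val")" >> "$tmp"
    done
    mv -f "$tmp" "$dest"
}

# Run as a script (sourcing the file only defines the functions).
if [ "${0##*/}" = "render-env.sh" ]; then
    render_env "$@"
fi
```

In the sidecar the loop body becomes a single call, `passwork-cli exec --folder-id "$SECRETS_FOLDER_ID" sh /scripts/render-env.sh /secrets/.env DB_PASSWORD API_TOKEN`, since the rename is already inside the script; listing the names explicitly also documents which secrets the application actually depends on.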
## Why centralize secrets

| Aspect | Without Passwork | With Passwork |
|---|---|---|
| Storage | Scattered across CI variables | Centralized in Passwork |
| Rotation | Update each system separately | Update once in Passwork |
| Auditing | Logs scattered across platforms | A single audit log in Passwork |
| Access control | Configured in each system | RBAC in Passwork |

Keep only the Passwork connection credentials (`PASSWORK_HOST`, `PASSWORK_TOKEN`, `PASSWORK_MASTER_KEY`) in your CI system. Store everything else in Passwork.