Added installation guide
bdpiprava committed Nov 15, 2019
1 parent bef2f44 commit 90acf6e
Showing 2 changed files with 56 additions and 60 deletions.
50 changes: 50 additions & 0 deletions INSTALL.md
@@ -0,0 +1,50 @@
# AWS Secrets Manager plugin for GoCD

The plugin needs to be configured with a secret config in order to connect to AWS Secrets Manager.

Table of Contents
=================

* [Requirements](#requirements)
* [Installation](#installation)
* [Configuration](#configure-the-plugin-to-access-secrets-from-aws)
* [Using secrets](#using-secrets)


## Requirements

* GoCD server version `v19.6.0` or above
* AWS credentials to access secrets from [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)

## Installation

* Copy the file `build/libs/gocd-aws-based-secrets-plugin-VERSION.jar` to the GoCD server under `${GO_SERVER_DIR}/plugins/external`
and restart the server.
* The `GO_SERVER_DIR` is usually `/var/lib/go-server` on **Linux** and `C:\Program Files\Go Server` on **Windows**.

## Configure the plugin to access secrets from AWS

- Login to your GoCD server.
- Navigate to **Admin** > **Secret Management**.
- Click on **ADD** button.
- Configure the mandatory fields.

| Field | Required | Description |
| --------------- | --------- | --------------------------------------------------------------------|
| Endpoint | true | The AWS service endpoint for the plugin to connect. |
| AccessKey | true | The access key as a part of AWS credentials. |
| SecretAccessKey | true | The secret access key as a part of AWS credentials. |
| Region | true | Region in which AWS secrets manager is hosted. |
| SecretName | true | The name of the secret to be utilized. |
| SecretCacheTTL | false | The secrets cache TTL in milliseconds, defaults to 30 minutes. |

**NOTE:** *The plugin caches secrets for a duration configured using the SecretCacheTTL. Currently GoCD does not provide a
way to invalidate the cache. To invalidate the cache, change the SecretCacheTTL and save the SecretConfig.*

- Configure the `rules` where this secrets can be used.
`<rules>` tag defines where this secretConfig is allowed/denied to be referred. For more details about rules and examples refer the GoCD Secret Management [documentation](https://docs.gocd.org/current/configuration/secrets_management.html#step-3-restrict-usage-of-secrets-manager)

- Save.

## Using secrets
- See [Define Secret Params](https://docs.gocd.org/current/configuration/secrets_management.html#step-4-define-secret-params) for more information
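Review bot: the cache note in this hunk ("The plugin caches secrets for a duration configured using the SecretCacheTTL ... change the SecretCacheTTL and save the SecretConfig.") leaves out the consequence operators care about: because there is no invalidation path, a secret that is rotated or revoked in AWS Secrets Manager keeps being served from the plugin cache until the TTL expires, so deployments that rotate credentials should set a short `SecretCacheTTL` rather than rely on the 30-minute default; one sentence saying so would prevent surprises. Two smaller points: the bullet "Configure the `rules` where this secrets can be used." should read "these secrets", and the Installation step copies `build/libs/gocd-aws-based-secrets-plugin-VERSION.jar` without saying where that jar comes from; a pointer to the README's `./gradlew clean test assemble` step or to a release download would close the gap.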
66 changes: 6 additions & 60 deletions README.md
Expand Up @@ -4,74 +4,18 @@
This is a GoCD Secrets Plugin which allows users to use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) as a secret manager for GoCD.

## Table of Contents
* [Configure the plugin](#configure-the-plugin)
* [Building the code base](#building-the-code-base)
* [Install and configure the plugin](/INSTALL.md)
* [Troubleshooting](#troubleshooting)

### Configure the plugin

The plugin needs to be configured with a secret config in order to connect to AWS Secrets Manager. The configuration can be added from the Secrets Management page under Admin > Secret Management.

Alternatively, the configuration can be added directly to the config.xml using the configuration.

```xml
<secretConfigs>
<secretConfig id="aws" pluginId="com.thoughtworks.gocd.secretmanager.aws">
<description>Dummy description</description>
<configuration>
<property>
<key>Endpoint</key>
<value>your-aws-endpoint</value>
</property>
<property>
<key>AccessKey</key>
<value>encrypted-access-key</value>
</property>
<property>
<key>SecretAccessKey</key>
<value>encrypted-secret-access-key</value>
</property>
<property>
<key>Region</key>
<value>aws-region</value>
</property>
<property>
<key>SecretName</key>
<value>secret-name</value>
</property>
</configuration>
<rules>
<allow action="refer" type="environment">env_*</allow>
<deny action="refer" type="pipeline_group">my_group</deny>
<allow action="refer" type="pipeline_group">other_group</allow>
</rules>
</secretConfig>
</secretConfigs>
```

`<rules>` tag defines where this secretConfig is allowed/denied to be referred. For more details about rules and examples refer the GoCD Secret Management [documentation](https://docs.gocd.org/current/configuration/secrets_management.html)

| Field | Required | Description |
| --------------- | --------- | --------------------------------------------------------------------|
| Endpoint | true | The AWS service endpoint for the plugin to connect. |
| AccessKey | true | The access key as a part of AWS credentials. |
| SecretAccessKey | true | The secret access key as a part of AWS credentials. |
| Region | true | Region in which AWS secrets manager is hosted. |
| SecretName | true | The name of the secret to be utilized. |
| SecretCacheTTL | false | The secrets cache TTL in milliseconds, defaults to 30 minutes. |

### Caching
The plugin caches secrets for a duration configured using the SecretCacheTTL. Currently GoCD does not provide a
way to invalidate the cache. To invalidate the cache, change the SecretCacheTTL and save the SecretConfig.

### Building the code base
To build the jar, run `./gradlew clean test assemble`

## Troubleshooting

### Enable Debug Logs
#### Enable Debug Logs

#### If you are on GoCD version 19.6 and above:
##### If you are on GoCD version 19.6 and above:

Edit the file `wrapper-properties.conf` on your GoCD server and add the following options. The location of the `wrapper-properties.conf` can be found in the [installation documentation](https://docs.gocd.org/current/installation/installing_go_server.html) of the GoCD server.

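Review bot: the config.xml alternative (`<secretConfigs>` ... `</secretConfigs>`, including the `<rules>` block with its `allow`/`deny` entries) is removed from the README in this hunk but does not reappear in the new INSTALL.md, which describes only the UI path and links out for rules, so the repository loses its only worked rules example; consider moving that block into INSTALL.md under the rules bullet instead of dropping it. Unless it is also removed, the Table of Contents entry `[Configure the plugin](#configure-the-plugin)` now targets a heading that this hunk deletes and should be dropped or retargeted to `/INSTALL.md`. Finally, the renamed headings skip a level (`## Troubleshooting` straight to `#### Enable Debug Logs` and `##### If you are on GoCD version 19.6 and above:`); `###` and `####` would keep the hierarchy consistent.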
Expand All @@ -80,7 +24,9 @@ Edit the file `wrapper-properties.conf` on your GoCD server and add the followin
wrapper.java.additional.100=-Dplugin.com.thoughtworks.gocd.secretmanager.aws.log.level=debug
```

If you're running with GoCD server 19.6 and above on docker using one of the supported GoCD server images, set the environment variable `GOCD_SERVER_JVM_OPTIONS`:
##### GoCD server 19.6 and above on docker using one of the supported GoCD server images:

set the environment variable `GOCD_SERVER_JVM_OPTIONS`:

```shell
docker run -e "GOCD_SERVER_JVM_OPTIONS=-Dplugin.com.thoughtworks.gocd.secretmanager.aws.log.level=debug" ...
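Review bot: splitting the original sentence leaves a fragment: the new heading `##### GoCD server 19.6 and above on docker using one of the supported GoCD server images:` is followed by the lower-case line "set the environment variable `GOCD_SERVER_JVM_OPTIONS`:". Either keep it as one sentence, as it was, or capitalise the line ("Set the environment variable ...") and drop the trailing colon from the heading, which no other heading in this README carries.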
