
Designing an end-to-end encrypted CI/CD pipeline with Keybase.io - zemanel
https://zemanel.eu/posts/end-to-end-encrypted-ci-cd-pipeline-with-keybase-io/
======
majkinetor
Thanks for this a lot, I was just asking about the possibility of corporate secret
management with Keybase. First time I hear about encrypted repos, but I was
considering using team storage just to keep corporate secrets in a file
system.

Currently I use GitLab on premise and I put secrets in the repository in
pass format. The GitLab runner has a single secret, to access the password store.
This is clearly different than OP's context, in which he wants to utilize
everything in the cloud.

While this works great and devs can read secrets on any OS, I was considering
alternatives for easier on-boarding and additional features. I looked into all
kinds of secret sharing stuff for teams, both commercial and FOSS, but for some
reason I don't "feel it". Vault feels like it is designed more for machines than
humans. Commercial ones seem prohibitively expensive, plus I don't feel great
using the cloud for secret management (or anything non-trivial for that matter - I
could go with a status page maybe). So far Psono looks most promising in the FOSS
world.

In this case, one could use 2 job servers - one that is used only for
sensitive things like deployments, and another one for other stuff, in this
case build. This could be 2 GitLab runners (the CI yaml file itself doesn't
require changes), for example, so the build happens on GitLab.com infrastructure and
the deployment happens on the runner tagged something like self-destruct. If
you think about it, is it enough that this is a Pi in your kitchen? If it is
accessible from outside it can be hacked, so this probably needs to be a _deploy
and terminate myself_ scenario to minimize exposure even further - perhaps one
day also in the cloud, let's call it _proton-runner_ (it would still require a leap
of faith to some measure).

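A sketch of the two-runner split described above, as an added example that is not from the linked post or from anyone in this thread; the runner tag `self-destruct` is the name used in the comment, while the job names, image and scripts are assumptions:

```yaml
# Added example: one pipeline, two runners. The build job runs on GitLab.com
# shared runners and never sees deployment secrets; the deploy job runs only
# on a self-hosted runner tagged "self-destruct", which is the only place the
# deployment credential lives.
stages:
  - build
  - deploy

build:
  stage: build
  image: alpine:3.19          # assumption: whatever image the build needs
  script:
    - ./build.sh              # assumption: produces dist/ and contains no secrets
  artifacts:
    paths:
      - dist/
    expire_in: 1 hour

deploy:
  stage: deploy
  needs: [build]
  tags:
    - self-destruct           # only runners registered with this tag pick up the job
  resource_group: production  # one deployment at a time
  environment:
    name: production
  rules:
    # protected default branch only, and a human has to press the button
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
    - when: never
  script:
    # the runner reads the deploy secret locally (e.g. from its own password
    # store) instead of receiving it as a GitLab CI/CD variable
    - ./deploy.sh dist/       # assumption: deploy.sh fetches credentials on the runner
```

Register the tagged runner with running of untagged jobs disabled and locked to the project, so that untagged build jobs can never be scheduled onto the machine that holds the deployment secret.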
~~~
zemanel
The “Pi” wouldn't need to be (publicly) reachable. It would just need to be
able to connect to Keybase and other private services. For remote management
and talking to private services over the internet, I guess SSH, VPN or ZeroTier <3?

Edit: for secrets in Keybase I think repos are better since it's not as easy to
mistakenly delete the files? Plus one has change history. But other people
might know better than me.

~~~
majkinetor
You think the Pi could use polling to determine when to deploy?

SSH/VPN all have the same problem - you need to give a secret to the remote
infrastructure.

> for secrets in Keybase I think repos are better since it's not as easy to
> mistakenly delete the files?

Good observation, having historic secrets could also be used as a feature.

~~~
zemanel
To determine when to deploy, I mention it's possible to listen to team chat
messages for commits, so event based. There might be more efficient solutions;
I think I came across somewhere that it's possible to listen to other types of
events. Need to dig deeper.

------
NotPaidToPost
This is trying to solve a problem whose root cause is people handing their
source code to a remote third party (here GitLab).

~~~
zemanel
Well, erhmm, yes :-) so I was exploring whether it was possible to do that in the
same way we can give our (encrypted) data to Keybase. Or at least, utilise as
many cloud services as possible.

------
lostmsu
The job server could run in cloud with remote attestation.

~~~
zimmerfrei
Is there any?

