Single credentials' storage #5386

Open
antixar opened this issue Aug 13, 2021 · 1 comment

Comments

antixar (Contributor) commented Aug 13, 2021

Current problem state

The current workflow for supporting all project secrets is difficult and inconvenient:

  • Every developer should add/update 3 different files if a connector secret key is changed
  • Not all developers can add GitHub secrets. Sure, there is a set of responsible people who do it, but sometimes we need to troubleshoot access issues and it is not comfortable to pull them constantly.
  • Support of 2 credentials' storages: GitHub Secrets and LastPass

Possible solution

Update of the CI workflow:

  • The CI script will try to load the necessary config files from the LastPass storage primarily. There is a console utility for this. The name of a LastPass note must be the same as the GitHub secret's name. If these notes do not exist in LastPass, CI will use the old logic (using GitHub secrets).
  • Simplify support of credentials' variables:
    • Use connector unique names as variable prefixes, e.g. connector: source-s3 => the variable prefix: SOURCE_S3_. CI will load only values with the necessary prefixes.
    • Keep the name of the target file in the secret's name, e.g.:
      • default value: SOURCE_S3_CREDS. This value will be saved to the folder ./source-s3/secrets/config.json
      • custom value: SOURCE_S3_CREDS_custom_config.json. This value will be saved to the folder ./source-s3/secrets/custom_config.json
@antixar antixar added the type/enhancement New feature or request label Aug 13, 2021
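
The naming convention proposed in the issue above, sketched as an added example (not code from the issue or from the project). The names `connector_prefix`, `resolve_secret_target` and `SAFE_FILE_NAME` are hypothetical, and restricting the embedded file name to a plain `.json` name is an assumption added here so that a secret's name can never steer the write outside the connector's `secrets` folder.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Assumed policy (not stated in the issue): the file-name part of a secret
# name must be a single path component ending in .json, with no separators.
SAFE_FILE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\.json")


def connector_prefix(connector: str) -> str:
    """source-s3 -> SOURCE_S3_ (the prefix rule from the proposal)."""
    return connector.upper().replace("-", "_") + "_"


def resolve_secret_target(secret_name: str, connectors: Iterable[str],
                          root: Path = Path(".")) -> Optional[Path]:
    """Map a secret or note name to the file its value should be saved to.

    Returns None when the name belongs to no known connector, so only
    values with an expected prefix are loaded. Raises ValueError when the
    file name embedded in the secret name is not a plain file name.
    """
    # Longest connector name first, so source-s3-v2 is tried before source-s3.
    for connector in sorted(connectors, key=len, reverse=True):
        stem = connector_prefix(connector) + "CREDS"
        if secret_name == stem:
            file_name = "config.json"                  # default value
        elif secret_name.startswith(stem + "_"):
            file_name = secret_name[len(stem) + 1:]    # custom value
        else:
            continue
        if not SAFE_FILE_NAME.fullmatch(file_name):
            raise ValueError(f"unsafe target file in secret name {secret_name!r}")
        return root / connector / "secrets" / file_name
    return None


if __name__ == "__main__":
    # Constructed sample names; the last one tries to leave the secrets folder.
    known = ["source-s3", "source-s3-v2"]
    for name in ("SOURCE_S3_CREDS", "SOURCE_S3_CREDS_custom_config.json",
                 "SOURCE_S3_V2_CREDS", "UNRELATED_TOKEN",
                 "SOURCE_S3_CREDS_../../outside.json"):
        try:
            print(name, "->", resolve_secret_target(name, known))
        except ValueError as err:
            print(name, "-> rejected:", err)
```
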

haf commented Aug 24, 2021

A simpler solution would be to add all secrets into the repository. You can create a public-private key (Curve25519 for example), encrypt all secrets to source code with the public key and decrypt the secret in CI with the private key. https://pynacl.readthedocs.io/en/latest/public/
