KeyStore
The KeyStore is a secure code repository provided by Cloud Native Build, specifically designed for storing sensitive information such as passwords, API keys, and certificates. It ensures the secure storage and compliant use of sensitive data through strict access control, page watermarks, audit trails, and other mechanisms.
Creating a KeyStore
1. Access the repository creation page: click here to create a KeyStore (requires login).
2. Select the repository type: choose KeyStore as the repository type, and fill in the repository name and description.
3. Create: click the create button to create the KeyStore.
Core Features of KeyStore
1. Security Restrictions
Feature | Regular Repository | KeyStore |
---|---|---|
Git Clone to Local | ✅ | ❌ |
Local Code Push | ✅ | ❌ |
Page File Editing | ✅ | ✅ |
Create Branch/Tag/PR | ✅ | ✅ |
Referenced by Pipelines | ✅ | ✅ |
2. Enhanced Security Features
- Dynamic Watermark: Automatically adds a semi-transparent watermark of the current username to the page to prevent screenshot leaks.
- Reference Audit: Records all pipeline logs referencing files in this repository, supporting traceability.
- Enforced Page Operations: Only allows file editing via the web interface, prohibiting local operations.
- Stricter Permission Control: Refer to Permission Guide.
Referencing KeyStore Files in Pipelines
1. Adding Files to KeyStore
```yaml
# env.yml
DOCKER_USER: "username"
DOCKER_TOKEN: "token"
DOCKER_REGISTRY: "https://xxx/xxx"
```
2. Importing as Environment Variables
In the pipeline configuration, reference the KeyStore file via the imports field to automatically inject its keys as environment variables:
```yaml
# .cnb.yml
main:
  push:
    - services:
        - docker
      imports:
        # Reference the KeyStore file; its keys become environment variables
        - https://cnb.cool/<your-repo-slug>/-/blob/main/xxx/env.yml
      stages:
        - name: docker push
          script: |
            # Pass the token on stdin so it does not show up in the process list or the job log,
            # and log in to the same registry the image is pushed to.
            echo "${DOCKER_TOKEN}" | docker login -u "${DOCKER_USER}" --password-stdin "${DOCKER_REGISTRY}"
            docker build -t ${DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:latest .
            docker push ${DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:latest
```
3. Reference Rules
Additional fields such as allow_slugs and allow_events can be configured in the referenced file to control its access scope. For more information, refer to File Reference.
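A small check a KeyStore maintainer could run on a secret file before committing it through the page editor, to confirm that it actually restricts who may import it. This is an added example, not CNB's own code; it assumes (the page does not show the exact syntax) that allow_slugs and allow_events are top-level list keys in the imported YAML file, and the sample files below are constructed.

```python
"""Added example (not CNB code): verify a KeyStore secret file declares the
allow_slugs / allow_events scope fields. Assumption: both are top-level lists."""

SCOPE_KEYS = ("allow_slugs", "allow_events")


def parse_flat_yaml(text):
    """Parse the YAML subset env files use: top-level `key: value` scalars and
    `key:` followed by `- item` lines. Deliberately not a general YAML parser."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            data[current].append(line[2:].strip().strip("\"'"))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip().strip("\"'")
        current = None if value else key      # an empty value opens a list
        data[key] = value if value else []
    return data


def check_secret_file(text):
    """Return a list of findings; an empty list means the file is scoped."""
    data = parse_flat_yaml(text)
    findings = []
    for key in SCOPE_KEYS:
        if not data.get(key):
            findings.append(f"{key} missing: any repo/event with KeyStore access could import it")
    if "*" in data.get("allow_slugs", []):  # assumed wildcard form, flagged as over-broad
        findings.append("allow_slugs contains '*': narrow it to the pipelines that need these secrets")
    if not [k for k in data if k not in SCOPE_KEYS]:
        findings.append("file defines no secrets")
    return findings


# Constructed inputs: the page's env.yml as-is, and a variant scoped to one repo and event.
UNSCOPED = 'DOCKER_USER: "username"\nDOCKER_TOKEN: "token"\nDOCKER_REGISTRY: "https://xxx/xxx"\n'
SCOPED = 'allow_slugs:\n  - "<your-org>/<your-repo>"\nallow_events:\n  - push\n' + UNSCOPED

if __name__ == "__main__":
    for name, text in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, check_secret_file(text) or ["ok"])
```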
Best Practices
Classify and Store Sensitive Information
- Split different Secret Repositories by environment (prod/dev) or project.
- Use yaml, json, or other file formats to manage secrets.
- Create a new organization outside the business organization to manage Secret Repositories, reducing the scope of members who can access them.
Regularly Rotate Secrets
After updating secrets via the page editing feature, all pipelines referencing this file will automatically retrieve the new values.
Audit and Review
Check audit logs, clean up invalid references, and revoke permissions for departed members.