The KeyStore is a secure code repository provided by Cloud Native Build, specifically designed for storing sensitive information such as passwords, API keys, certificates, etc. It ensures the secure storage and compliant use of sensitive data through strict access control, page watermarks, audit trails, and other mechanisms.

Creating a KeyStore

1. Access the Repository Creation Page
   Click here to create a KeyStore (requires login).

2. Select Repository Type
   Choose KeyStore as the repository type, and fill in the repository name and description.

   

   Create KeyStore

3. Create
   Click the create button to create the KeyStore.

Core Features of KeyStore

1. Security Restrictions

Feature	Regular Repository	KeyStore
Git Clone to Local	✅	❌
Local Code Push	✅	❌
Page File Editing	✅	✅
Create Branch/Tag/PR	✅	✅
Referenced by Pipelines	✅	✅

2. Enhanced Security Features

• Dynamic Watermark: Automatically adds a semi-transparent watermark of the current username to the page to prevent screenshot leaks.
• Reference Audit: Records all pipeline logs referencing files in this repository, supporting traceability.
• Enforced Page Operations: Only allows file editing via the web interface, prohibiting local operations.
• Stricter Permission Control: Refer to Permission Guide.

Referencing KeyStore Files in Pipelines

1. Adding Files to KeyStore

# env.yml
DOCKER_USER: "username"
DOCKER_TOKEN: "token"
DOCKER_REGISTRY: "https://xxx/xxx"

Importing as Environment Variables

In the pipeline configuration, reference the KeyStore file via the imports field to automatically inject it as environment variables:

# .cnb.yml
main:
  push:
    - services:
        - docker
      imports:
        # Reference KeyStore file
        - https://cnb.cool/<your-repo-slug>/-/blob/main/xxx/env.yml
      stages:
        - name: docker push
          script: |
            docker login -u ${DOCKER_USER} -p "${DOCKER_TOKEN}" ${CNB_DOCKER_REGISTRY}
            docker build -t ${DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:latest .
            docker push ${DOCKER_REGISTRY}/${CNB_REPO_SLUG_LOWERCASE}:latest

Reference Rules

Additional fields such as allow_slugs and allow_events can be configured to control access scope. For more information, refer to File Reference.

Best Practices

1. Classify and Store Sensitive Information

   • Split different Secret Repositories by environment (prod/dev) or project.
   • Use yaml, json, or other file formats to manage secrets.
   • Create a new organization outside the business organization to manage Secret Repositories, reducing the scope of members who can access them.

2. Regularly Rotate Secrets
   After updating secrets via the page editing feature, all pipelines referencing this file will automatically retrieve the new values.

3. Audit and Review
   Check audit logs, clean up invalid references, and revoke permissions for departed members.