Secrets Management

    Beluga is not currently deployed with an integrated secrets manager. You can use the var_sources block in your pipeline to load values from your own secrets manager (at the time of writing, Concourse supports only Vault in var_sources). For example:

    var_sources:
    - name: my-vault
      type: vault
      config:
        url: http://myvault.com:8200
        auth_backend: approle
        auth_params:
          role_id: "xxx-xxx-xxx-xxx-xxx"
          secret_id: "xxx-xxx-xxx-xxx-xxx"
    
    resources:
    - name: beluga-repo
      type: git
      source:
        uri: https://github.com/EngineerBetter/beluga.git
        username: some-user
        password: ((my-vault:git-password))
    

    Before setting a pipeline like the above, configure your Vault by following the Concourse Vault documentation. The above example uses an approle auth backend that requires a role_id and secret_id, which can be created by following these steps.

    The secret in the above example can be created with this command:

    vault kv put concourse/<team-name>/git-password value="password123"