Secrets
Motivation
Secrets require cautious management.
We aim to track who can access them, who are utilizing them, and how secret rotations are performed.
However, in practice, we have observed widespread secret dissemination. Secrets are becoming pervasive, appearing in plaintext within source code, configuration management tools like Chef, Puppet, Ansible, and eventually making their way into version control systems such as GitHub, GitLab, or Bitbucket. Ultimately, they are dispersed throughout our infrastructure, accessible to anyone with login credentials.
Terminus OS categorizes secrets based on usage scenarios and employs various management techniques.
| Data Type | Storage Location | Leak Risk | Usage | |
|---|---|---|---|---|
| Vault Item | Includes website and database passwords, blockchain private keys, etc. | Vault | Encrypted data in Terminus ensures that third parties cannot view even upon logging in | Each use requires a signature from TermiPass |
| Credentials | System access credentials obtained post-secure authentication: Tokens, Cookies, etc. | Infisical | Viewable by third parties post-authentication in Terminus by following specific steps | Available to applications through an API after obtaining Provider permissions |
| Secret | Sensitive data used in Pod containers, like database connections and admin accounts | ETCD | Directly visible in ControlHub | Used in Helm deployment templates; secret values are injected into environment variables via valueFrom -> secretKeyRef |
Integration Credential
Users can grant applications within Terminus OS access to credentials by logging into third-party service accounts, within Settings. For instance:
Logging into Terminus Space allows the Backup program to request tokens for automated backend backups.
Logging into Google enables the File program to synchronize with Google Drive data.
Applications in Terminus OS can acquire third-party service credentials integrated in Settings via Service Provider.
Application Credential
- Applications can manage and utilize Credential through Terminus OS-provided interfaces.
- Credentials generated by an application are exclusively for its own use.