CircleCI

Describes how to integrate CloudTruth with CircleCI.

Integrating CloudTruth with CircleCI to Inject Configuration Variables and Secrets

This documentation covers integrating CloudTruth with CircleCI to inject configuration variables and secrets directly into your CircleCI pipelines using the CloudTruth CLI.

Overview

By integrating CloudTruth with CircleCI, you can securely manage and inject configuration variables, environment-specific settings, and secrets into your CircleCI pipelines. This enables consistent, secure, and flexible configuration management across different environments.

Prerequisites

  1. CloudTruth Account: Ensure you have an active CloudTruth account. Visit CloudTruth to sign up.

  2. CloudTruth CLI: The CloudTruth CLI should be installed and accessible in your CircleCI pipeline.

  3. API Key: Generate a CloudTruth API key to authenticate within CircleCI. This key allows CircleCI to access and inject the variables and secrets from CloudTruth into the pipeline.

Step 1: Set Up CloudTruth API Key in CircleCI

  1. Go to your CircleCI project’s settings.

  2. In the left-hand sidebar, click Environment Variables.

  3. Add a new environment variable:

    • Name: CLOUDTRUTH_API_KEY

    • Value: Your CloudTruth API key (obtained from your CloudTruth account under API settings).

This will allow CircleCI to authenticate with CloudTruth using the CLI during pipeline execution.

Step 2: Modify Your CircleCI Configuration

In your project repository, modify your .circleci/config.yml to install the CloudTruth CLI and use it to fetch configuration data or secrets.

Here’s a sample configuration that demonstrates how to integrate CloudTruth in a CircleCI pipeline:

version: 2.1

executors:
  default-executor:
    docker:
      - image: circleci/python:3.8

jobs:
  build:
    executor: default-executor
    steps:
      - checkout
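      - run:
          name: Install CloudTruth CLI
          command: |
            # Installs the latest release by piping a remote script into bash; for reproducible
            # builds, review the script and pin a specific release instead of "latest".
            # -f makes curl fail on an HTTP error instead of handing an error page to bash.
            curl -fsSL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh | bash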
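      - run:
          name: Authenticate CloudTruth
          command: |
            # CLOUDTRUTH_API_KEY is already exported from the project's environment variables
            cloudtruth --api-key "${CLOUDTRUTH_API_KEY}" status
      - run:
          name: Fetch CloudTruth Configuration
          command: |
            # Fetching configuration variables and secrets from CloudTruth
            umask 077  # keep the generated file readable only by the build user
            cloudtruth parameters get --project my_project --env production --format env > .env
      - run:
          name: Use CloudTruth Variables in Pipeline
          command: |
            # Each run step starts a new shell, so load the file in the step that needs it;
            # set -a exports the variables so child processes such as deploy.sh can read them
            set -a; source .env; set +a
            # Example usage of CloudTruth configuration variables in the build process
            # (report only whether a secret is set; never echo its value into the build log)
            echo "API_KEY is ${API_KEY:+set}"
            echo "ENVIRONMENT: ${ENVIRONMENT}"
            # Your build commands go here
            ./deploy.sh
            rm -f .env  # do not leave secrets in the workspace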

workflows:
  version: 2
  build:
    jobs:
      - build

Key Steps Explained:

  1. Install CloudTruth CLI: This step installs the latest version of the CloudTruth CLI in the CircleCI build environment.

  2. Authenticate CloudTruth: This step authenticates CloudTruth using the API key stored in CircleCI environment variables.

  3. Fetch Configuration: The cloudtruth parameters get command retrieves the configuration variables and secrets from CloudTruth. The --format env flag outputs the parameters in a format compatible with environment variables, which can then be sourced into the pipeline.

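  4. Use Configuration Variables: The variables fetched from CloudTruth can be referenced using standard environment variable syntax in pipeline steps. Each CircleCI run step starts a new shell, so a step must source the .env file itself (or the values must be appended to $BASH_ENV) before it references them. Avoid echoing secret values, because everything a step prints ends up in the build log.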
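
The fetch step above writes parameters to .env and loads them with source, which runs the file as shell code, so a parameter value containing $(...) or backticks would be executed on the build machine. The following added example (not part of the CloudTruth documentation or CLI) treats the file as data instead; the helper name emit_exports and the assumed KEY=VALUE line format are assumptions made for illustration.

```shell
# Added example (not CloudTruth's code). emit_exports is a hypothetical helper.
# Assumption: FILE holds one KEY=VALUE pair per line, optionally prefixed with
# "export " and optionally wrapped in one pair of matching quotes.
#
# emit_exports FILE: print one  export KEY='value'  line per parameter, treating
# every value as data. The body is a subshell, so no variables leak to the caller.
emit_exports() (
  q="'" dq='"'
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#export }"
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    val=${line#*=}
    # Reject lines without "=" and names that are not shell identifiers.
    case "$key" in
      "$line"|''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "rejected: invalid parameter name" >&2  # never echo the value
        return 1 ;;
    esac
    # Strip one pair of matching surrounding quotes, if present.
    case "$val" in
      $dq*$dq) val=${val#$dq}; val=${val%$dq} ;;
      $q*$q) val=${val#$q}; val=${val%$q} ;;
    esac
    # Escape embedded single quotes as '\'' so that $(...), backticks and $VAR
    # inside a value stay literal when the emitted line is sourced later.
    esc=""
    while :; do
      case "$val" in
        *$q*) esc="$esc${val%%$q*}$q\\$q$q"; val=${val#*$q} ;;
        *) break ;;
      esac
    done
    printf "export %s='%s'\n" "$key" "$esc$val"
  done < "$1"
)
```

In a CircleCI job, `emit_exports .env >> "$BASH_ENV"` makes the parameters available to later run steps, because CircleCI sources $BASH_ENV at the start of each step.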

Step 3: Fetch Specific Parameters

Using the --name flag, you can also specify particular variables and secrets you want to inject into your pipeline. For example:

cloudtruth parameters get --name API_KEY --project my_project --env production

This will retrieve only the API_KEY from the production environment in the my_project project.

Best Practices

  • Scope by Project and Environment: Always scope your configuration variables by project and environment to ensure you retrieve the correct data for each deployment stage.

  • Use Secrets Management: CloudTruth allows you to manage secrets like API keys, database passwords, and tokens. These can be securely injected into your CircleCI pipelines, minimizing the risk of exposing sensitive information.

  • Version Control: CloudTruth provides versioning of configuration parameters, allowing you to easily roll back to previous versions or track changes over time.

Example Use Cases

  • Managing API Keys: Store API keys for different services in CloudTruth and inject them into your CircleCI pipelines based on the environment (e.g., staging, production).

  • Environment-Specific Configurations: Use CloudTruth to store environment-specific configurations (e.g., database URLs, feature flags) and dynamically fetch them based on the current environment.


With this integration, you can securely and dynamically manage your configuration variables and secrets in CloudTruth while ensuring they are automatically injected into CircleCI pipelines. This streamlines your CI/CD process and reduces the complexity of managing sensitive configuration data.

Copyright© 2023 CloudTruth