How to store secret variables in capistrano

Published 2019-08-01 21:43

Question:

I am writing a Rails app with automated deployment using Capistrano. In the deploy.rb script I have:

set :deploy_to, '/my/deploy/path/'

And in production.rb I have:

server 'example.com', user: 'secret_user_name', roles: %w{web app db}

Currently the app is private. But assume I wanted an open source app like this. Then I wouldn't want secret_user_name and /my/deploy/path to be stored in the repo. If I encountered an issue like this in the Rails project I would store the secret values in secrets.yml and access them from there. However, I don't have access to secrets.yml from Capistrano. So I could manually load the secrets file, but I'm sure there is a better way to do this.

So my question is: How can I have an automated deployment process without exposing server information using Capistrano? Is there a recommended way to store secrets like there is in Rails?

Answer 1:

If your intention is to maintain your own deployment environment (which you keep secret) but open source the code of the application itself, then I would simply move the Capistrano-related files to a separate private repository. Then you can open source the app itself, but keep the Capistrano config private.

There is no need for Capistrano's deploy.rb, etc. to live in the same directory structure or even the same repository as the app that is being deployed. After all, Capistrano deploys based on the :repo_url, which can be anything. It doesn't have to match the repo where Capistrano's files are kept.

If you want to give other people (i.e. those that fork/clone the app) the ability to deploy to their own infrastructure, perhaps the easiest solution is to write up a wiki page explaining how they can set up their own Capistrano config. Deployment environments can vary widely and therefore it is probably not something you can do simply with environment variables or encrypted secrets.

In any case make sure you audit and rewrite your Git history if necessary to make sure you won't be leaking any sensitive config when you make the repo public.



Answer 2:

Environment variables might help you. You can put export SSH_PROD_USER=secret_user_name; in your preferred shell profile. For example, if you use bash then it would be ~/.bash_profile. Then use it in production.rb like this:

server 'example.com', user: ENV['SSH_PROD_USER'], roles: %w{web app db}

So basically Ruby will have all your environment variables.
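The two answers above boil down to the same pattern: keep the connection details out of the repository and have the Capistrano stage file look them up at load time. The loader below is an added example (not code from either answer or from Capistrano itself) that does this in one place: it reads SSH_<STAGE>_HOST, SSH_<STAGE>_USER and SSH_<STAGE>_DEPLOY_TO from the environment first, falls back to a YAML file kept outside the repo (the path ~/.config/myapp/deploy.yml and the env var names are assumptions), refuses a secrets file that is readable by other users, and fails with a clear error before Capistrano opens any SSH connection if a required value is still missing. The stage file then stays free of anything sensitive.

```ruby
# Added example (not from the original answers): resolve Capistrano connection
# settings from the environment, then from a YAML file outside the repository.
require "yaml"

module DeploySecrets
  # Assumed location of the per-machine secrets file; adjust to taste.
  DEFAULT_FILE = File.join(ENV.fetch("HOME", "."), ".config", "myapp", "deploy.yml")
  REQUIRED = %w[host user deploy_to].freeze

  # Returns {"host" => ..., "user" => ..., "deploy_to" => ...} for the stage.
  # Lookup order: SSH_<STAGE>_<KEY> in the environment, then <stage>.<key> in
  # the YAML file. Raises ArgumentError listing whatever is still missing.
  def self.load(stage, env: ENV, file: DEFAULT_FILE)
    from_file = read_file(file, stage)
    prefix = "SSH_#{stage.to_s.upcase}_"
    settings = REQUIRED.each_with_object({}) do |key, acc|
      value = env[prefix + key.upcase] || from_file[key]
      acc[key] = value unless value.nil? || value.to_s.strip.empty?
    end
    missing = REQUIRED - settings.keys
    unless missing.empty?
      raise ArgumentError, "missing deploy settings for #{stage}: #{missing.join(', ')}"
    end
    settings
  end

  # Reads the stage's section of the YAML file. A missing file is not an
  # error (the environment may supply everything); a world- or group-readable
  # file is, because it holds the same secrets the repo was kept free of.
  def self.read_file(file, stage)
    return {} unless File.exist?(file)
    mode = File.stat(file).mode
    unless (mode & 0o077).zero?
      raise "#{file} is readable by group/others (mode #{'%o' % mode}); chmod 600 it"
    end
    data = YAML.safe_load(File.read(file)) || {}
    data.fetch(stage.to_s, {})
  end
end

# Usage from a Capistrano stage file (config/deploy/production.rb), with the
# loader required from a path outside the app repo:
#
#   secrets = DeploySecrets.load(:production)
#   server secrets["host"], user: secrets["user"], roles: %w{web app db}
#   set :deploy_to, secrets["deploy_to"]
#
# and a matching ~/.config/myapp/deploy.yml (chmod 600):
#
#   production:
#     host: example.com
#     user: secret_user_name
#     deploy_to: /my/deploy/path/
```

Because the environment wins over the file, a CI runner can inject SSH_PRODUCTION_USER without ever having the YAML file, while a developer's workstation can rely on the file alone; either way a fork of the public repo deploys with no edits to the committed Capistrano config.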



Answer 3:

Use something like the Figaro gem: https://github.com/laserlemon/figaro

and don't push your application.yml to your repo.

Or use an encrypted repo with credentials.