
[DBOPS-1196]: Document runtime credential support feature

Open Sonichigo opened this issue 6 months ago • 4 comments

Thanks for contributing to the Harness Developer Hub! Our code owners will review your submission.

Description

  • Please describe your changes: This guide explains how secrets (like registry credentials, clone script secrets, and database passwords) are managed securely at runtime in DBOps pipelines within Harness.
  • Jira/GitHub Issue numbers (if any): DBOPS-1196

PR lifecycle

We aim to merge PRs within one week or less, but delays happen sometimes.

If your PR is open longer than two weeks without any human activity, please tag a code owner in a comment.

PRs must meet these requirements to be merged:

  • [x] Successful preview build.
  • [ ] Code owner review.
  • [x] No merge conflicts.
  • [x] Release notes/new features docs: Feature/version released to at least one prod environment.

Sonichigo avatar May 09 '25 08:05 Sonichigo

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 09 '25 08:05 CLAassistant

Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://681dba6fee86c865d40f96e5--harness-developer.netlify.app

bot-gitexp-user avatar May 09 '25 08:05 bot-gitexp-user

Resolved the following conversation from #10289 : -

  1. can we add sshot for this how to disable the setting to turn this feature on

  2. @stephenatwell @Sonichigo just confirming our default secrets capability itself is secure, I think we should modify this page to say that if your container pods are accessible to support/dev team thus compromising your secrets based on your cluster privileges then this feature adds further security due to runtime? thoughts? Else it would be enabled by all customers thinking our default logic is not secure

To resolve 1st, added the steps to disable - provide step group registry credentials to execution container to false.

To resolve 2nd have added below:

In Harness DBOps pipelines, secrets like container registry credentials, database passwords, and script tokens are needed to run your workflows. By default, these secrets are stored as Kubernetes Secrets and attached to the pods when they run. However, for organizations with stricter compliance requirements or a desire to minimize secrets exposure, this feature lets you pass secrets directly to containers only when they’re needed—without saving them in pod specs, Kubernetes manifests, or keeping them after the step finishes.

Sonichigo avatar May 15 '25 11:05 Sonichigo
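
An added example, not part of this PR or of Harness's code: the comment above contrasts secrets attached to pods as Kubernetes Secrets with secrets passed only at runtime, and this sketch lists every Secret a pod spec references, using the standard Kubernetes pod fields, so a reviewer can check what a given pod object records. The manifest and every name in it are constructed; how Harness shapes its own step pods is not shown on this page.

```python
import json

# Constructed sample pod manifest (hypothetical names, not taken from Harness).
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dbops-step-example"},
  "spec": {
    "imagePullSecrets": [{"name": "registry-creds"}],
    "volumes": [
      {"name": "clone-token", "secret": {"secretName": "clone-script-token"}},
      {"name": "scratch", "emptyDir": {}}
    ],
    "containers": [{
      "name": "step",
      "image": "registry.example.com/dbops/step:1.0",
      "env": [
        {"name": "DB_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
        {"name": "LOG_LEVEL", "value": "info"}
      ],
      "envFrom": [{"secretRef": {"name": "step-env"}}]
    }]
  }
}
""")

def secret_references(pod):
    """Return sorted (location, secret_name) pairs for each Secret the pod spec references."""
    spec = pod.get("spec", {})
    refs = set()
    for s in spec.get("imagePullSecrets", []):       # registry credentials
        refs.add(("imagePullSecrets", s["name"]))
    for v in spec.get("volumes", []):                # Secrets mounted as files
        if "secret" in v:
            refs.add((f"volume:{v['name']}", v["secret"]["secretName"]))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):                   # single keys injected as env vars
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.add((f"env:{c['name']}/{e['name']}", ref["name"]))
        for ef in c.get("envFrom", []):              # whole Secrets injected as env vars
            if "secretRef" in ef:
                refs.add((f"envFrom:{c['name']}", ef["secretRef"]["name"]))
    return sorted(refs)

if __name__ == "__main__":
    for location, name in secret_references(SAMPLE_POD):
        print(f"{location:28} -> Secret/{name}")
```

An empty result means only that the pod spec references no Secret objects; it does not inspect values delivered to the container by other means.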

Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://6825d755c0e25eb9dace2ac6--harness-developer.netlify.app

bot-gitexp-user avatar May 15 '25 12:05 bot-gitexp-user

Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://682c639a8314ad35b8308853--harness-developer.netlify.app

bot-gitexp-user avatar May 20 '25 11:05 bot-gitexp-user

Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://682f72c3db5be934523a08e5--harness-developer.netlify.app

bot-gitexp-user avatar May 22 '25 18:05 bot-gitexp-user

Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://682f73f70742c940730fea59--harness-developer.netlify.app

bot-gitexp-user avatar May 22 '25 18:05 bot-gitexp-user