This guide provides best practices for integrating Kado and Keybase into your CI/CD pipeline, especially when running inside containers.
- Mounting Directories
- Keybase Integration
- Security Considerations
- CI/CD Pipeline Configuration
- Best Practices
- Troubleshooting
To allow Kado to access your configuration files, templates, and other resources, you need to mount the relevant directories from your host system to the container.
docker run -v $(pwd):/workspace ghcr.io/janpreet/kado:latest kado [command]
This command mounts the current directory to /kado-workspace in the container.
yamlCopyversion: '3'
services:
kado:
image: ghcr.io/janpreet/kado:latest
volumes:
- ./:/workspace
command: kado [command]
In your CI/CD pipeline, ensure that your job checks out the repository and mounts it to the container:
name: Deploy Infrastructure
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
container:
image: your-registry/kado:latest
volumes:
- ${{ github.workspace }}:/kado-workspace
steps:
- uses: actions/checkout@v2
- name: Set up Keybase
run: |
echo "${{ secrets.KEYBASE_PAPERKEY }}" | keybase oneshot
kado keybase link
env:
KEYBASE_PAPERKEY: ${{ secrets.KEYBASE_PAPERKEY }}
- name: Deploy with Kado
run: |
cd /kado-workspace
kado set cluster.yaml
- Generate a paper key for your Keybase account.
- Store the paper key securely in your CI/CD platform's secret management system.
- In your CI/CD job, use the paper key to authenticate Keybase:
job_name:
image: your-registry/kado:latest
script:
- echo $KEYBASE_PAPERKEY | keybase oneshot
- kado keybase link
# Your Kado commands here
Reference Keybase notes in your templates using the {{keybase:note:note_name}}
syntax:
pm_user = {{keybase:note:proxmox_api_key}}
pm_password = {{keybase:note:secret_token}}
- Paper Key Security: Never expose your Keybase paper key in logs or non-secure storage.
- Ephemeral Sessions: Use
keybase oneshot
to create temporary Keybase sessions. - Least Privilege: Use a Keybase account with minimal necessary permissions for CI/CD.
- Secure Note Storage: Store sensitive information in Keybase notes, not in your codebase.
name: Deploy Infrastructure
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
container: your-registry/kado:latest
steps:
- uses: actions/checkout@v2
- name: Set up Keybase
run: |
echo "${{ secrets.KEYBASE_PAPERKEY }}" | keybase oneshot
kado keybase link
env:
KEYBASE_PAPERKEY: ${{ secrets.KEYBASE_PAPERKEY }}
- name: Deploy with Kado
run: kado set cluster.yaml
-
Configuration Management:
- Use
.kd
files for defining beads. - Keep sensitive data in Keybase notes, referenced in templates.
- Use
-
Testing:
- Implement a test stage in your CI/CD pipeline using
kado -debug
. - Validate templates and configurations before deployment.
- Implement a test stage in your CI/CD pipeline using
-
Logging and Monitoring:
- Enable debug logging in CI/CD for troubleshooting.
- Monitor Keybase activity for any suspicious actions.
-
Secret Rotation:
- Regularly rotate your Keybase paper key.
- Update Keybase notes with new credentials periodically.
-
Error Handling:
- Implement proper error handling in your CI/CD scripts.
- Set up notifications for pipeline failures.
-
Keybase Authentication Issues:
- Ensure the paper key is correctly stored in CI/CD secrets.
- Check Keybase logs for authentication errors.
-
Template Processing Errors:
- Verify that all referenced Keybase notes exist.
- Check for syntax errors in your templates.
-
Container Issues:
- Ensure all required tools are installed and accessible in the container.
- Verify the container has necessary permissions to execute Kado and Keybase.
-
Pipeline Failures:
- Review CI/CD logs for specific error messages.
- Test Kado commands locally to replicate issues.
By following these best practices and guidelines, you can effectively integrate Kado and Keybase into your CI/CD pipeline, ensuring secure and efficient infrastructure management.