Local machine secrets management

How to keep local files with passwords to Real environments and avoid accidental check-ins with passwords.

For example, imagine we have a config file for a PRE-Prodcution Environment config-pre.yml with a secret which is injected at run time as a system property by the CI/CD pipeline:

credentials:
  # username: password
  usernamepre: "#(karate.properties['system.usernamepre.secret'])"

The steps for local machine secrets management are:

  1. Create file config-<env>-secrets.yml in src/test/resources with the real passwords.

    This file will simply override the values in config-<env>.yml when running locally, substituting the run time injection of the secret performed in the CI/CD pipeline.

    For example:

    • config-pre-secrets.yml

      credentials:
  # username: password
  usernamepre: <REAL_PASSWORD>
defaultApiKey: <REAL_APIKEY>

  2. These files must be ignored by Git by adding them to the project root .gitignore file, if not there already.

    • .gitignore

      ...
# local secrets (env passwords)
config-*-secrets.yml