Merge pull request #90421 from zr-msft/ds-k8s-secret-build

Jak-MS · web-flow · commit 5b226f5d0a3b · 2019-12-03T15:48:49.000-06:00
[Dev Spaces] added section for doing build time secrets
diff --git a/articles/dev-spaces/how-to/manage-secrets.md b/articles/dev-spaces/how-to/manage-secrets.md
@@ -1,7 +1,7 @@
 ---
 title: "How to manage secrets when working with an Azure Dev Space"
 services: azure-dev-spaces
-ms.date: "05/11/2018"
+ms.date: "12/03/2019"
 ms.topic: "conceptual"
 description: "Rapid Kubernetes development with containers and microservices on Azure"
 keywords: "Docker, Kubernetes, Azure, AKS, Azure Container Service, containers"
@@ -10,7 +10,7 @@ keywords: "Docker, Kubernetes, Azure, AKS, Azure Container Service, containers"
 
 Your services might require certain passwords, connection strings, and other secrets, such as for databases or other secure Azure services. By setting the values of these secrets in configuration files, you can make them available in your code as environment variables.  These must be handled with care to avoid compromising the security of the secrets.
 
-Azure Dev Spaces provides two recommended, streamlined options for storing secrets in Helm charts generated by the Azure Dev Spaces client tooling: in the values.dev.yaml file, and inline directly in azds.yaml. It's not recommended to store secrets in values.yaml. Outside of the two approaches for Helm charts generated by the client tooling defined in this article, if you create your own Helm chart, you can use the Helm chart directly to manage and store secrets.
+Azure Dev Spaces provides two recommended, streamlined options for storing secrets in Helm charts generated by the Azure Dev Spaces client tooling: in the `values.dev.yaml` file, and inline directly in `azds.yaml`. It's not recommended to store secrets in `values.yaml`. Outside of the two approaches for Helm charts generated by the client tooling defined in this article, if you create your own Helm chart, you can use the Helm chart directly to manage and store secrets.
 
 ## Method 1: values.dev.yaml
 1. Open VS Code with your project that is enabled for Azure Dev Spaces.
@@ -56,7 +56,7 @@ Azure Dev Spaces provides two recommended, streamlined options for storing secre
 7. Make sure that you add _values.dev.yaml_ to the _.gitignore_ file to avoid committing secrets in source control.
  
  
-## Method 2: Inline directly in azds.yaml
+## Method 2: azds.yaml
 1.	In _azds.yaml_, set secrets under the yaml section configurations/develop/install. Although you can enter secret values directly there, it's not recommended because _azds.yaml_ is checked into source control. Instead, add placeholders using the "$PLACEHOLDER" syntax.
 
     ```yaml
@@ -99,6 +99,44 @@ Azure Dev Spaces provides two recommended, streamlined options for storing secre
     kubectl get secret --namespace default -o yaml
     ```
 
+## Passing secrets as build arguments
+
+The previous sections showed how to pass secrets to use at container run time. You can also pass a secret at container build time, such as a password for a private NuGet, using `azds.yaml`.
+
+In `azds.yaml`, set the build time secrets in *configurations.develop.build.args* using the `<variable name>: ${secret.<secret name>.<secret key>}` syntax. For example:
+
+```yaml
+configurations:
+  develop:
+    build:
+      dockerfile: Dockerfile.develop
+      useGitIgnore: true
+      args:
+        BUILD_CONFIGURATION: ${BUILD_CONFIGURATION:-Debug}
+        MYTOKEN: ${secret.mynugetsecret.pattoken}
+```
+
+In the above example, *mynugetsecret* is an existing secret and *pattoken* is an existing key.
+
+>[!NOTE]
+> Secret names and keys may contain the `.` character. Use `\` to escape `.` when passing secrets as build arguments. For example, to pass a secret named *foo.bar* with the key of *token*: `MYTOKEN: ${secret.foo\.bar.token}`. In addition, secrets can be evaluated with prefix and postfix text. For example, `MYURL: eus-${secret.foo\.bar.token}-version1`. Also, secrets available in parent and grandparent spaces can be passed as build arguments.
+
+In your Dockerfile, use the *ARG* directive to consume the secret, then use that same variable later in the Dockerfile. For example:
+
+```dockerfile
+...
+ARG MYTOKEN
+...
+ARG NUGET_EXTERNAL_FEED_ENDPOINTS="{'endpointCredentials': [{'endpoint':'PRIVATE_NUGET_ENDPOINT', 'password':'${MYTOKEN}'}]}"
+...
+```
+
+Update the services running in your cluster with these changes. On the command line, run the command:
+
+```
+azds up
+```
+
 ## Next steps
 
 With these methods, you can now securely connect to a database, an Azure Cache for Redis, or access secure Azure services.
