How do you handle passwords in the build pipeline?


I’ve been dabbling with DSC for a few weeks now and have set up a pull server, made some resources and scripted compiling of ConfigurationData. For passwords I’ve been using certificates from ADCS, which works but I have some challenges.

How do you handle initial registration of nodes and automatically register the certificate with both the node and the pull server?

Ideally I want to set up a build pipeline with build servers automatically detecting code changes from git. How do you go about encrypting passwords in this scenario? I suppose I could use a single certificate for all the build servers and encrypt an entire script which would be sourced in to the configuration script, but it does not seem like a great solution.

I’ve done this a couple of ways. Originally, we were using a DSC pull server, so the script which would configure the LCM on the target machine was also responsible for generating a new certificate and GUID for the node. I would then export the certificate and GUID and put them into source control for the build server to use. (This wasn’t totally automated yet, but we switched from using a pull server shortly afterward, so I didn’t go any farther with it.)

Now, we use Octopus Deploy tentacles to apply DSC configurations. From DSC’s point of view, we’re now doing a “push” configuration on the local host, and the MOF file is also compiled locally. This is very handy, because now our script can just generate a certificate for DSC if it doesn’t already exist, configure the LCM to use that cert, and then compile the MOF; the cert never needs to make it to source control.

(Incidentally, when the Tentacle runs our PowerShell script, it sets up a hashtable of variables for the job, including passwords. Those are stored in encrypted form on the Octopus server, and sent to the Tentacle over HTTPS, which covers the security of those passwords from Octopus to the point where the DSC configuration is compiled.)
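
A sketch of the local "push" flow described in the answer above, added here as an illustration and not the poster's actual script: it creates the node's encryption certificate if missing, points the LCM at it, and compiles the MOF locally so the credential is encrypted and the private key never leaves the machine. The certificate name, working directory, `ServiceAccount` resource and `$ServiceCredential` parameter are assumptions; WMF 5 or later is assumed for the CMS check.

```powershell
#Requires -RunAsAdministrator
# Added example. Names, paths and the parameter are assumptions, not taken from the post.
param(
    [Parameter(Mandatory)] [pscredential] $ServiceCredential,  # supplied by the deployment tool at run time
    [string] $WorkDir = 'C:\DscWork'
)
$name = 'DscEncryptionCert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Reuse the node's document-encryption certificate, or create it on first run.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$name" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName $name `
        -HashAlgorithm SHA256 -CertStoreLocation Cert:\LocalMachine\My
}
$cerFile = Join-Path $WorkDir 'DscPublicKey.cer'
Export-Certificate -Cert $cert -FilePath $cerFile -Force | Out-Null   # public key only

# 2. Tell the LCM which certificate decrypts credentials in the MOF.
[DSCLocalConfigurationManager()]
configuration LcmConfig {
    param([string] $Thumbprint)
    Node localhost {
        Settings {
            CertificateID = $Thumbprint
            RefreshMode   = 'Push'
        }
    }
}
LcmConfig -Thumbprint $cert.Thumbprint -OutputPath "$WorkDir\Lcm" | Out-Null
Set-DscLocalConfigurationManager -Path "$WorkDir\Lcm"

# 3. Compile locally; CertificateFile/Thumbprint make DSC encrypt the credential.
configuration AppNode {
    param([pscredential] $Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost {
        User ServiceAccount {
            UserName = $Credential.UserName
            Password = $Credential
            Ensure   = 'Present'
        }
    }
}
$configData = @{ AllNodes = @(@{ NodeName = 'localhost'; CertificateFile = $cerFile; Thumbprint = $cert.Thumbprint }) }
AppNode -Credential $ServiceCredential -ConfigurationData $configData -OutputPath "$WorkDir\Mof" | Out-Null

# 4. Refuse to apply a MOF whose credential was not CMS-encrypted (WMF 5+ format).
if (-not (Select-String -Path "$WorkDir\Mof\localhost.mof" -Pattern 'BEGIN CMS' -Quiet)) { throw 'Credential not encrypted in MOF' }
Start-DscConfiguration -Path "$WorkDir\Mof" -Wait -Force
```

Because `PSDscAllowPlainTextPassword` is never set, compilation fails outright if the certificate entries are missing from the configuration data, rather than writing the password to disk in clear text.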