Testflinger Secrets¶
Sensitive information such as credentials, API keys or any other secrets needed while running jobs can be stored securely in Testflinger and made available to agents at runtime. This lets you avoid hard-coding secrets in your job definitions and gives you a single, access-controlled place to manage them.
Using this feature requires authenticating with the Testflinger server.
For information on the overall secret structure, please refer to the Secrets reference.
For information on how to use secrets in your jobs, please refer to the Use Secrets how-to guide.
Storage and Management¶
Secrets in Testflinger are organized in a hierarchical structure based on paths. Each secret is associated with a unique path, and secrets can be grouped together under common paths for easier management and access control.
Only the owner of a secret (the client-id that created it) can write or delete it. Read access is granted exclusively to authenticated Testflinger agents, and only when they pick up a job whose definition references secrets.
Security and Encryption¶
Testflinger supports the following Secret Store backends:
MongoDB Client-Side Field Level Encryption¶
Testflinger supports MongoDB Client-Side Field Level Encryption (CSFLE) to securely store secrets in the database. Secret values are encrypted by the client before they are sent to MongoDB and can only be decrypted by MongoDB clients that hold the appropriate encryption key; the database server itself, and anyone with only database access, sees ciphertext.
Vault Integration¶
Testflinger can be configured to integrate with HashiCorp Vault for secret management. This allows you to leverage Vault’s features for securely storing and managing secrets, while still making them accessible to Testflinger agents at runtime.
Masking¶
Regardless of the storage backend used, Testflinger masks secrets in logs to prevent accidental exposure. Whenever a secret value that an agent has retrieved for a job appears in the output produced during job execution, it is replaced with a placeholder value (e.g., **<sha256-hash>**) in any logs generated by the agent.
Warning
To avoid unintended masking, use complex, unique secret values. Masking is a plain substitution of the secret value, so a value that is also an ordinary word will be masked wherever that word appears. For example, if a secret value is password and the log prints the message "The password is password", both occurrences are masked: The **<hash>** is **<hash>**.
Retrieval¶
Only authenticated Testflinger Agents can retrieve secrets. This occurs once the agent gets assigned a job that references secrets in its job definition.
Important
Any secrets that are not accessible at the time of retrieval are resolved to the empty string instead of the retrieval failing. It is the responsibility of the consumer of the secrets to account for this possibility, for instance by checking for an empty value before using it. This is a deliberate design decision that mirrors how undefined secrets are handled on other platforms such as GitHub.
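The following is an added example, not Testflinger's own code, that models the two behaviours described in the Masking and Retrieval sections together: resolving a job's secret references (an inaccessible path becomes the empty string), masking the resolved values in job output with a SHA-256 placeholder, and a consumer-side check that fails fast on an empty secret. The store contents, the reference format, the exact placeholder layout and the helper names are assumptions made for illustration; the only documented facts are that missing secrets resolve to "" and that masked values are replaced by a hash-based placeholder.

```python
"""Added example (not Testflinger's own code): agent-side secret resolution
and log masking, plus a consumer-side guard against empty secrets.
Store contents, placeholder format and helper names are assumptions."""
import hashlib

# Constructed stand-in for the secret store: path -> value.
# A real agent would fetch these from the server after authenticating.
SECRET_STORE = {
    "team/ci/api-token": "tk_9f3a7c1e2b5d",
    "team/ci/db-password": "password",  # deliberately weak, see the warning above
}


def resolve_secrets(refs, store=SECRET_STORE):
    """Resolve {name: path} references to {name: value}.

    Mirrors the documented behaviour: a path that is not accessible
    resolves to the empty string instead of the retrieval failing.
    """
    return {name: store.get(path, "") for name, path in refs.items()}


def placeholder(value):
    """Placeholder modelled on the page's '**<sha256-hash>**' (assumed layout)."""
    return "**" + hashlib.sha256(value.encode()).hexdigest() + "**"


def mask(text, values):
    """Replace every occurrence of each secret value in text with its placeholder.

    Empty values are skipped: a secret that resolved to "" has nothing to
    hide, and replacing the empty string would corrupt the whole line.
    Longer values are masked first so that a secret which contains another
    secret as a substring is replaced as a whole rather than piecemeal.
    """
    for value in sorted({v for v in values if v}, key=len, reverse=True):
        text = text.replace(value, placeholder(value))
    return text


def require(resolved, name):
    """Consumer-side guard: fail fast on a secret that resolved to ""."""
    value = resolved.get(name, "")
    if not value:
        raise RuntimeError(f"secret {name!r} is missing or not accessible")
    return value


def run_job():
    """Resolve a constructed job's secrets and return its masked log."""
    refs = {
        "API_TOKEN": "team/ci/api-token",
        "DB_PASSWORD": "team/ci/db-password",
        "SSH_KEY": "team/ci/ssh-key",  # not in the store -> resolves to ""
    }
    resolved = resolve_secrets(refs)
    require(resolved, "API_TOKEN")  # would raise for SSH_KEY
    log = (
        "Using token tk_9f3a7c1e2b5d for upload\n"
        "The password is password\n"
        f"SSH key: '{resolved['SSH_KEY']}'\n"
    )
    return mask(log, resolved.values())


if __name__ == "__main__":
    print(run_job())
```

Running it shows the token and both occurrences of `password` replaced by their hash placeholders, while the empty SSH key line is left untouched rather than being garbled by an empty-string substitution. In a real job you would call the equivalent of `require()` before using any secret, since the platform will hand you an empty string rather than an error.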