I am using GitLab CI/CD to deploy my application into OpenShift. The application is PHP based and has a database connection in the background.
I don’t want to openly write sensitive data like the password in my PHP file.
Is there any way to store the password as a CI variable and use it outside the pipeline?
Or can I access CI variables outside the pipeline, and if so, how?
Hi @Citfoobar
Many frameworks have a special file for holding these sorts of environment variables and secrets, e.g. Laravel has `.env`. In this case, you would write your (usually masked) CI variable into the `.env` file in one of your pipeline jobs. For example:
```yaml
stages:
  - prepare
  # ...

prepare:
  stage: prepare
  script:
    # Replace the MAIL_HOST line in .env with the value of the CI variable
    - sed -i "s|MAIL_HOST=.*|MAIL_HOST=${MAIL_HOST}|" .env
  artifacts:
    paths:
      - .env
    expire_in: 2 weeks
```
Yes, like @snim2 suggested, store the variables in your Project’s CI/CD Variables (Settings → CI/CD → Variables), mask them, protect them if required and then use `sed` or simply `echo` them to the `.env` file or similar.
If you are using some other secrets manager in your company you can also fetch them from there instead of saving in GitLab CI/CD Variables.
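
As an added example (not code from either reply): a POSIX shell helper that a job script could use in place of the `sed` or `echo` step described in the answers above. It writes the value literally, so a password containing `|`, `&` or `\` is not mangled the way it would be inside a sed replacement; the function names `valid_name`, `require_vars` and `set_env_var` and the variable `DB_PASSWORD` are assumptions.

```shell
#!/bin/sh
# Added example; valid_name, require_vars and set_env_var are hypothetical names.

# valid_name NAME: accept only shell/dotenv-style identifiers.
valid_name() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# require_vars NAME...: stop early if a CI variable is unset or empty
# (a protected variable is not exposed to jobs on unprotected branches).
require_vars() {
    for name in "$@"; do
        valid_name "$name" || { echo "invalid name: $name" >&2; return 2; }
        eval "val=\${$name:-}"
        [ -n "$val" ] || { echo "CI variable $name is not set" >&2; return 1; }
    done
}

# set_env_var FILE KEY VALUE: replace KEY=... in FILE or append it.
# The value reaches awk through the environment, so |, &, \ and / are
# written literally instead of being interpreted as sed syntax.
set_env_var() {
    file=$1 key=$2 value=$3
    valid_name "$key" || { echo "invalid key: $key" >&2; return 2; }
    case $value in
        *'
'*) echo "refusing multi-line value for $key" >&2; return 2 ;;  # would add extra entries
    esac
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$file.XXXXXX") || return 1   # mktemp creates the file with mode 0600
    ENV_KEY=$key ENV_VALUE=$value awk '
        BEGIN { k = ENVIRON["ENV_KEY"]; v = ENVIRON["ENV_VALUE"] }
        index($0, k "=") == 1 { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# In a job script, with DB_PASSWORD defined as a masked CI/CD variable:
#   require_vars DB_PASSWORD && set_env_var .env DB_PASSWORD "$DB_PASSWORD"
```

Masking only hides the value in job logs; a `.env` file saved as an artifact still holds it in clear text for anyone who can download that job's artifacts until it expires.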