Deployment should be automated. Deployment should be easy. Deployment should be flexible.
I represent a simple deployment strategy which allows to
- avoid storing passwords in version control
- use site-specific deployment configuration
- be understood easily
As an example, I assume a web application written in PHP. The goal is to not store the MySQL access credentials inside the application.
We’ll first make the application flexible enough to read local configuration. Jenkins will serve as an example on how to roll out the actual deployment.
Consider the following application
In order to run this, we’ll need obviously a
conf.inc.php which holds the MySQL credentials.
However, we don’t actually want to store the MySQL password there.
The simple trick is to have yet another config file which can overwrite the default values.
That other file is never going to be put in version control (read: put it in your
But it’ll be lying around.
Note that this approach is not only good to avoid storing sensible information but also for development setups. One can easily use different database servers, credentials, paths and so on during development without ever breaking the master configuration.
All that’s left for us now is an automated deployment. As an example, let’s use Jenkins. Without going into the details, the idea is to create a Jenkins project which
- checks out the repo
- generates the local config file on the fly
- deploys everything to the target machine
You can tell Jenkins to clone the repo into a local subfolder.
Assuming the checkout goes into
./mylocaljenkinsclone, the appropriate Jenkins build script might look like this:
That’s it! A click of a button in Jenkins and the new site is up and running!
The production password is now stored in Jenkins. You got to store it somewhere. The less components can access it, the better. Building the application is the very last step before deployment so that’s actually the only sane location where the password should get introduced.
- Build applications with (“local”) configuration mechanisms.
- Don’t store passwords inside the application (repository).
- Add credentials during deployment.