Hi,
On 5/17/21 12:39 PM, Andrew Bogott wrote:
> "How would I make use of secrets on cloud-vps instances?"
I really only have one project right now that has secrets (LibUp). The mailman project has some secrets but it's a clone of our production setup so it seems logical (and maybe better?) that it uses secrets via puppet to mirror what's in prod, though setting them as a cherry-pick of labs/private on the puppetmaster is kind of a pain.
It's not super clear to me whether this proposed feature would mean you need to shell out to get secret values, hit an HTTP API, or if it's just a file on disk. Also can a secret be anything like an SSH private key? Or is it intended to be a password/token/string-like thing?
> - Is it good enough to provide project-wide distribution, or do we need
> finer-grained control, limiting secrets to particular users or instances?
I would prefer if I could pick the instances that get access to the secret, either by regex, prefix or some manual list.
If that's not possible, I think I'd want to be able to set the Unix group that could read/obtain the secrets, so even though it's accessible on the instance, there's still some level of access control / privilege separation.
Basically I'd like to have some way to run a process that cannot access the secret.
> - Is a web UI for managing secrets a requirement, or are command line
> tools adequate? What if there were /only/ a web-ui and no command line?
I find a web UI usually superior to CLI tools, but I'd hope it would be integrated with Horizon and that I don't need to learn/remember a new web thing.
I don't think I'd care if there was no CLI interface.
> - Would supporting secret management solve immediate issues on its own,
> or is it only useful as a part of larger instrumentation tooling (e.g. puppet, heat, or terraform integration)
Having just secret management would be nice but it would probably be low priority on my Cloud VPS wishlist.
HTH,
-- Legoktm