Hi,
On 5/17/21 12:39 PM, Andrew Bogott wrote:
> "How would I make use of secrets on cloud-vps instances?"
I really only have one project right now that has secrets (LibUp). The
mailman project has some secrets but it's a clone of our production
setup so it seems logical (and maybe better?) that it uses secrets via
puppet to mirror what's in prod, though setting them as a cherry-pick of
labs/private on the puppetmaster is kind of a pain.
It's not super clear to me whether this proposed feature would mean you
need to shell out to get secret values, hit a HTTP API, or if it's just
a file on disk. Also can a secret be anything like a SSH private key? Or
is it intended to be a password/token/string-like thing?
> - Is it good enough to provide project-wide distribution, or do we need finer-grained control, limiting secrets to particular users or instances?
I would prefer if I could pick the instances that get access to the
secret, either by regex, prefix or some manual list.
If that's not possible, I think I'd want to be able to set the Unix
group that could read/obtain the secrets so even though it's accessible
on the instance, there's still some level of access control / privilege
separation.
Basically I'd like to have some way to run a process that cannot access
the secret.
> - Is a web UI for managing secrets a requirement, or are command line tools adequate? What if there were /only/ a web-ui and no command line?
I find a web UI usually superior to CLI tools, but I'd hope it would be
integrated with Horizon and that I don't need to learn/remember a new
web thing.
I don't think I'd care if there was no CLI interface.
> - Would supporting secret management solve immediate issues on its own, or is it only useful as a part of larger instrumentation tooling (e.g. puppet, heat, or terraform integration)?
Having just secret management would be nice but it would probably be low
priority on my Cloud VPS wishlist.
HTH,
-- Legoktm