On 5/17/21 12:39 PM, Andrew Bogott wrote:
> How would I make use of secrets on cloud-vps?
I really only have one project right now that has secrets (LibUp). The
mailman project has some secrets, but it's a clone of our production
setup, so it seems logical (and maybe better?) that it uses secrets via
puppet to mirror what's in prod, though setting them as a cherry-pick of
labs/private on the puppetmaster is kind of a pain.
It's not super clear to me whether this proposed feature would mean you
need to shell out to get secret values, hit an HTTP API, or if it's just
a file on disk. Also, can a secret be anything, like an SSH private key? Or
is it intended to be a password/token/string-like thing?
> - Is it good enough to provide project-wide distribution, or do we need
> finer-grained control, limiting secrets to particular users or instances?
I would prefer if I could pick the instances that get access to the
secret, either by regex, prefix or some manual list.
If that's not possible, I think I'd want to be able to set the Unix
group that could read/obtain the secrets, so even though it's accessible
on the instance, there's still some level of access control / privileged
Basically I'd like to have some way to run a process that cannot access
> - Is a web UI for managing secrets a requirement, or are command line
> tools adequate? What if there were /only/ a web-ui and no command line?
I find a web UI usually superior to CLI tools, but I'd hope it would be
integrated with Horizon and that I don't need to learn/remember a new
I don't think I'd care if there was no CLI interface.
> - Would supporting secret management solve immediate issues on its own,
> or is it only useful as a part of larger instrumentation tooling (e.g.
> puppet, heat, or terraform integration)?
Having just secret management would be nice, but it would probably be low
priority on my Cloud VPS wishlist.