Yeee, but you get the secret as a secret, then in the pod mounted as a file. And want them as env
Andrey Devyatkin
@Andrey9kin
Understood
Mattias Hemmingsson
@mattiashem
Doing 12 factor, and the nice part is it locks the secret to the process, so if you exec into the pod and do an env you only see the path to the secret
Well the pod has access to pull it so you can curl and get the secret from the pod 😂
Andrey Devyatkin
@Andrey9kin
Do not want to break it for you, but /proc/$pid/environ …
In Linux, everything is a file
though you need root or sudo to read that one
not sure if the same user can read one of its own processes' environ
Mattias Hemmingsson
@mattiashem
Yeee it's not a protection. :-)
Andrey Devyatkin
@Andrey9kin
Number 20 is out
Jacob Lärfors
@jlarfors
Hey guys, sadly I have to decline today's session... I have a lot of work (build up before xmas) and so I have to prioritise myself a little bit :) Hope it's not a problem, I'd love to join another time and have a great one!
Andrey Devyatkin
@Andrey9kin
no worries
Life happens
Julien Bisconti
@veggiemonk
The IKEA deliveries are coming in 10 min, I'll be late
Hi. Me and Jonas (a colleague) are creating an open source tool on GitHub. Mostly to try and set a proper project up, and because a customer of ours needs it. It's done in our free time, and we would love some feedback. It's still work in progress, but the major functionality is more or less in place.
so the problem that you are trying to solve is initial population of Vault with secrets?
just trying to understand what it is for
Henrik René Høegh
@HenrikHoegh_twitter
Import and export of data. Recursively. So YAML or JSON becomes the format that defines your vault data, also as a backup. We will add the possibility to encrypt the output later on, but you can just pipe it to PGP or alike. Also you can export a section of your data and import that to another vault. Or to the same vault in a different place.
Andrey Devyatkin
@Andrey9kin
could be an interesting option for backup. Though then you have your secrets in a couple of places and have more stuff to protect
Henrik René Høegh
@HenrikHoegh_twitter
A running vault instance shouldn't be your single point of truth. At least have a backup, or better, encrypted files from which you can recreate it.
Jacob Lärfors
@jlarfors
Really funny that my colleague has done something similar at his company, and I implemented something for fun over summer but never intended it to be production ready. I’d be interested in trying when the situation arises.
One immediate use case I can see: when creating the infra where Vault will run (so you don’t have vault yet) it would be cool to spin up a temp vault instance that can be bootstrapped in this way, but used with packer/terraform/etc more as an API than long term secrets storage
Andrey Devyatkin
@Andrey9kin
You can do DR cluster if you got Vault Enterprise or point in time recovery if using DynamoDB as a backend...
So such a script would be useful for people running on prem
but usually people with infra on prem have money to spend and they might already have Vault Enterprise
but if they don’t then it might be legit case for them
Mattias Hemmingsson
@mattiashem
Cool, I have a tool that converts values.yaml from helm to a JSON and then uploads it to vault as an init state :-)
Everyone has the same problem and solves it..
Jacob Lärfors
@jlarfors
And all the solutions are quite different 😅 welcome to “DevOps” 😆
Andrey Devyatkin
@Andrey9kin
how often would you recreate vault secrets?
Mattias Hemmingsson
@mattiashem
It checks if there are any secrets and if not it adds them as a base. Then super simple for devs to edit a secret ...
If they are to add a new one it's hard to get it correct ...