Community of DevSecOps Talks podcast https://devsecops.fm
Henrik René Høegh
Import and export of data. Recursively. So yaml or JSON becomes the format that defines your vault data, also as a backup. We will add the possibility to encrypt the output later on, but you can just pipe it to PGP or the like. Also you can export a section of your data, and import that to another vault. Or to the same vault in a different place.
Could be an interesting option for backup. Though then you have your secrets in a couple of places and have more stuff to protect
Henrik René Høegh
A running vault instance shouldn't be your single point of truth. At least have a backup, or better, encrypted files from which you can recreate it.
Really funny that my colleague has done something similar at his company, and I implemented something for fun over summer but never intended it to be production ready. I’d be interested in trying when the situation arises.
One immediate use case I can see: when creating the infra where Vault will run (so you don’t have vault yet) it would be cool to spin up a temp vault instance that can be bootstrapped in this way, but used with packer/terraform/etc more as an API than long term secrets storage
You can do DR cluster if you got Vault Enterprise or point-in-time recovery if using DynamoDB as a backend...
So such a script would be useful for people running on-prem
but usually people with infra on-prem have money to spend and they might already have Vault Enterprise
but if they don’t then it might be legit case for them
Cool, I have a tool that converts values.yaml from helm to JSON and then uploads it to vault as an init state :-)
Everyone has the same problem and solves it..
And all the solutions are quite different 😅 welcome to “DevOps” 😆
how often would you recreate vault secrets?
It checks if there are any secrets and if not it adds them as a base. Then super simple for devs to edit a secret ...
If they are to add a new one it's hard to get it correct ...