AIO Secrets Strategy #461

Open
opened 2024-12-02 20:37:36 -05:00 by mafyuh · 0 comments

Currently secrets are all over the place. I refuse to push even encrypted secrets to Git.

- Forgejo (workflows)
- Bitwarden Secrets Manager
- Docker Hosts in `.env`
- Kubernetes
- Tofu `terraform.tfvars`
- Packer credentials file

Want to use Bitwarden Secrets as the main source and have all things pull from here.

## OpenTofu

Can use something like [bws-cache](https://github.com/rippleFCL/bws-cache) to look up by secret name and not ID, similar to [this script](https://github.com/chkpwd/iac/blob/main/terraform/bws_lookup.py) and calling them like [this](https://github.com/chkpwd/iac/blob/44af303d8ac2ab862be6b1dbcd023750807cbdd9/terraform/cloudflare/a_records.tf#L6)

## Forgejo (workflows)

Already "done" as shown [here](https://git.mafyuh.dev/mafyuh/iac/src/commit/dc694cfb73fe631bdc547116ba524b782384e096/.forgejo/workflows/tofu.yml#L26), but need to improve, have to manually map the IDs to names still

## Docker Hosts

Implemented in Docker CD step and having env variables in `/docker/secret-mappings.yml`

## Packer

TBD

## Kubernetes

TBD

mafyuh added the
docker
kubernetes
opentofu
labels 2024-12-02 20:37:36 -05:00
mafyuh self-assigned this 2024-12-02 20:37:36 -05:00
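The OpenTofu and Docker sections above both come down to the same step: resolving a Bitwarden Secrets Manager secret by its name rather than by the UUID that `bws` wants, without keeping a hand-maintained name-to-ID mapping file. The script below is an added example of that step, written here as an editor's illustration; it is not the issue author's code, not bws-cache, and not the linked `bws_lookup.py`. It speaks the `external` data source protocol (JSON query on stdin, flat string-to-string JSON map on stdout), builds the name index from `bws secret list`, and refuses ambiguous names instead of silently returning whichever secret happened to be listed first. Everything about the `bws` CLI here is assumed rather than taken from the issue: that it is on `PATH` with `BWS_ACCESS_TOKEN` set, that `bws secret list` prints a JSON array of objects carrying `id` and `key`, and that `bws secret get <id>` prints an object carrying `value`. The sample secrets and the `fake_runner` that answers from them are constructed so the file runs offline.

```python
"""
Name-based Bitwarden Secrets Manager lookup for OpenTofu's `external` data
source. Added example; not the issue author's bws_lookup.py and not bws-cache.

Assumptions (not confirmed by the issue):
  * the `bws` CLI is on PATH and BWS_ACCESS_TOKEN is set in the environment;
  * `bws secret list` prints a JSON array of objects with "id" and "key" fields;
  * `bws secret get <id>` prints a JSON object with a "value" field.
"""
import json
import subprocess
import sys
from typing import Callable

# A runner takes bws CLI arguments and returns the CLI's stdout as text.
Runner = Callable[[list[str]], str]


def run_bws(args: list[str]) -> str:
    """Real runner: shell out to the bws CLI (needs BWS_ACCESS_TOKEN)."""
    proc = subprocess.run(["bws", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def build_name_index(run: Runner) -> dict[str, str]:
    """Map secret name ("key" in bws output) -> secret ID; refuse ambiguous names."""
    index: dict[str, str] = {}
    for secret in json.loads(run(["secret", "list"])):
        name = secret["key"]
        if name in index:
            # Two secrets sharing a name would make the lookup nondeterministic,
            # and a wrong-but-valid credential is worse than a hard failure.
            raise ValueError(f"duplicate secret name {name!r} in Bitwarden")
        index[name] = secret["id"]
    return index


def lookup_secret(name: str, run: Runner) -> str:
    """Resolve a secret value by name instead of by UUID."""
    index = build_name_index(run)
    if name not in index:
        raise KeyError(f"no Bitwarden secret named {name!r}")
    return json.loads(run(["secret", "get", index[name]]))["value"]


def handle_query(query: dict, run: Runner) -> dict[str, str]:
    """`external` data source contract: query and result are flat string->string maps."""
    name = query.get("name")
    if not isinstance(name, str) or not name:
        raise ValueError("query must contain a non-empty 'name'")
    return {"value": lookup_secret(name, run)}


# --- constructed sample data, only so this file can be exercised offline ------
CONSTRUCTED_SECRETS = [
    {"id": "11111111-1111-4111-8111-111111111111", "key": "cloudflare_api_token", "value": "cf-token-example"},
    {"id": "22222222-2222-4222-8222-222222222222", "key": "proxmox_password", "value": "pve-pass-example"},
]


def fake_runner(args: list[str]) -> str:
    """Stand-in for the bws CLI that answers from CONSTRUCTED_SECRETS (constructed)."""
    if args == ["secret", "list"]:
        return json.dumps([{k: s[k] for k in ("id", "key")} for s in CONSTRUCTED_SECRETS])
    if args[:2] == ["secret", "get"]:
        for s in CONSTRUCTED_SECRETS:
            if s["id"] == args[2]:
                return json.dumps(s)
    raise RuntimeError(f"unexpected bws invocation: {args}")


def main() -> int:
    """Entry point used by OpenTofu: JSON query on stdin, JSON result on stdout."""
    try:
        result = handle_query(json.load(sys.stdin), run_bws)
    except Exception as exc:  # tofu surfaces stderr when the program exits non-zero
        print(f"bws_lookup: {exc}", file=sys.stderr)
        return 1
    json.dump(result, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

From OpenTofu this would be wired up as a `data "external"` block whose `program` is `["python3", "${path.module}/bws_lookup.py"]` and whose `query` is `{ name = "cloudflare_api_token" }`, after which the value is read as `data.external.<name>.result.value`. Two caveats a practitioner should keep in mind: the `external` data source does not mark its result as sensitive, so wrap it in `sensitive()` where it is used, and the resolved value is still written to state, so state storage has to be treated as secret storage regardless. This script also re-runs `bws secret list` for every lookup, which is exactly the round trip bws-cache exists to avoid; the same name index is what the Docker CD step would consult instead of the hand-written `secret-mappings.yml`.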

Reference: mafyuh/iac#461