AIO Secrets Strategy #461

Open
opened 2024-12-02 20:37:36 -05:00 by mafyuh · 0 comments
Owner

Currently secrets are all over the place. I refuse to push even encrypted secrets to Git.

- Forgejo (workflows)
- Bitwarden Secrets Manager
- Docker Hosts in `.env`
- Kubernetes
- Tofu `terraform.tfvars`
- Packer credentials file

Want to use Bitwarden Secrets as the main source and have all things pull from here.

## OpenTofu

Can use something like [bws-cache](https://github.com/rippleFCL/bws-cache) to look up by secret name and not ID, similar to [this script](https://github.com/chkpwd/iac/blob/main/terraform/bws_lookup.py) and calling them like [this](https://github.com/chkpwd/iac/blob/44af303d8ac2ab862be6b1dbcd023750807cbdd9/terraform/cloudflare/a_records.tf#L6).

## Forgejo (workflows)

Already "done" as shown [here](https://git.mafyuh.dev/mafyuh/iac/src/commit/dc694cfb73fe631bdc547116ba524b782384e096/.forgejo/workflows/tofu.yml#L26), but need to improve; have to manually map the IDs to names still.

## Docker Hosts

Going to have to get creative, but probably can utilize [bws-cache](https://github.com/rippleFCL/bws-cache) and export them either to the system or to the right `.env` file, maybe even switch from Docker Compose to using Tofu to deploy the Docker containers to utilize Tofu's secret management.

## Packer

TBD

## Kubernetes

TBD
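The OpenTofu and Docker Hosts sections above both want the same thing: resolve Bitwarden Secrets Manager secrets by name rather than by ID, then hand them either to Tofu or to a `.env` file. The following is an added example, not the issue author's code and not part of bws-cache or the linked `bws_lookup.py`. It assumes the JSON shape printed by `bws secret list` (a list of objects carrying `id`, `projectId`, `key` and `value`) and the `BWS_ACCESS_TOKEN` environment variable; the embedded sample list is constructed. It fails closed on a name that is missing, and on a name that exists in more than one project, because a name lookup that silently picks one of two secrets is exactly the kind of bug that is hard to notice in a workflow.

```python
"""Resolve Bitwarden Secrets Manager secrets by name (added example, not the issue's code).

Assumptions: `bws secret list` prints a JSON list of objects with at least
"id", "projectId", "key" and "value"; BWS_ACCESS_TOKEN is set in the environment.
"""
import argparse
import json
import os
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed sample in the shape of `bws secret list` output. All values are fake.
# Note that CLOUDFLARE_API_TOKEN exists in two projects: a name lookup must not guess.
SAMPLE_LIST_JSON = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "projectId": "p-infra",
     "key": "CLOUDFLARE_API_TOKEN", "value": "cf-token-example"},
    {"id": "22222222-2222-2222-2222-222222222222", "projectId": "p-infra",
     "key": "PROXMOX_PASSWORD", "value": "pa ss\"word'with#stuff"},
    {"id": "33333333-3333-3333-3333-333333333333", "projectId": "p-media",
     "key": "CLOUDFLARE_API_TOKEN", "value": "other-project-same-name"},
])


def fetch_secret_list() -> str:
    """Call the real CLI (not used by the offline sample); raises if bws is missing or fails."""
    if "BWS_ACCESS_TOKEN" not in os.environ:
        raise RuntimeError("BWS_ACCESS_TOKEN is not set")
    return subprocess.run(["bws", "secret", "list"], check=True,
                          capture_output=True, text=True).stdout


def find_duplicate_names(list_json: str, project_id: Optional[str] = None) -> List[str]:
    """Names that occur more than once within the selected scope (all projects or one)."""
    seen: Dict[str, int] = {}
    for s in json.loads(list_json):
        if project_id is not None and s.get("projectId") != project_id:
            continue
        seen[s["key"]] = seen.get(s["key"], 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


def index_by_name(list_json: str, project_id: Optional[str] = None) -> Dict[str, dict]:
    """Map secret name -> secret object; refuses to build an ambiguous index."""
    dupes = find_duplicate_names(list_json, project_id)
    if dupes:
        raise ValueError(f"ambiguous secret names {dupes}; restrict the lookup to one project")
    return {s["key"]: s for s in json.loads(list_json)
            if project_id is None or s.get("projectId") == project_id}


def resolve(names: List[str], index: Dict[str, dict]) -> Dict[str, str]:
    """Return {name: value} for every requested name, or fail on the first missing one."""
    missing = [n for n in names if n not in index]
    if missing:
        raise KeyError(f"secrets not found by name: {missing}")
    return {n: index[n]["value"] for n in names}


def render_dotenv(values: Dict[str, str]) -> str:
    """Render KEY="value" lines; backslash, double quote and newline are escaped
    so values containing spaces, quotes or '#' survive a dotenv parser."""
    lines = []
    for key, value in values.items():
        escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        lines.append(f'{key}="{escaped}"')
    return "\n".join(lines) + "\n"


def write_dotenv(path: str, values: Dict[str, str]) -> None:
    """Write the .env file owner-read/write only, created atomically via a temp file."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_dotenv(values))
    os.replace(tmp, path)


def terraform_external_output(values: Dict[str, str]) -> str:
    """The flat string map that Terraform/OpenTofu's `external` data source expects on stdout."""
    return json.dumps(values)


def main(argv: List[str]) -> int:
    p = argparse.ArgumentParser(description="look up bws secrets by name")
    p.add_argument("names", nargs="+")
    p.add_argument("--project", help="projectId to scope the lookup to")
    p.add_argument("--dotenv", help="write the result to this .env file instead of stdout")
    args = p.parse_args(argv)
    values = resolve(args.names, index_by_name(fetch_secret_list(), args.project))
    if args.dotenv:
        write_dotenv(args.dotenv, values)
    else:
        sys.stdout.write(terraform_external_output(values))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

When wired up as a `data "external"` program in Tofu, the query on stdin is ignored here and the names come from the command line; scoping with `--project` is what keeps a name like `CLOUDFLARE_API_TOKEN` unambiguous once the same name is reused across projects, which the constructed sample deliberately does.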
mafyuh added the docker, kubernetes, opentofu labels 2024-12-02 20:37:36 -05:00
mafyuh self-assigned this 2024-12-02 20:37:36 -05:00
Reference: mafyuh/iac#461