hi 💙 as someone who loves coreos this is definitely a problem area if you don't already have some kind of dedicated secrets manager you can grab secrets from. here are the docs from coreos on this topic. i used to keep my secrets on a secure location on my network and then quickly host the ignition file for my coreos install with python simple http server. this way, my secrets were never saved anywhere else. i hope this helps
To avoid any possibility of leaking sensitive information, it’s best to store secrets in a dedicated service such as Hashicorp Vault.
I just wish there was a short example on how to use:
vault + ignition
or vault + systemd
or vault + podman
I just asked ChatGPT and it's solution seems good:
Within the Unit File, in the PreStart condition, retreive the secrets from vault.
[Unit]
Description=Your Service
...
[Service]
ExecStartPre=/usr/local/bin/fetch_vault_secret.sh
Environment="SECRET_KEY=%i" # Replace %i with the actual secret path in Vault
ExecStart=/path/to/your/service
[Install]
...
Where the fetch_vault_secret.sh script looks like this:
#!/bin/bash
export VAULT_ADDR="https://vault.lan:8200"
export VAULT_TOKEN="your-vault-token"
SECRET_KEY="${SECRET_KEY//\//%2F}" # Replace / with %2F in the secret path
secret_value=$(vault kv get -field=value secret/${SECRET_KEY})
export SECRET_VALUE="$secret_value"
I'll play with it some, and post the results back later.
If anyone has a better solution please let me know :)
that's fair! i think it's more because deploying vault is not really a quick task, iirc xD but yeah, i 'd love to hear how other coreos users handle their secrets. more than one way to.... inject your secrets i guess xD