
Port secrets management to "op inject" #368

Closed
licquia opened this issue Sep 6, 2024 · 1 comment
licquia commented Sep 6, 2024

In a recent discussion, we decided to move usage of op read in our secrets template generation to use op inject instead. This speeds up the secret resolution step by 3x in our initial tests, and keeps the unencrypted secrets out of the environment entirely.

As an additional step, we should use envsubst to substitute the deployment environment (sandbox, staging, prod) into the templates, so that we can reuse the templates for all environments while separating out the actual secrets. Something like this:

```sh
ENVIRONMENT=sandbox envsubst < secret-template-file | op inject | kubeseal ...
```

with the template looking something like this:

```yaml
stringData:
  # ${ENVIRONMENT} must be braced: envsubst would otherwise read
  # $ENVIRONMENT_super_secret_thing as a single variable name and expand it to "".
  MY_SUPER_SECRET_THING: {{ op://vault/my_${ENVIRONMENT}_super_secret_thing }}
```
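The pipeline above has one failure mode worth checking for before anything reaches kubeseal: GNU envsubst expands an unset variable to the empty string and exits 0, so a template that writes `$ENVIRONMENT_super_secret_thing` (one variable name, as far as the shell identifier rules are concerned) silently collapses the reference to `op://vault/my_`. The following is an added example, not Scaf code and not the 1Password CLI: `envsubst()` re-implements envsubst's `$NAME`/`${NAME}` syntax with an optional strict mode, `inject()` is a stand-in for `op inject` that resolves references from an in-memory dict rather than a vault, and the templates and the `example-value` secret are constructed for the demonstration.

```python
"""Emulation of the `envsubst | op inject` pipeline sketched in the issue.

Added example; neither Scaf's code nor the 1Password CLI. envsubst() follows
GNU envsubst's variable syntax, and inject() stands in for `op inject`,
resolving references from an in-memory dict instead of a vault.
"""
import re

# envsubst accepts $NAME or ${NAME}, where NAME is a POSIX shell identifier.
# A bare `$ENVIRONMENT_super_secret_thing` therefore names ONE variable,
# ENVIRONMENT_super_secret_thing, not ENVIRONMENT followed by a suffix.
VAR_RE = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")

# Reference syntax consumed by `op inject`: {{ op://vault/item/field }}
OP_REF_RE = re.compile(r"\{\{\s*(op://[^\s{}]+)\s*\}\}")

# Constructed templates: the issue's sketch as written, and with braces.
TEMPLATE_UNBRACED = (
    "stringData:\n"
    "  MY_SUPER_SECRET_THING: {{ op://vault/my_$ENVIRONMENT_super_secret_thing }}\n"
)
TEMPLATE_BRACED = (
    "stringData:\n"
    "  MY_SUPER_SECRET_THING: {{ op://vault/my_${ENVIRONMENT}_super_secret_thing }}\n"
)


class UnsetVariable(KeyError):
    """Strict-mode error: the template names a variable that is not set."""


def envsubst(text, env, strict=False):
    """Expand $NAME / ${NAME} from env, the way GNU envsubst does.

    Real envsubst silently expands an unset variable to "" and exits 0, so a
    typo in the template never fails the pipeline. strict=True raises instead.
    """
    def repl(match):
        name = match.group(1) or match.group(2)
        if name not in env:
            if strict:
                raise UnsetVariable(name)
            return ""
        return env[name]
    return VAR_RE.sub(repl, text)


def op_references(text):
    """List the op:// references a rendered template would hand to op inject."""
    return OP_REF_RE.findall(text)


def inject(text, resolver):
    """Stand-in for `op inject`: replace each {{ op://... }} with its secret.

    `resolver` is a dict {reference: value}; a missing reference is an error,
    so a reference mangled by substitution cannot silently yield an empty secret.
    """
    def repl(match):
        ref = match.group(1)
        if ref not in resolver:
            raise KeyError(f"unresolved reference {ref}")
        return resolver[ref]
    return OP_REF_RE.sub(repl, text)


def render(template, env, resolver):
    """Strict envsubst -> inject, then refuse output that still carries refs."""
    substituted = envsubst(template, env, strict=True)
    rendered = inject(substituted, resolver)
    if op_references(rendered):
        raise ValueError("rendered manifest still contains op:// references")
    return rendered


if __name__ == "__main__":
    env = {"ENVIRONMENT": "sandbox"}
    # Constructed vault contents keyed by reference (not a real secret).
    vault = {"op://vault/my_sandbox_super_secret_thing": "example-value"}
    print(envsubst(TEMPLATE_UNBRACED, env))  # reference collapses to op://vault/my_
    print(render(TEMPLATE_BRACED, env, vault))
```

Running `envsubst()` in strict mode on the unbraced template raises `UnsetVariable('ENVIRONMENT_super_secret_thing')`, which is the signal the real pipeline lacks; with the braced template the reference becomes `op://vault/my_sandbox_super_secret_thing` and `render()` returns the manifest with the value in place. The secret only ever exists inside the inject step's output, which matches the reason for moving off `op read`: nothing is exported into the environment of the calling shell.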
github-actions bot pushed a commit that referenced this issue Sep 21, 2024
## [1.15.0](v1.14.0...v1.15.0) (2024-09-21)

### Features

* added local registry support and improved setup (close [#353](#353)) ([32de8c7](32de8c7))
* Gfranxman/313 prefer dotlocalbin as install location ([#342](#342)) ([dbb3556](dbb3556))
* implement s3 storage for static and media files on production ([#339](#339)) ([76afd23](76afd23))
* implement scaf challenge for session recording ([#379](#379)) ([0c091af](0c091af))
* **install.sh:** force re-download of Scaf on each install ([#338](#338)) ([f7ef3e3](f7ef3e3))
* op inject secrets (close [#368](#368)) ([58090b5](58090b5))
* reorder environment variables in k8s django config ([#350](#350)) ([f2cb234](f2cb234))
* script to test cookiecutter part of Scaf ([952e276](952e276))

### Bug Fixes

* Fixes frontend tests ([#363](#363)) ([4a2a5b2](4a2a5b2))
* mailhog port config (closes [#249](#249)) ([cea1602](cea1602))
* Specify the full container path, including the host. ([#309](#309)) ([2fa7276](2fa7276)), closes [#308](#308)
* Update logo ([#373](#373)) ([afe2d84](afe2d84))
* use GitHub token for semantic release workflow ([b5eef60](b5eef60))

### Documentation

* add disk space warning to README ([#385](#385)) ([4262b2d](4262b2d))
* update related to optional GraphQL ([#366](#366)) ([92bfc8d](92bfc8d)), closes [#290](#290)

🎉 This issue has been resolved in version 1.15.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
