Feature request: bootstrap-env
ewjoachim opened this issue · 7 comments
The idea would be:
$ vault bootstrap-env path1/ path2/ some_secret -- some commandWould read all secrets from path1, path2 and some_secret, put them in the environment, and then exec some command.
A --backup /some/location would make it so that a yaml file with those secrets would be written locally at that location. If the vault is not available and the backup file is, then the backup file is used transparently and the command runs (though with a logger.exception).
Use case: start an app that reads settings from the environment (this would be the systemd entrypoint). The exec part is important so that we don't have to manage signals or what, the process is replaced with the real process as soon as possible.
The --backup flag would allow to use this way of starting the app even if your vault instance doesn't have 100% high availability yet (if the app restarts when your vault is down, your app can still run)
does anybody has a better command name than bootstrap-env ? :)
like I said in the PR, we should ask security experts what they think of the --backup option
@yannlachiver @adriensaladin ?
(P.S.: this is a public opensource repo)
This is an interesting functionality but I'm afraid it will be used incorrectly and may cause some issues. @adriensaladin ?
I'll take any remarks, but I'll need convincing as to why this is any different from, say, having ansible use vault to write down credential files at deploy time.
That being said, you may want to continue this discussion privately.
What if we name the flag --insecure-backup ?
After discussion, we won't be needing the insecure-backup so dropping it yay
And env instead of boostrap-env