Thanks for the quick response :)
I read through the operator notes yesterday.
To avoid any possibility of leaking sensitive information, it’s best to store secrets in a dedicated service such as Hashicorp Vault.
I just wish there was a short example on how to use:
- vault + ignition
- or vault + systemd
- or vault + podman
I just asked ChatGPT and it's solution seems good:
Within the Unit File, in the PreStart condition, retreive the secrets from vault.
[Unit]
Description=Your Service
...
[Service]
ExecStartPre=/usr/local/bin/fetch_vault_secret.sh
Environment="SECRET_KEY=%i" # Replace %i with the actual secret path in Vault
ExecStart=/path/to/your/service
[Install]
...
Where the fetch_vault_secret.sh
script looks like this:
#!/bin/bash
export VAULT_ADDR="https://vault.lan:8200"
export VAULT_TOKEN="your-vault-token"
SECRET_KEY="${SECRET_KEY//\//%2F}" # Replace / with %2F in the secret path
secret_value=$(vault kv get -field=value secret/${SECRET_KEY})
export SECRET_VALUE="$secret_value"
I'll play with it some, and post the results back later.
If anyone has a better solution please let me know :)
I see this was posted 16 hours ago. Mirrors are back online. ( i didn't notice the outage)