• 1 Post
  • 5 Comments
Joined 1 year ago
Cake day: June 13th, 2023



  • Thanks for the quick response :)

    I read through the operator notes yesterday.

    To avoid any possibility of leaking sensitive information, it’s best to store secrets in a dedicated service such as HashiCorp Vault.

    I just wish there was a short example on how to use:

    • vault + ignition
    • or vault + systemd
    • or vault + podman

    I just asked ChatGPT and its solution seems good:

    Within the unit file, in the PreStart condition, retrieve the secrets from Vault.

    [Unit]
    Description=Your Service
    ...

    [Service]
    # Private directory under /run used to hand the secret to the main process
    RuntimeDirectory=your-service
    RuntimeDirectoryMode=0700
    # %i is only set for template units (your-service@.service);
    # otherwise put the Vault secret path here literally
    Environment="SECRET_KEY=%i"
    # Variables exported by an ExecStartPre script do not survive into ExecStart,
    # so the script writes a file and the unit loads it (the leading "-" lets the
    # pre-step run before the file exists)
    ExecStartPre=/usr/local/bin/fetch_vault_secret.sh
    EnvironmentFile=-/run/your-service/secret.env
    ExecStart=/path/to/your/service

    [Install]
    ...

    Where the fetch_vault_secret.sh script looks like this:

    #!/bin/bash
    set -euo pipefail
    export VAULT_ADDR="https://vault.lan:8200"
    # Placeholder: load the token from a root-only file or use AppRole/agent auth
    # rather than embedding a real token in this script
    export VAULT_TOKEN="your-vault-token"

    # The vault CLI takes the literal path; slashes must not be %2F-encoded
    secret_value=$(vault kv get -field=value "secret/${SECRET_KEY}")

    # An exported variable dies with this script, so write KEY=VALUE to a file
    # readable only by the service user; the unit picks it up via EnvironmentFile=
    umask 077
    printf 'SECRET_VALUE=%s\n' "$secret_value" > /run/your-service/secret.env

    I’ll play with it some, and post the results back later.

    If anyone has a better solution please let me know :)
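As an added, runnable illustration of the hand-over problem discussed above (this is not code from the thread, from ChatGPT, or from HashiCorp: `fetch_secret` is a stub standing in for `vault kv get -field=value`, and the `myapp/db` path and all file locations are constructed), the script below writes a fetched secret into a file in the `KEY=VALUE` shape that `EnvironmentFile=` reads, checks that the file is mode 0600, and shows why exporting from a pre-start helper does nothing: a variable exported inside a child process never reaches its parent. It assumes GNU `stat -c` for the permission check.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates handing a secret from a
# pre-start helper to the main process through a private file instead of "export".
set -eu

# Stub standing in for: vault kv get -field=value secret/<path>
# (constructed sample data so the script runs offline)
fetch_secret() {
  case "$1" in
    myapp/db) printf 's3cr3t-db-pass' ;;
    *) return 1 ;;
  esac
}

# Write KEY=VALUE into a file only the owner can read, the form EnvironmentFile= expects.
# Fails (and leaves no file) when the secret path is unknown.
write_env_file() {
  path="$1"; key="$2"; secret_path="$3"
  value="$(fetch_secret "$secret_path")" || return 1
  ( umask 077; printf '%s=%s\n' "$key" "$value" > "$path" )
}

# Refuse any secret file that is readable by group or others (GNU stat assumed).
env_file_is_private() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Why "export" in an ExecStartPre script cannot work: the child's environment
# is gone once it exits, exactly as with this subshell.
export_does_not_propagate() {
  unset SECRET_VALUE
  ( export SECRET_VALUE=leaked )
  [ -z "${SECRET_VALUE:-}" ]
}

# Load the file the way systemd's EnvironmentFile= would make it visible to ExecStart.
load_env_file() {
  set -a
  . "$1"
  set +a
}

# Usage demo on a constructed temporary path
demo_dir=$(mktemp -d)
write_env_file "$demo_dir/secret.env" SECRET_VALUE myapp/db
env_file_is_private "$demo_dir/secret.env" && echo "secret.env is 0600"
```

The two checks are the ones worth keeping in a real helper: a failed Vault lookup must not leave a stale or empty file behind, and the file should be created under `umask 077` rather than `chmod`ed afterwards, so there is no window in which it is world-readable.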



  • Tree6024 to sh.itjust.works Main Community · Growing Pains?
    ▲ 7 · 1 year ago

    I know this is an older post but I’ll comment anyway.

    I haven’t been getting any errors, but sometimes when I browse, I’d be scrolling through the comments of a post, and suddenly the post would change.

    I didn’t dig into it much, but if it starts happening more often, I’ll record my network traffic (for the browser) and attach the .har file.