by tetha 3202 days ago
Vault is a pretty good thing. For some time, we used chef attributes and environments, but by now we have migrated most stuff into vault. The migration was easy, because chef attributes form a big JSON object, so you can translate that into a secret tree in vault in a straightforward way.

The worst part about vault is managing access in a secure way and granting access to the right parts, imo. We leverage the pki backend (or rather, three dozen pki backends) to map nodes to their respective policies, and that required quite a bit of tooling to make work. But now it does, it's secure, and if need comes, it should be easy to revoke secret access for a cluster.
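The attribute-tree-to-secret-tree translation the comment describes, as an added example (this is not the commenter's tooling, and Vault's own CLI is only rendered as text, not invoked). It assumes a KV v2 mount named `secret`, a `clusters/<cluster>/...` layout for per-cluster secrets, and a constructed set of Chef-style attributes; each nested dict becomes one secret path whose scalar children are its keys, and the per-cluster policy is the Vault-side half of scoping a cluster to its own subtree (the certificate-based binding of nodes to that policy is not shown).

```python
"""Flatten Chef-attribute-style nested JSON into Vault KV v2 secret paths.

Added example, not code from the original comment. Assumptions (all constructed):
the KV v2 mount is called "secret", per-cluster secrets live under
clusters/<cluster>/..., and SAMPLE_ATTRS below is made-up data.
"""
import json
import shlex

# Constructed sample: a Chef-style attribute tree for one database cluster.
SAMPLE_ATTRS = {
    "postgresql": {
        "password": "example-not-a-real-password",
        "port": 5432,
        "replicas": ["db2", "db3"],
        "replication": {"user": "repl", "password": "example-not-real-either"},
    },
    "app": {"api_key": "constructed-api-key"},
}


def _to_kv_string(value):
    """`vault kv put k=v` stores every value as a string. Strings are kept as-is;
    everything else (ints, bools, lists, None) is JSON-encoded so a consumer can
    decode it unambiguously later."""
    return value if isinstance(value, str) else json.dumps(value)


def chef_attrs_to_vault_secrets(attrs, mount="secret", prefix=""):
    """Walk a nested attribute dict and return {vault_path: {key: str}}.

    Every dict becomes one secret at its own path; its non-dict children become
    that secret's keys, and dict children recurse into child paths. A key that
    contains "/" would silently split the Vault path, so it is rejected."""
    secrets = {}

    def walk(node, path):
        leaves = {}
        for key, value in node.items():
            if "/" in key:
                raise ValueError(f"attribute key {key!r} would split the Vault path")
            if isinstance(value, dict):
                walk(value, f"{path}/{key}")
            else:
                leaves[key] = _to_kv_string(value)
        if leaves:  # dicts holding only sub-dicts get no secret of their own
            secrets[path] = leaves

    root = "/".join(p.strip("/") for p in (mount, prefix) if p.strip("/"))
    walk(attrs, root)
    return secrets


def to_vault_cli(secrets):
    """Render one shell-quoted `vault kv put` command per secret path.

    With a KV v2 mount the CLI inserts the `data/` path segment itself, so the
    paths here are the logical ones (secret/clusters/...), not secret/data/...."""
    commands = []
    for path in sorted(secrets):
        pairs = " ".join(
            shlex.quote(f"{key}={value}") for key, value in sorted(secrets[path].items())
        )
        commands.append(f"vault kv put {shlex.quote(path)} {pairs}")
    return commands


def cluster_policy(cluster, mount="secret"):
    """HCL policy that lets one cluster read only its own subtree.

    KV v2 serves secret contents under <mount>/data/ and directory listings under
    <mount>/metadata/, so a read-only policy needs both paths. Revoking the
    cluster means deleting this policy (or the auth role bound to it)."""
    return (
        f'path "{mount}/data/clusters/{cluster}/*" {{\n'
        f'  capabilities = ["read"]\n'
        f"}}\n"
        f'path "{mount}/metadata/clusters/{cluster}/*" {{\n'
        f'  capabilities = ["list"]\n'
        f"}}\n"
    )


if __name__ == "__main__":
    tree = chef_attrs_to_vault_secrets(SAMPLE_ATTRS, prefix="clusters/db-eu-1")
    print("\n".join(to_vault_cli(tree)))
    print(cluster_policy("db-eu-1"))
```

Running the block prints three `vault kv put` commands (one each for `postgresql`, `postgresql/replication` and `app`) followed by the HCL policy; the commands are only rendered, so the flattening can be inspected before anything is written to Vault.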