Inject secrets into parameters too #878
Comments
I would like to help with this issue.
Great! I could use some help thinking about the design of this feature. We aren't quite ready to start coding yet. For some background, in the CNAB spec there is a distinction between parameters and credentials. Credentials are intended not for sensitive information but for information related to the identity of the person executing the bundle, for example your credentials for AWS. Anything else should be a parameter, like the application's password to connect to MySQL. Even though that really should be protected carefully too! 😄 The CNAB spec has the runtime and the tools (like Porter) treat credentials and parameters very differently because of this distinction:
With plugins, Porter supports having credential sets resolve their value against a secret store in the cloud (or anywhere, really). This is more secure. But how do we do the same thing for parameters? 🤔 We can change how we pass in parameters (it doesn't have to be a flag), or we can change how the flag works, or add a new flag, etc. Essentially we need a way for the user to say, "Here is how to get the value for this parameter from a secret store", i.e., this is the key to use when looking it up. All of the configuration of the secret store is already taken care of by the plugins work, so you don't need to worry about that. SO! 😅 If you would like to think about the design of that, and what the user experience (UX) would be, that is the real work for this story.
Let me think about the design. I will un-assign myself so that other people can engage on this issue.
This functionality is now in place. The ability to declare parameter(s) with
The secrets plugin lets you inject values from external sources, such as key vault, into a credential. I want to be able to keep my secrets safe in my vault and inject them into parameters as well, since CNAB says boring stuff (non-identity) such as database passwords should be parameters and not credentials. KEEP ALL THE THINGS SAFE PLZ! 🙇♀
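The design being discussed above is "the parameter set names a key, and the runtime asks the configured secret store for the value", so the file a user checks in never holds the secret itself. The following is an added illustrative sketch of that resolution step, not Porter's code and not the CNAB spec; the `SecretStore` interface, the `Source{Kind, Key}` shape, the `memStore` stand-in for a vault plugin and the sample parameter set are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// SecretStore is what a secrets plugin would expose to the runtime:
// look a key up, hand back the value. Hypothetical interface for this sketch.
type SecretStore interface {
	Get(key string) (string, error)
}

// memStore is a constructed in-memory store standing in for a cloud vault.
type memStore map[string]string

func (m memStore) Get(key string) (string, error) {
	v, ok := m[key]
	if !ok {
		return "", fmt.Errorf("secret %q not found in store", key)
	}
	return v, nil
}

// Source says where a parameter's value comes from. Kind is one of
// "value" (literal), "env" (variable name) or "secret" (store key).
// Only the key is written to disk; for "secret" that is all the file reveals.
type Source struct {
	Kind string
	Key  string
}

type Parameter struct {
	Name   string
	Source Source
}

type ParameterSet struct {
	Name       string
	Parameters []Parameter
}

// Describe lists what each parameter resolves from, without resolving it.
// Safe to log or print, since it never contains a looked-up value.
func (ps ParameterSet) Describe() []string {
	out := make([]string, 0, len(ps.Parameters))
	for _, p := range ps.Parameters {
		out = append(out, fmt.Sprintf("%s <- %s:%s", p.Name, p.Source.Kind, p.Source.Key))
	}
	return out
}

// Resolve turns the set into name -> value, consulting the store only for
// "secret" sources. A missing secret or env var fails the whole resolution
// rather than silently passing an empty string to the bundle.
func (ps ParameterSet) Resolve(store SecretStore) (map[string]string, error) {
	out := make(map[string]string, len(ps.Parameters))
	for _, p := range ps.Parameters {
		var v string
		var err error
		switch p.Source.Kind {
		case "value":
			v = p.Source.Key
		case "env":
			var ok bool
			if v, ok = os.LookupEnv(p.Source.Key); !ok {
				err = fmt.Errorf("environment variable %q is not set", p.Source.Key)
			}
		case "secret":
			if store == nil {
				err = errors.New("no secret store configured")
			} else {
				v, err = store.Get(p.Source.Key)
			}
		default:
			err = fmt.Errorf("unknown source kind %q", p.Source.Kind)
		}
		if err != nil {
			return nil, fmt.Errorf("parameter %q: %w", p.Name, err)
		}
		out[p.Name] = v
	}
	return out, nil
}

func main() {
	// Constructed sample: the vault holds the app's database password.
	store := memStore{"mysql-app-password": "example-only-not-a-real-secret"}
	ps := ParameterSet{Name: "demo", Parameters: []Parameter{
		{Name: "mysql-user", Source: Source{Kind: "value", Key: "app"}},
		{Name: "mysql-password", Source: Source{Kind: "secret", Key: "mysql-app-password"}},
	}}
	for _, line := range ps.Describe() {
		fmt.Println(line)
	}
	values, err := ps.Resolve(store)
	if err != nil {
		fmt.Println("resolve failed:", err)
		return
	}
	fmt.Printf("resolved %d parameters (values redacted)\n", len(values))
}
```

The point of the split between `Describe` and `Resolve` is that everything a user would commit, diff or print refers only to a key name; the secret exists in memory only after the store is consulted, which is the same property credential sets already get from the plugins.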