2020-12-27 01:18


This adds support for secrets stored in HashiCorp Vault. What is here should be heavily documented in the diff itself, so I'll defer to that rather than writing more here in the PR body. This is all rather much, so please do tear it apart and let me know if anything is confusing, misleading, dangerous, insecure, etc.

Open questions:

  • Monitoring of the fetcher daemon: The daemon will run as an appcommon::daemon, which means we'll get log shipping and QA checks for free. There isn't any facility for alerting on sudden failure down the line, though.

Future work:

  • HVAC integration. The integration should take the vault_token from this stuff and allow full in-app access to vault's more interesting features (like the transit backend). All with diagnostics instrumentation, of course!
  • Database credentials: The database helpers should get integration with the Vault stuff so that apps can automatically fetch rotating DB credentials.
