currently we do this https://git.corp.adobe.com/ethos-infrastructure/ethos-cluster-configs/blob/master/ethos02-prod-or1/ethos-monitoring-config.json#L119
if a password is changed in vault then the configs have to be regenerated and monitoring made to run again (which right now means deleting packages). ugly, dirty, annoying.
if butler just parsed this {{vault.secret/ethos/deploy/framework-auth/prod/ethos02-prod-or1:dcos-ethos-services}} and did the substitution for a password from vault directly then changing a password in vault would change the password in production. beautiful, clean, convenient.
the only problem with this is that butler would need to be able to login to vault without a human, not sure if that interferes with the security theatre. at present we end up putting lots of secrets from vault into the butler package json, this change would allow all those to be removed, in exchange for butler having creds for vault, which it doesn't need to display or write out anywhere, it can keep them private and secure.
the change would seem to increase both security and flexibility
the key is thinking of a clever way for butler to get its vault creds, since obviously building them into the package is not an option, it needs to get creds somehow when it runs, maybe from the disk placed there during cluster build along with all the others in ethos-security?
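The substitution step described above, written out as an added example (not butler's own code): it finds every `{{vault.secret/<path>:<key>}}` placeholder in a config, resolves it through a caller-supplied read function, and JSON-escapes the value so a secret containing quotes or backslashes cannot alter the structure of the rendered document. The in-memory `FAKE_VAULT`, the sample config and the token file path are constructed assumptions; a real deployment would wrap Vault's KV read API behind `read_secret` and keep the token only in memory.

```python
import json
import re
from typing import Callable, Dict

# Matches {{vault.secret/<path>:<key>}}, the placeholder form quoted in the post.
PLACEHOLDER = re.compile(r"\{\{vault\.(?P<path>secret/[^:}]+):(?P<key>[^}]+)\}\}")


def resolve_placeholders(config_text: str, read_secret: Callable[[str, str], str]) -> str:
    """Replace every vault placeholder in config_text with the secret it names.

    read_secret(path, key) returns the value of `key` under Vault path `path`;
    the caller supplies it, so this function never sees Vault credentials.
    """
    def substitute(match: re.Match) -> str:
        value = read_secret(match.group("path"), match.group("key"))
        # Escape for JSON so the secret lands inside the string literal intact
        # instead of breaking (or rewriting) the surrounding document.
        return json.dumps(value)[1:-1]
    return PLACEHOLDER.sub(substitute, config_text)


def load_vault_token(token_path: str) -> str:
    """Read butler's Vault token from a file placed on disk at cluster build (assumed layout)."""
    with open(token_path, encoding="utf-8") as f:
        return f.read().strip()


# Constructed stand-in for Vault: path -> {key: value}; the value deliberately
# contains a quote and a backslash to exercise the escaping above.
FAKE_VAULT: Dict[str, Dict[str, str]] = {
    "secret/ethos/deploy/framework-auth/prod/ethos02-prod-or1": {
        "dcos-ethos-services": 'p@ss"word\\1',
    }
}


def fake_read_secret(path: str, key: str) -> str:
    return FAKE_VAULT[path][key]


# Constructed sample config using the exact placeholder from the post.
SAMPLE_CONFIG = (
    '{"password": "{{vault.secret/ethos/deploy/framework-auth/prod/'
    'ethos02-prod-or1:dcos-ethos-services}}", "user": "monitoring"}'
)


def render_sample() -> dict:
    """Render SAMPLE_CONFIG against FAKE_VAULT and parse the result as JSON."""
    return json.loads(resolve_placeholders(SAMPLE_CONFIG, fake_read_secret))
```

Because the secret is fetched at render time, rotating it in Vault changes what the next render produces without regenerating the committed config.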