I always find deploying secure information the most frustrating thing to learn about provisioning tools. I am not a sysadmin, but a developer, so I just want to deploy my projects. The thing is that I know too much about provisioning to just throw money at Heroku (for example) even though Heroku is a great product and I'd highly recommend it for serious projects, just not for semi-serious projects that don't make you money.
The problem with secrets and security in general for tools like Kubernetes, docker-swarm, etc, etc is that 99% of articles and tutorials don't talk about those aspects, at least not in a production-ready sense. Most tutorials you can find talk about everything from a getting-to-know-xyz sense, not this-is-how-you-deploy-for-real-with-xyz.
I have been using Dokku for a few years without really having to dive into the details. The only problem of course is that it is single node and not for clusters.
>Most tutorials you can find talk about everything from a getting-to-know-xyz sense, not this-is-how-you-deploy-for-real-with-xyz.
This is 99% of development / technical blogs / tutorials on the internet. Most are completely useless if you actually want information you can use in production systems.
The problem is the standard of developers today is so low, most don't even know you can't just copy and paste from Joe Bloggs' blog post and voila, you have production code...
At some point we'll probably transition to a proper secret vaulting solution, but for now I'm taking advantage of SaltStack's GPG renderer to embed GnuPG-encrypted values into our (Git-versioned) configuration data:
However, I often struggle to correctly format the YAML dictionaries in which I've embedded GPG-encrypted data. It is so tedious---especially when changing an encrypted value---to have to encrypt the secret, paste it into the Pillar SLS file, and carefully re-indent each line. It's especially tedious using Emacs, as a bug in yaml-mode treats the leading "---" in the GPG message start/end markers as signaling the start of a new YAML document, preventing me from highlighting the entire file and running indent-region.
Fortunately, there's an easier way thanks to the Jinja renderer's import_text function. First, save the secret in a file with a name that ends in ".gpg", as Emacs' EasyPG Assistant (EPA) will transparently decrypt such a file on read and re-encrypt it on write. Second, use import_text to load the ".gpg" file into a variable. Third, reference this variable in the appropriate Pillar key like any other Jinja variable, filtering it through yaml_encode. Your Pillar SLS files go from looking like this:
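The layout described above, as an added illustration rather than the commenter's own files: it assumes a Pillar file rendered with the jinja|yaml|gpg chain and a constructed ciphertext file secrets/db_password.gpg under the Pillar root, encrypted to the Salt master's GPG key.

```jinja
#!jinja|yaml|gpg
{# Before: the armored ciphertext pasted inline, where every line must be
   re-indented by hand each time the secret is rotated (shown commented out). #}
# db_password: |
#   -----BEGIN PGP MESSAGE-----
#   <armored ciphertext lines, placeholder>
#   -----END PGP MESSAGE-----

{# After: keep the ciphertext in its own .gpg file (constructed path, assumed
   to sit under pillar_roots) and load it verbatim with import_text. #}
{% import_text "secrets/db_password.gpg" as db_password %}

{# yaml_encode emits a correctly quoted YAML scalar, so the multi-line
   "-----BEGIN PGP MESSAGE-----" block needs no manual indentation.
   The gpg renderer decrypts it on the master after the jinja and yaml passes. #}
db_password: {{ db_password | yaml_encode }}
```

Check the result on a test minion with `salt 'test-minion' pillar.item db_password`; decryption happens on the master, so the minion receives the plaintext value.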
ansible-vault is great for this. Obviously it doesn't help puppet users.
The one thing I like about it is that it's bundled with ansible, so you don't have to rely on version-control specific tools (e.g. git-crypt) or third-party tools (Hashicorp Vault).
Yes, I appreciate Vault has many more features, but if you just need to encrypt a handful of secrets and you're already using ansible it's a no-brainer.