Fedora CoreOS secret injection

Hi,

another question regarding the whole CoreOS deployment process. My ultimate goal is to host various podman containers on a bare metal machine. For that I need to define some env-files that contain user account details.

Currently I define those in the Butane config as inline values and deploy the files. I wonder, is there a better way to do that? Especially when it comes to ssh-keys. I already read Producing an Ignition Config :: Fedora Docs and for public keys this should be fine. But what about private keys and general “secret” stuff?

Is there a pre-defined way to do that with Butane/Ignition?

Ignition has some stub documentation about this, but we should document it better in the Fedora CoreOS docs. The short version is: if possible, put secrets in a properly-configured secret storage platform, and not in the Ignition config. If you must put secrets in the Ignition config, be sure to configure the OS to block unprivileged processes fetching them from userdata afterward.
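For the env-file case from the question, here is an added example (not from the thread or the Fedora docs) of the least-privilege version of the inline approach: the file lands on disk root-only with mode 0600 and podman reads it directly via --env-file, so no unprivileged local process can read the credentials. The unit name, paths, image and values are placeholders.

```yaml
# Added example: Butane config writing a root-only env-file and a systemd
# unit that passes it to podman. Unit name, paths, image and values are
# placeholders chosen for this example.
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/containers/env/myapp.env   # placeholder path
      mode: 0600                            # root read/write only
      user:
        name: root
      group:
        name: root
      contents:
        inline: |
          # constructed placeholder values, replace before use
          APP_DB_USER=example
          APP_DB_PASSWORD=CHANGE-ME
systemd:
  units:
    - name: myapp.service                   # placeholder unit name
      enabled: true
      contents: |
        [Unit]
        Description=Example podman container using a root-only env-file
        After=network-online.target
        Wants=network-online.target
        [Service]
        # podman reads the file itself, so the values are not loaded into
        # the systemd service environment and stay in the 0600 file.
        ExecStartPre=-/usr/bin/podman rm -f myapp
        ExecStart=/usr/bin/podman run --name myapp --rm \
          --env-file /etc/containers/env/myapp.env \
          quay.io/example/myapp:latest
        ExecStop=/usr/bin/podman stop myapp
        Restart=on-failure
        [Install]
        WantedBy=multi-user.target
```

This only protects the on-disk copy: the same values still sit in the Ignition config wherever it is hosted or fetched from, which is exactly what the reply above is warning about.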

Thx for the clarification; seems to be overkill for my personal project but good to keep it in mind!