Managing secrets with CoreOS

Since the main method of deploying applications on CoreOS is to use containers, those containers often require environment variables to access things like databases. Those can be included as part of the Ignition file (using something like a Terraform template file) but will end up as a file in plain text on the system, so anyone with sudo will be able to read the value. While you should trust the users you provide with sudo access, is there a recommended approach for managing secrets on CoreOS systems (specifically for systemd units)?


Sorry for the late reply.

I don’t think there is any method on Linux distributions to hide secrets from root users while providing them to applications. If you want dynamic secrets, you might want to take a look at Vault:


So looking at the specs for Ignition, there doesn’t appear to be any way to pass secrets to it. I usually hate when I ask for help and the response is to just use a whole other tool, but I’m gonna recommend using Ansible to deploy your application after CoreOS is up and running. They’ve added a lot to support Podman and I’ve written several playbooks for deploying containers to Podman. Ansible allows you to keep secrets in a separate variables file, can pull from a Vault like @siosm mentioned above, or if you’re building a pipeline the CI/CD tool can store those secrets and pass them to Ansible during execution.
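As an added example (not code from either reply), here is an Ansible playbook that keeps the database credentials in a separate ansible-vault encrypted variables file, writes them to a root-only env file on the CoreOS host, and starts a Podman container with a generated systemd unit that reads them; the host group, image, container name and variable names are assumptions.

```yaml
# Added example; assumes the containers.podman collection is installed
# and that secrets.yml was created with `ansible-vault create secrets.yml`.
# secrets.yml (encrypted at rest) would contain, for example:
#   db_password: "constructed-example-password"
- name: Deploy app container on Fedora CoreOS with secrets kept out of Ignition
  hosts: coreos            # assumed inventory group
  become: true
  vars_files:
    - secrets.yml          # decrypted only at run time (--ask-vault-pass)
  vars:
    app_image: "docker.io/library/example-app:latest"   # assumed image
  tasks:
    - name: Write the environment file so only root can read it
      ansible.builtin.copy:
        dest: /etc/app.env
        owner: root
        group: root
        mode: "0600"
        content: |
          DB_HOST=db.internal
          DB_PASSWORD={{ db_password }}
      no_log: true         # keep the secret out of Ansible's own output

    - name: Run the container and hand it the secrets via the env file
      containers.podman.podman_container:
        name: app          # assumed container name
        image: "{{ app_image }}"
        state: started
        env_file: /etc/app.env
        generate_systemd:
          path: /etc/systemd/system
          restart_policy: always
```

The secrets still reside on disk readable by root, as @siosm notes above; what changes is that they never pass through the Ignition file and are not committed alongside the playbook in plain text.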