helpful pointers for secrets/configs
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
8bd0c77a5f
commit
50a9bc5e5e
|
@ -66,6 +66,8 @@ configs:
|
|||
template_driver: golang
|
||||
```
|
||||
|
||||
Because configurations are maintained in-repository by maintainers, we version them ourselves. This means that configs changes are seamless to operators unless they cause breaking changes which should be signalled in the new version and release notes. This is in distinction to secrets, which are managed by the operators. For example, operators may need to rotate secrets on a running deployment and should be able to do so at any time. We put the versions in the [`abra.sh`](/maintainers/handbook/#abrash) file.
|
||||
|
||||
```bash
|
||||
# abra.sh
|
||||
export NGINX_CONFIG_VERSION=v1
|
||||
|
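Review bot: The added paragraph before the `abra.sh` block has a grammar slip ("configs changes" should be "config changes") and says versions live in `abra.sh` without saying when a maintainer has to bump `NGINX_CONFIG_VERSION`. Suggest adding one sentence that states the bump rule. The aside about operators rotating secrets overlaps with the paragraph added in the secrets section and could be shortened to a pointer there.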
@ -119,6 +121,8 @@ secrets:
|
|||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||
```
|
||||
|
||||
Operators manage the secret versions themselves. So we provide a version hook in the environment variables which they control. This allows operators to deal with things like secret rotation without having to rely on recipe maintainers.
|
||||
|
||||
```bash
|
||||
# .env.sample
|
||||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
|
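Review bot: The added paragraph above the `.env.sample` block mentions "a version hook in the environment variables" without naming it. Name `SECRET_DB_PASSWORD_VERSION` there so readers can tie it to the `${SECRET_DB_PASSWORD_VERSION}` suffix in the secret name shown just before. "So we provide ..." also reads better joined to the previous sentence than as its own sentence.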
@ -134,7 +138,9 @@ configs:
|
|||
template_driver: golang
|
||||
```
|
||||
|
||||
Don't forget the `template_driver: golang`, it won't work otherwise. Then you can use the following syntax to access the secret:
|
||||
Don't forget the `template_driver: golang`, it won't work otherwise.
|
||||
|
||||
Then you can use the following syntax to access the secret:
|
||||
|
||||
```go
|
||||
# someconfig.conf
|
||||
|
|
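Review bot: In the reworded line about `template_driver: golang`, "it won't work otherwise" is a comma splice and does not say what fails. Suggest "Don't forget `template_driver: golang`; without it ..." followed by the symptom a reader would see. Separately, the fence that follows is tagged `go` although its first line is `# someconfig.conf`, a config file comment, so a neutral tag may fit better.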