helpful pointers for secrets/configs

decentral1se 2022-02-04 10:48:43 +01:00
parent 8bd0c77a5f
commit 50a9bc5e5e
Signed by untrusted user: decentral1se
GPG Key ID: 03789458B3D0C410
1 changed files with 7 additions and 1 deletions


@ -66,6 +66,8 @@ configs:
template_driver: golang
```
Because configurations are maintained in-repository by maintainers, we version them ourselves. This means that configs changes are seamless to operators unless they cause breaking changes which should be signalled in the new version and release notes. This is in distinction to secrets, which are managed by the operators. For example, operators may need to rotate secrets on a running deployment and should be able to do so at any time. We put the versions in the [`abra.sh`](/maintainers/handbook/#abrash) file.
```bash
# abra.sh
export NGINX_CONFIG_VERSION=v1
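Review bot: In the added paragraph, the closing sentence "We put the versions in the `abra.sh` file" is separated from the opening statement it belongs to by the aside about secrets, so the reader has to work out that "the versions" means config versions. Suggest moving it directly after "we version them ourselves" and leaving the comparison with secrets for last. Two wording fixes in the same paragraph: "configs changes" should be "config changes", and "in distinction to" reads more naturally as "in contrast to".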
@ -119,6 +121,8 @@ secrets:
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
```
Operators manage the secret versions themselves. So we provide a version hook in the environment variables which they control. This allows operators to deal with things like secret rotation without having to rely on recipe maintainers.
```bash
# .env.sample
SECRET_DB_PASSWORD_VERSION=v1
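Review bot: The added paragraph says operators control the version variable but never says what changing it does. The context line above builds the secret name from `${SECRET_DB_PASSWORD_VERSION}`, so a new value makes the stack reference a differently named secret; a sentence stating that, and that the secret under the new name has to exist before the redeploy, would make the rotation step explicit. "Operators manage the secret versions themselves. So we provide ..." would also read better joined into one sentence.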
@ -134,7 +138,9 @@ configs:
template_driver: golang
```
Don't forget the `template_driver: golang`, it won't work otherwise. Then you can use the following syntax to access the secret:
Don't forget the `template_driver: golang`, it won't work otherwise.
Then you can use the following syntax to access the secret:
```go
# someconfig.conf
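Review bot: Both added lines keep "it won't work otherwise" unchanged, which is a comma splice and still does not tell the reader what fails. Suggest naming the consequence of omitting `template_driver: golang` (presumably that the secret syntax shown afterwards is not evaluated) and making it a sentence of its own. While this paragraph is being touched, the context fence that follows is tagged `go` but opens with `# someconfig.conf`, which is a config file comment rather than Go; the tag is worth correcting.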