From 50a9bc5e5ebc4caad42ca1d8958d2aff00f86712 Mon Sep 17 00:00:00 2001 From: decentral1se Date: Fri, 4 Feb 2022 10:48:43 +0100 Subject: [PATCH] helpful pointers for secrets/configs --- docs/maintainers/handbook.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/maintainers/handbook.md b/docs/maintainers/handbook.md index e34c6dd0..c3482c94 100644 --- a/docs/maintainers/handbook.md +++ b/docs/maintainers/handbook.md @@ -66,6 +66,8 @@ configs: template_driver: golang ``` +Because configurations are maintained in-repository by maintainers, we version them ourselves. This means that configs changes are seamless to operators unless they cause breaking changes which should be signalled in the new version and release notes. This is in distinction to secrets, which are managed by the operators. For example, operators may need to rotate secrets on a running deployment and should be able to do so at any time. We put the versions in the [`abra.sh`](/maintainers/handbook/#abrash) file. + ```bash # abra.sh export NGINX_CONFIG_VERSION=v1 @@ -119,6 +121,8 @@ secrets: name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} ``` +Operators manage the secret versions themselves. So we provide a version hook in the environment variables which they control. This allows operators to deal with things like secret rotation without having to rely on recipe maintainers. + ```bash # .env.sample SECRET_DB_PASSWORD_VERSION=v1 @@ -134,7 +138,9 @@ configs: template_driver: golang ``` -Don't forget the `template_driver: golang`, it won't work otherwise. Then you can use the following syntax to access the secret: +Don't forget the `template_driver: golang`, it won't work otherwise. + +Then you can use the following syntax to access the secret: ```go # someconfig.conf
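Review bot: In the first hunk (the paragraph added before the `# abra.sh` block), the text says maintainers version configs themselves but never says when a version has to change, so a reader cannot tell whether a config can be edited without touching `NGINX_CONFIG_VERSION`. Suggest one more sentence stating the rule for bumping the version in `abra.sh` and what counts as a breaking change that needs a release note. Two wording points in the same paragraph: "configs changes" should be "config changes", and "This is in distinction to secrets, which are managed by the operators" reads better as "Unlike secrets, which operators manage, ...".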
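Review bot: In the second hunk (the paragraph added before the `# .env.sample` block), the "version hook" is introduced without saying what an operator does with it during a rotation. Since the secret name shown just above is `${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}`, it would help to spell out that rotating means changing `SECRET_DB_PASSWORD_VERSION` in the operator's own env file, which selects a differently named secret on the next deploy. Style: "Operators manage the secret versions themselves. So we provide ..." is better joined into one sentence ("..., so we provide ...").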
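Review bot: In the third hunk, splitting the paragraph leaves "Don't forget the `template_driver: golang`, it won't work otherwise." standing alone, where "it" has no referent and the comma joins two independent clauses. Suggest naming what fails, for example "Don't forget `template_driver: golang`; without it the secret syntax below is not available in the config." (adjust to the actual behaviour), so the warning is usable by someone who lands on this line directly.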