Tools are everything not directly related to managing secrets, and help to use them while avoiding them to touch disk.

This can be achieved by putting the following capabilities together:

  1. Context Creation
    • A context is just a bunch of properties in a structure.
    • Used to instantiate and customize templates.
    • Parts of it may be secret.
    • It can live in multiple places, such as files and in-memory as it is produced in real-time by programs. The latter can be 'sheesy' decrypting a file on the fly.
  2. Template Substitution
    • Using a templating engine and a set of templates, the data can be placed in any kind of file to be consumed by other tools.
    • It's also useful to maintain a library of templates which are controlled by contexts, which change depending on the one use-case.

As an abstract example, this is how the build-pipeline for kubernetes could look like:

stage=production
merge \
    <(show-secret $stage/infrastructure.yml) \
    etc/team.json \
    etc/stages/$stage.yml \
| substitute \
    --separator $'---\n' \
    etc/template/k8s-shared-infrastructure.yml \
    etc/template/k8s-$stage-infrastructure.yml \
| kubectl --kubeconfig <(show-secret $stage/kube.config) apply -f -

Read on to learn more about the individual tools to merge, substitute and extract.