Tools are everything not directly related to managing secrets, and help to use them while avoiding them to touch disk.
This can be achieved by putting the following capabilities together:
- Context Creation
- A context is just a bunch of properties in a structure.
- Used to instantiate and customize templates.
- Parts of it may be secret.
- It can live in multiple places, such as files and in-memory as it is produced in real-time by programs. The latter can be 'sheesy' decrypting a file on the fly.
- Template Substitution
- Using a templating engine and a set of templates, the data can be placed in any kind of file to be consumed by other tools.
- It's also useful to maintain a library of templates which are controlled by contexts, which change depending on the one use-case.
As an abstract example, this is how the build-pipeline for kubernetes could look like:
stage=production
merge \
<(show-secret $stage/infrastructure.yml) \
etc/team.json \
etc/stages/$stage.yml \
| substitute \
--separator $'---\n' \
etc/template/k8s-shared-infrastructure.yml \
etc/template/k8s-$stage-infrastructure.yml \
| kubectl --kubeconfig <(show-secret $stage/kube.config) apply -f -
Read on to learn more about the individual tools to merge, substitute and extract.