The big question with heatlamp-ansible is: what's the correct way to handle secrets? I can see a few alternatives:

1. Put the vault password in the vault and hand it to heatlamp-ansible by environment variable. You'd need root on the box to read it from the container anyway, in which case you could just read all of the vault secrets from wherever they were templated in. On the other hand, if you have secrets in your vault that aren't used on every host, this makes an exploit on any box in your system worse by giving access to all secrets at once.
2. Use tags to skip tasks that need secrets. If you change a secret, you'll need to re-run the playbook by hand for those settings to change. I expect this won't be a viable option in many cases just because most containers will need access to at least one secret, so the set of things that you'll actually be able to continuously deploy will be small.
3. Template in an unencrypted var file with only the relevant secrets in it. A middle ground for option 1. Reasonable, but likely to require some finesse to implement.
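One way to implement option 3, as an added example that is not part of this issue or of heatlamp-ansible itself; the names `vault_secrets` and `host_secret_keys` and the destination path are assumptions:

```yaml
# Added example (not heatlamp-ansible code): a play that renders, per host, an
# unencrypted var file holding only the secrets that host actually needs.
# Assumptions: group_vars/all/vault.yml is ansible-vault encrypted and defines a
# dict `vault_secrets`; each host or group defines `host_secret_keys`, the list
# of keys it is allowed to receive; /etc/heatlamp/secrets.yml is illustrative.
- hosts: all
  become: true
  vars_files:
    - group_vars/all/vault.yml
  vars:
    # Only entries whose key is listed in host_secret_keys survive the filter,
    # so a compromised host exposes just its own subset of the vault.
    host_secrets: >-
      {{ vault_secrets | dict2items
         | selectattr('key', 'in', host_secret_keys)
         | items2dict }}
  tasks:
    - name: Refuse to continue if a host asks for a key the vault does not have
      assert:
        that: host_secret_keys | difference(vault_secrets.keys() | list) | length == 0
        fail_msg: "host_secret_keys names secrets that are missing from the vault"

    - name: Write this host's secrets as an unencrypted var file, readable by root only
      copy:
        dest: /etc/heatlamp/secrets.yml
        content: "{{ host_secrets | to_nice_yaml }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true   # keep the secret values out of task output and logs
```

The vault password is still only needed on the machine running the play, so a box that is compromised later yields at most the keys its own `host_secret_keys` named.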
Here's my opinion: I hate ansible-vault. Maybe the option to not specify any vault pass at all (not setting --vault-password-file) and instead allow me to use the amazing citadel plugin 😄 https://github.com/balanced-ops/citadel-ansible