Overview
Secret management system is a built-in way to deploy secrets to remote systems, similar to agenix and other similar systems.
Secrets are encrypted using system’s host ssh key (/etc/ssh/ssh_host_ed25519_key), which is not required to build the remote system/add secret to fleet configuration, fleet users are encrypting secrets using received public key instead, they don’t need the root access to receive the public encryption key.
Example
{
fleet.secrets = {
"my-secret" = {
expectedOwners = [ "host1" "host2" ];
regenerateOnOwnerAdded = true;
generator = {mkImpureSecretGenerator}:
mkImpureSecretGenerator {
script = ''
echo "secret content" | gh private -o $out/secret
'';
};
};
}
}Limitations and Future Improvements
-
Pure secret generators are currently disabled
-
Support for other secret management systems (e.g systemd-creds has planned asymmetric encryption support)