orange-policeman-59119 02/28/2019, 10:56 PM
and some extra config in
. Is that possible? This is related to the use case I described earlier of having arbitrarily many stacks (stack-per-branch). When creating what GitLab calls review apps, we may, for example, generate random credentials to inject as secrets per-stack, but we would also have a bunch of static config stored in a shared file.
bitter-oil-46081 02/28/2019, 11:27 PM
orange-policeman-59119 02/28/2019, 11:54 PM
Thanks for following up! As a follow-up question, is there a story for asymmetric encryption of secrets?
bitter-oil-46081 03/01/2019, 10:07 PM
Sorry for the delayed response, @orange-policeman-59119. Are you asking about a model where you encrypt secrets using some public key and then hand the private key to
so that pulumi is unable to decode the secrets without a key you provide? We do have an issue tracking the ability to plug in a provider that handles encryption/decryption of secrets. See https://github.com/pulumi/pulumi/issues/1547, which would be our answer here.
orange-policeman-59119 03/01/2019, 10:20 PM
with secrets to my Git repo. I'd like an engineer to be able to run `pulumi config set --secret foo bar` without needing the symmetric key. That is, in addition to the symmetric key, it would be nice to be able to set an asymmetric key, where the public key is stored in the config file, and the private key is used by the CI/CD system or unlocked with a symmetric key.
bitter-oil-46081 03/01/2019, 10:26 PM
This means that
could be run by any engineer (it just needs to encrypt a value using the public key, which is right in the file) but operations like
`pulumi config set --secret`
`pulumi config get --show-secrets`
which require you to actually decrypt the secret would require you to provide the private key somehow (i.e. you could imagine a
argument you'd pass to these commands).
Do I have the right of it there, @orange-policeman-59119?
orange-policeman-59119 03/01/2019, 10:26 PM
bitter-oil-46081 03/01/2019, 10:31 PM