05/11/2021, 7:47 PM
Had a general question about config/secrets. Is there any intention of supporting hashivault via direct secret lookup as opposed to the transit backend? We're using a combination of the transit (encrypted in the yaml) and a helper method to lookup things that might not necessarily be able to be encrypted in the YAML file (e.g. something from an existing K/V mount) without having to duplicate that secret into the YAML file. The secrets-as-local-configs is great and all, until you realize it just doesn't scale very well when a secret needs to be re-used multiple times across multiple stacks. Obviously there are a ton of ways to implement this. For example, since we're using Python, I have a quick and dirty hvac implementation that does something like this:
import pulumi

def get_kv2_secret(self, mount_point: str, path: str) -> pulumi.Output:
    """Retrieve a KV2 secret based on the given path.

    This method actually returns a Pulumi Output future representing a
    secret so that the actual value is obscured until apply time.
    """
    # Assumed: self.client is an hvac.Client; the KV v2 read returns the
    # secret's key/value map under ["data"]["data"].
    secret = self.client.secrets.kv.v2.read_secret_version(
        mount_point=mount_point, path=path
    )
    output_secret = pulumi.Output.secret(secret["data"]["data"])

    return output_secret
But it would be nice to know what pulumi's roadmap is for supporting placeholder config values which are just references to the "real" K/V path in vault (similar to above^).
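As an added illustration of the placeholder idea raised in this message (not code from the poster, Pulumi or hvac), the following resolver treats config values of the assumed form `vault://<mount>/<path>#<key>` as references to a KV v2 secret, fetches each mount/path once even when several config keys reuse it, and wraps the results in a redacting wrapper that plays the role `pulumi.Output.secret` plays above. Vault itself is replaced by a constructed in-memory lookup so the example runs offline; the comment shows where the real hvac read would go.

```python
import re
from typing import Any, Callable, Dict, Mapping, Tuple

# Assumed placeholder syntax for this example: vault://<mount>/<path>#<key>
PLACEHOLDER = re.compile(r"^vault://(?P<mount>[^/]+)/(?P<path>[^#]+)#(?P<key>.+)$")


class SecretValue:
    """Stand-in for pulumi.Output.secret: hides the plaintext in str()/repr()."""

    __slots__ = ("_value",)

    def __init__(self, value: Any) -> None:
        self._value = value

    def reveal(self) -> Any:
        """Explicit accessor; the only way to get the plaintext back out."""
        return self._value

    def __repr__(self) -> str:
        return "SecretValue(<redacted>)"

    __str__ = __repr__


# (mount, path) -> the secret's key/value map
Lookup = Callable[[str, str], Mapping[str, Any]]

# Constructed sample data standing in for a KV v2 mount; not real credentials.
CONSTRUCTED_KV: Dict[Tuple[str, str], Dict[str, str]] = {
    ("secret", "db/prod"): {"username": "app", "password": "example-db-pw"},
    ("secret", "api/billing"): {"token": "example-api-token"},
}


def constructed_lookup(mount: str, path: str) -> Mapping[str, Any]:
    """Offline stand-in for the hvac call:
    client.secrets.kv.v2.read_secret_version(path=path, mount_point=mount)["data"]["data"]
    """
    try:
        return CONSTRUCTED_KV[(mount, path)]
    except KeyError:
        raise LookupError(f"no KV v2 secret at {mount}/{path}") from None


def resolve_config(
    config: Mapping[str, Any], lookup: Lookup = constructed_lookup
) -> Tuple[Dict[str, Any], int]:
    """Replace vault:// placeholders with SecretValue wrappers.

    Non-placeholder values pass through unchanged. Each (mount, path) is read
    once and cached, so a secret reused by many config keys costs one lookup.
    Returns (resolved_config, number_of_vault_reads).
    """
    cache: Dict[Tuple[str, str], Mapping[str, Any]] = {}
    resolved: Dict[str, Any] = {}
    for name, raw in config.items():
        match = PLACEHOLDER.match(raw) if isinstance(raw, str) else None
        if match is None:
            resolved[name] = raw
            continue
        mount, path, key = match.group("mount", "path", "key")
        if (mount, path) not in cache:
            cache[(mount, path)] = lookup(mount, path)
        data = cache[(mount, path)]
        if key not in data:
            raise KeyError(f"key {key!r} not present in secret {mount}/{path}")
        resolved[name] = SecretValue(data[key])
    return resolved, len(cache)


if __name__ == "__main__":
    sample = {
        "db_user": "vault://secret/db/prod#username",
        "db_pass": "vault://secret/db/prod#password",
        "region": "us-east-1",
    }
    out, reads = resolve_config(sample)
    print(out, "reads:", reads)  # secrets print redacted; reads == 1
```

The wrapper only redacts accidental printing and logging; in a real stack the same place would call `pulumi.Output.secret` so that Pulumi tracks the value as secret in state and diffs.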