feat(vault): Add example secret to mvp vcluster + README
Context
- Minimal example of making a Vault secret accessible in a nomad job (OpenProject task 1036)
- Any security implications are out of scope for this example (followed up in task 1556)
- Depends on vs-example!6 (merged)
- This MR is in draft until vs-example!6 (merged) is merged and the hash is updated here
Impact
- Added manual steps to the README for running the vcluster mvp example with a secret
Test(s)
- Create the vc-shared-services base infrastructure
- Make sure to test this branch with the vs-example branch from vs-example!6 (merged)
- ❗ Follow the README in this MR to set up port forwarding + secret as needed
- After terraform apply, log in to Nomad and check the logs for the echo job. The example secret should be printed there:
Known issues
- It is a manual step to add a Vault secret
- For production, this example needs to be followed up with a more secure version
  - No secrets printing in cleartext
  - Ensure HTTPS for vault access
  - The secret should be `sensitive` inside Terraform
  - To be checked if the Vault token or secret are logged or stored somewhere in Terraform
  - To be checked if the secret is handled securely besides the above points
- The security issues are followed up in task 1556
Links
- OpenProject task 1036
Edited by Carolina Lindqvist
