Managing secrets with CoreOS

Since the main method of deploying applications on CoreOS is to use containers, those containers often require environment variables to access things like databases. Those can be included as part of the Ignition file (using something like a Terraform template file) but will end up as a file in plain text on the system, so anyone with sudo will be able to read the value. While you should trust the users you provide with sudo access, is there a recommended approach for managing secrets on CoreOS systems (specifically for systemd units)?
