Add flyctl commands for managing secrets that are kms keys #3901
Conversation
|
TODO: This needs go.mod changes for new fly-go/flaps version once that lands. |
|
manually tested listing, setting, and deleting kms secrets (with pr flaps client, and flaps server on dev gw), and verified that keys are visible in machine's kmsfs (with flyd pr that allows qmx machines to start kmsfs). |
|
TODO: I should probably hide this command until we're ready to announce it. I think we'll want to iterate on a few of the rough edges in kmsfs/petsem/flaps/flyctl before we freshproduce this. |
- separate out generate from set.
Key deletion will iterate all existing keys, and delete any keys that match the command line label. If the command line label is unversioned, it will match all key versions. It will prompt before each deletion and print out a message after each deletion. The force flag suppresses prompting. Note: this means if there are no matching keys, no delete is attempted, and no message is printed, and no error is returned.
|
I updated key deletion to include some versioning smarts, prompting (suppressable with force flag) and output indicating which keys were deleted:
|
flyctl secrets keys now operates on semantic key types, not concrete key types.
Change Summary
What and Why: Adds
flyctl secrets keyscommands for adding, removing, and listing KMS keys. This will allow users to manage secrets that they can use with the kmsfs via/.fly/kmsin their machine.How: Makes calls via the flaps client to new endpoints.
Related to: nomad-firecracker PR #2599 which adds flaps endpoints for managing KMS secrets.
Documentation