Create Dynamic Jobs Using Different Secrets Where You Can Refer To Specific Vault-Paths.

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Proposal

Be able to create dynamic jobs using different secrets, whereby you need to refer to specific vault-paths.

For example:

#job1
secrets:
  ARM_CLIENT_SECRET:
    vault: $ARM_CLIENT_SECRET_VAULT_PATH
#job2
secrets:
  GOOGLE_CREDENTIALS:
    vault: $GOOGLE_CREDENTIALS_VAULT_PATH

We should be able to dynamically elaborate the secret variable (GOOGLE_CREDENTIALS or ARM_CLIENT_SECRET) depending on the environment.

To further elaborate, under ci/cd settings currently we have "variables" and we can save the variables as variables or files and then bind those to an environment. 

Same thing we would like to have with "secrets" and be able to save them as vault k/v path but also bound to an environment.

We should be able to set a variable as the vault path, but depending on environment that would look differently. Sure we can set:

#job1
secrets:
  ARM_CLIENT_SECRET:
    vault: $ARM_CLIENT_SECRET_VAULT_PATH
environment: qual
#job2
secrets:
 GOOGLE_CREDENTIALS:
    vault: $GOOGLE_CREDENTIALS_VAULT_PATH
environment: dev

But that would be bound to the Job and not to the secret. What we'd rather have is:

#job1
secrets:
  ARM_CLIENT_SECRET:
    vault: $ARM_CLIENT_SECRET_VAULT_PATH
    environment: qual*

This would allow something like this:

#job2
secrets:
 GOOGLE_CREDENTIALS:
    vault: $GOOGLE_CREDENTIALS_VAULT_PATH
    environment: dev*
  ARM_CLIENT_SECRET:
    vault: $ARM_CLIENT_SECRET_VAULT_PATH
    environment: qual*

Which would allow total flexibility within secrets, not only on the job level.