Sync secrets for an environment
Before syncing secrets for an environment, you should normally audit the secrets so that you know what will change. See Audit secrets for an environment.
To populate Vault with all of the necessary secrets for an environment named <environment>, run:
phalanx secrets sync <environment>
The VAULT_TOKEN environment variable must be set to the Vault write token for this environment.
Add the --secrets command-line option or set OP_CONNECT_TOKEN if needed for your choice of a static secrets source.
This must be done before installing a Phalanx environment for the first time. It can then be run again whenever the secrets for that environment change.
Deleting secrets
By default, old secrets that are no longer required are not deleted from Vault.
To delete obsolete secrets, pass the --delete flag to phalanx secrets sync.
This will keep your Vault tidy, but you should use this flag with caution if you have applications temporarily disabled or if you store static secrets directly in Vault and nowhere else. This flag will delete anything that phalanx secrets sync thinks is not used, and recovering those secrets may be annoying.
Regenerating secrets
By default, phalanx secrets sync will leave any existing generated secrets set to their current values.
This is almost always what you want.
In the rare case where you are completely reinstalling an environment and want to invalidate all existing secrets (such as after a security breach), you can add the --regenerate flag to regenerate all static secrets.
Warning
Using --regenerate will invalidate all user sessions, all user tokens, and other, possibly unanticipated, interactions with the existing cluster.
It will also break most running Phalanx applications until their secrets have been recreated and they have been restarted.
This should only be used when you also plan to empty the Gafaelfawr database and otherwise reset the environment to start fresh.
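The following pre-flight wrapper ties the three sections above together (sync, --delete, --regenerate) and is an added example, not part of Phalanx itself: it refuses to run unless VAULT_TOKEN is set, runs the audit before the sync, and will not pass either destructive flag unless an opt-in variable is set. The PHALANX_BIN and PHALANX_CONFIRM_DESTRUCTIVE variables are assumptions of this example (PHALANX_BIN exists only so the wrapper can be exercised against a stand-in command without a real Vault); phalanx, secrets sync, secrets audit, --delete, --regenerate and --secrets are the real commands and flags from the page.

```shell
# Pre-flight wrapper around `phalanx secrets sync` (added example, not Phalanx code).
# Assumed (hypothetical) variables:
#   PHALANX_BIN                  command to run (default: phalanx); set to a stand-in for dry runs
#   PHALANX_CONFIRM_DESTRUCTIVE  must be "yes" before --delete or --regenerate is passed through
set -u

PHALANX_BIN="${PHALANX_BIN:-phalanx}"
nl='
'

# build_sync_args <environment> [--delete] [--regenerate] [--secrets <path>]
# Checks the preconditions from the page and prints the argument list for
# `phalanx secrets sync`, one word per line. Returns 1 if any check fails.
build_sync_args() {
    env_name="${1:?environment name required}"
    shift
    args="secrets${nl}sync"
    destructive=0

    # VAULT_TOKEN must hold the Vault write token for this environment.
    if [ -z "${VAULT_TOKEN:-}" ]; then
        echo "VAULT_TOKEN is not set; export the Vault write token for ${env_name} first" >&2
        return 1
    fi

    while [ $# -gt 0 ]; do
        case "$1" in
            --delete|--regenerate)
                args="${args}${nl}$1"
                destructive=1 ;;
            --secrets)
                [ $# -ge 2 ] || { echo "--secrets requires a path" >&2; return 1; }
                args="${args}${nl}$1${nl}$2"
                shift ;;
            *)
                echo "unknown option: $1" >&2
                return 1 ;;
        esac
        shift
    done
    args="${args}${nl}${env_name}"

    # --delete removes anything sync thinks is unused and --regenerate invalidates
    # every generated secret; neither is easy to undo, so require an explicit opt-in.
    if [ "$destructive" -eq 1 ] && [ "${PHALANX_CONFIRM_DESTRUCTIVE:-}" != "yes" ]; then
        echo "refusing --delete/--regenerate without PHALANX_CONFIRM_DESTRUCTIVE=yes" >&2
        return 1
    fi
    printf '%s\n' "$args"
}

# sync_environment <environment> [options...]
# Audits first so the operator sees what will change, then runs the sync.
sync_environment() {
    sync_env="$1"
    sync_args=$(build_sync_args "$@") || return 1
    "$PHALANX_BIN" secrets audit "$sync_env" || return 1
    # Split the newline-separated argument list without word-splitting on spaces.
    old_ifs=$IFS
    IFS=$nl
    set -f
    set -- $sync_args
    set +f
    IFS=$old_ifs
    "$PHALANX_BIN" "$@"
}

# Usage (real run):  VAULT_TOKEN=... sync_environment <environment>
# Dry run:           PHALANX_BIN=echo VAULT_TOKEN=x sync_environment <environment> --delete
```

Keeping the destructive flags behind a separate opt-in means a habitual `sync_environment <environment>` can never delete or regenerate anything by accident, which is the failure mode the warnings above describe.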