In our current NDR-model deployment approach, credentials.yml.enc (and other YAML files using the Rails Encrypted mechanisms) are preloaded onto servers out-of-band from deployments, and symlinked into releases. If they need to be updated, there are a number of hoops to jump through due to read-only filesystems.
Ideally, Capistrano would be able to be configured to search the key store repository for matching file(s), and deploy them to the server; both as part of a standard deployment, as well as via a standalone task (e.g. for key rotations).
@bshand: we'd talked previously about potentially supporting a directory structure with some sort of mirroring or significance - have you got any thoughts on that, or any others generally?
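One possible shape for the task described above, as an added example rather than code from the NDR project or its deploy tooling. It assumes a key-store layout of `<key_store>/<app>/<env>/...` in which every `*.yml.enc` below the app/env directory is a deployable ciphertext whose relative path is also its location under `shared_path`, and a hypothetical Capistrano setting `:key_store_path` pointing at the checked-out key store. The matching logic is plain Ruby so it can be tested offline; the Capistrano 3 wiring at the bottom is only evaluated when the file is loaded from `deploy.rb`. The one check worth calling out is the refusal to proceed if the key store also carries `*.key` files for that app/env: shipping the master key from the same place as the ciphertext defeats the point of encrypting it.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Added example, not code from the NDR project. Assumed key-store layout:
#   <key_store>/<app>/<env>/config/credentials.yml.enc
#   <key_store>/<app>/<env>/config/credentials/production.yml.enc
# Anything ending in .yml.enc below <app>/<env> is a deployable ciphertext;
# its path relative to <app>/<env> is where it lands under shared_path.
ENCRYPTED_GLOB = "**/*.yml.enc".freeze
KEY_GLOB       = "**/*.key".freeze

class KeyStoreError < StandardError; end

# Returns { "config/credentials.yml.enc" => "/abs/path/..." , ... }.
# Raises if the key store also carries plaintext master keys for this
# app/env: deploying key and ciphertext from the same place defeats the
# encryption, so the task refuses rather than silently skipping them.
def matching_encrypted_files(key_store, app, env)
  root = Pathname.new(key_store).join(app, env)
  raise KeyStoreError, "no key-store entry for #{app}/#{env}" unless root.directory?

  stray_keys = Dir.glob(root.join(KEY_GLOB).to_s)
  unless stray_keys.empty?
    names = stray_keys.map { |k| Pathname.new(k).relative_path_from(root).to_s }
    raise KeyStoreError, "refusing to deploy master keys: #{names.join(', ')}"
  end

  Dir.glob(root.join(ENCRYPTED_GLOB).to_s).sort.each_with_object({}) do |abs, acc|
    rel = Pathname.new(abs).relative_path_from(root).to_s
    acc[rel] = abs
  end
end

# Builds a constructed key store in a temp dir (placeholder data, not real secrets).
def build_sample_key_store(with_stray_key: false)
  dir = Dir.mktmpdir("keystore")
  cfg = File.join(dir, "ndr_app", "production", "config")
  FileUtils.mkdir_p(File.join(cfg, "credentials"))
  File.write(File.join(cfg, "credentials.yml.enc"), "ciphertext-placeholder")
  File.write(File.join(cfg, "credentials", "production.yml.enc"), "ciphertext-placeholder")
  File.write(File.join(cfg, "database.yml"), "plain yaml, not deployed") # ignored: not .yml.enc
  File.write(File.join(cfg, "master.key"), "not-a-real-key") if with_stray_key
  dir
end

# Capistrano 3 wiring (only evaluated when loaded from deploy.rb).
# Uploads each ciphertext into shared_path and symlinks it into the release,
# so the same task serves normal deploys (hooked before deploy:symlink:release)
# and standalone key rotations (cap production keystore:deploy).
# :key_store_path is an assumed setting; :application and :stage are standard.
if defined?(Capistrano::DSL)
  namespace :keystore do
    desc "Deploy *.yml.enc files for this app/env from the key store"
    task :deploy do
      files = matching_encrypted_files(fetch(:key_store_path), fetch(:application), fetch(:stage))
      on roles(:app) do
        files.each do |rel, local|
          remote = File.join(shared_path, rel)
          execute :mkdir, "-p", File.dirname(remote)
          upload! local, remote
          execute :ln, "-sfn", remote, File.join(release_path, rel)
        end
      end
    end
  end
  before "deploy:symlink:release", "keystore:deploy"
end
```

Running `cap production keystore:deploy` on its own covers the rotation case: the new ciphertext replaces the copy in `shared_path` and the symlink in the current release keeps pointing at it, so no release filesystem needs to be writable.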