Problem
We need a versatile but secure way to persist cluster configuration (validator keys, cluster-lock, and cluster.env) so that CI/CD tools and team members can use it.
Solution
There are a few reasonable options, such as HashiCorp Vault, GCP Secret Manager, GCS, and GitHub secrets. We decided to use GCS because it introduces the least operational complexity while remaining secure and inheriting GCP RBAC rules. In the mid-term, we will reconsider this choice in favor of Vault.