[Openstack] secure metadata: best practices survey

Pitucha, Stanislaw Izaak stanislaw.pitucha at hpe.com
Thu Oct 22 00:39:45 UTC 2015


Hi all,
I'd like to find out what people are using right now / consider best practice for passing private data into instances at boot (and how you feel about it).
By private data I mean things like:
- password to your databases / message queue / service endpoint
- keys / bootstrap information for orchestration / deployment
- keys required for backups
- certificate private keys for web services

The current options I'm aware of are:
- metadata / files / scripts passed via the metadata service
- embedding data into the image
- pushing, rather than pulling (credentials bootstrap over ssh)

The first two come with the downside of uncertain data retention: the metadata database may be backed up forever and can't be explicitly deleted by the user; images may be backed up but can be explicitly deleted. The third comes with the downside of being limited to ssh deployment tools.

So what's your process, and have you seen projects offering something better?

Best Regards,
Stanisław Pitucha
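The retention concern raised above is easy to check from inside a running instance: whatever was passed through the metadata service stays readable at the link-local endpoint for the instance's lifetime, so an audit script can simply pull `meta_data.json` and `user_data` and look for credential-shaped content. The following is an added example, not code from the original post or from OpenStack; the two endpoint URLs are the real OpenStack metadata paths, while the indicator regexes, the `meta`-key naming, and the sample data are assumptions constructed for illustration.

```python
"""Audit what the OpenStack metadata service exposes to an instance after boot.

Added example for this thread; the secret-indicator patterns are assumptions,
not a standard, and the sample data below is constructed.
"""
import json
import re
import urllib.request

# Real OpenStack metadata service endpoints, reachable only from inside an instance.
METADATA_URL = "http://169.254.169.254/openstack/latest/meta_data.json"
USER_DATA_URL = "http://169.254.169.254/openstack/latest/user_data"

# Assumed indicators of credential material (extend to taste).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # db_password=..., secret: ..., PASSWD=...
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*\S+"),
    # scheme://user:pass@host, e.g. a message-queue or database URL with embedded credentials
    "url_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
}


def find_secret_indicators(text):
    """Return the sorted names of every pattern that matches somewhere in text."""
    return sorted(name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text))


def audit_metadata(meta_data, user_data):
    """Report which metadata channels carry credential-shaped content.

    meta_data: the parsed meta_data.json document (its 'meta' key holds the
               user-supplied key/value properties); user_data: raw user-data text.
    Returns a dict of {channel: [indicator names]} containing only channels with hits.
    """
    findings = {}
    user_data_hits = find_secret_indicators(user_data)
    if user_data_hits:
        findings["user_data"] = user_data_hits
    for key, value in (meta_data.get("meta") or {}).items():
        hits = find_secret_indicators(f"{key}={value}")
        if hits:
            findings[f"meta.{key}"] = hits
    return findings


def fetch(url, timeout=2):
    """Read one metadata endpoint as text; raises if the service is unreachable."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample standing in for what the metadata service returns.
SAMPLE_META_DATA = {
    "uuid": "constructed-instance-uuid",
    "meta": {"db_password": "constructed-password", "role": "web"},
}
SAMPLE_USER_DATA = (
    "#cloud-config\n"
    "write_files:\n"
    "- path: /etc/app/key.pem\n"
    "  content: |\n"
    "    -----BEGIN RSA PRIVATE KEY-----\n"
    "    constructed-key-material\n"
    "    -----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    try:
        meta = json.loads(fetch(METADATA_URL))
        user_data = fetch(USER_DATA_URL)
    except Exception as exc:  # not running inside an instance: fall back to the sample
        print(f"metadata service unreachable ({exc}); auditing constructed sample")
        meta, user_data = SAMPLE_META_DATA, SAMPLE_USER_DATA
    for channel, hits in audit_metadata(meta, user_data).items():
        print(f"{channel}: {', '.join(hits)} (remains readable via the metadata service)")
```

Run it on a freshly booted instance to see which channels still serve credential-shaped data; every hit is something the metadata database may keep in backups after the instance is gone, which is exactly the retention problem of the first option above.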


