IC2 Core Extensions : HashiCorp Vault


I have a generic question regarding expanding IC2 core code (C++) with extra functionality.

Recently it was raised in a security audit that secrets stored in IC2 code (e.g. passwords for MySQL checks etc.) should be secured and not stored in plain text (even if access to the nodes where the config is replicated is fully audited/restricted).

As we are Software Warehouse and have a C++ team with years of experience, and IC2 is available under the GPL license, I'm guessing there is no problem with changing the code, and of course giving it back to the community later if it works!

So the idea is that instead of saying e.g. vars.mysql_password = "SOMETHING" we would be able to say vars.mysql_password = "vault://secrets/mysql_password", and this would fetch it from our centralised secrets database (HashiCorp Vault).

Can somebody from DEV maybe comment: in case of any general questions regarding the code, can we use this forum, or is some mailing list better? Any preferences, any general feedback before we start to estimate the work?
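As an added illustration of the "vault://" reference idea described in the post above (example code written for this page, not Icinga 2 code and not the poster's design): a small C++17 resolver that recognises the vault scheme in a custom variable, validates the path, and asks a backend for the secret, failing loudly when the reference cannot be resolved so that a check never runs with the literal "vault://..." string as its password. The reference syntax (last path segment is the field inside the secret), the backend interface, and the in-memory stand-in for Vault are all assumptions made for the example; a real backend would call Vault's KV v2 HTTP API, which is described in a comment but not implemented here.

```cpp
// Added example: resolving "vault://" references in Icinga 2 custom variables.
// Illustrative code only, not part of Icinga 2. The reference syntax, the
// backend interface and the fake store below are assumptions for this example.
#include <cstdio>
#include <functional>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed reference syntax: vault://<secret path>/<field>
//   vault://secrets/mysql_password -> path "secrets",     field "mysql_password"
//   vault://kv/db/prod/password    -> path "kv/db/prod",  field "password"
struct VaultRef {
    std::string path;   // secret path as it would be passed to the Vault KV API
    std::string field;  // key inside that secret's data map
};

const std::string kVaultScheme = "vault://";

// Returns nullopt for values that are not vault references (they pass through
// unchanged). Throws for strings that start with the scheme but are malformed,
// so a typo fails config validation instead of silently becoming the password.
std::optional<VaultRef> ParseVaultRef(const std::string& value) {
    if (value.compare(0, kVaultScheme.size(), kVaultScheme) != 0)
        return std::nullopt;

    std::vector<std::string> segments;
    const std::string rest = value.substr(kVaultScheme.size());
    std::size_t start = 0;
    for (;;) {
        const std::size_t slash = rest.find('/', start);
        const std::string seg =
            rest.substr(start, slash == std::string::npos ? std::string::npos : slash - start);
        // Reject empty, "." and ".." segments: no traversal into other secrets,
        // no "vault:///x" and no trailing slash.
        if (seg.empty() || seg == "." || seg == "..")
            throw std::invalid_argument("malformed vault reference: " + value);
        segments.push_back(seg);
        if (slash == std::string::npos) break;
        start = slash + 1;
    }
    if (segments.size() < 2)
        throw std::invalid_argument("vault reference needs a path and a field: " + value);

    VaultRef ref;
    ref.field = segments.back();
    segments.pop_back();
    for (std::size_t i = 0; i < segments.size(); ++i)
        ref.path += (i ? "/" : "") + segments[i];
    return ref;
}

// Backend abstraction (assumed interface). A real implementation would send an
// authenticated GET /v1/<mount>/data/<path> to the Vault KV v2 API with the
// token in the X-Vault-Token header and return data.data[field] from the JSON
// body; the HTTP and JSON handling is deliberately not shown here.
using SecretBackend =
    std::function<std::optional<std::string>(const std::string& path, const std::string& field)>;

// Resolves one config value. Non-references are returned as-is. A reference the
// backend cannot satisfy is an error rather than a passthrough.
std::string ResolveSecret(const std::string& value, const SecretBackend& backend) {
    const std::optional<VaultRef> ref = ParseVaultRef(value);
    if (!ref) return value;
    const std::optional<std::string> secret = backend(ref->path, ref->field);
    if (!secret)
        throw std::runtime_error("unresolvable vault reference: " + value);
    return *secret;
}

// Resolves every value of a vars map, e.g. the custom variables of a Host.
std::map<std::string, std::string> ResolveVars(const std::map<std::string, std::string>& vars,
                                               const SecretBackend& backend) {
    std::map<std::string, std::string> out;
    for (const auto& kv : vars)
        out[kv.first] = ResolveSecret(kv.second, backend);
    return out;
}

// Constructed stand-in for Vault so the example runs offline: outer key is the
// secret path, inner map is the secret's data. All values are fake.
std::optional<std::string> ExampleBackend(const std::string& path, const std::string& field) {
    static const std::map<std::string, std::map<std::string, std::string>> store = {
        {"secrets",    {{"mysql_password", "example-mysql-pw"}}},
        {"kv/db/prod", {{"password", "example-prod-pw"}}},
    };
    const auto s = store.find(path);
    if (s == store.end()) return std::nullopt;
    const auto f = s->second.find(field);
    if (f == s->second.end()) return std::nullopt;
    return f->second;
}

int main() {
    const std::map<std::string, std::string> vars = {
        {"mysql_user", "icinga"},
        {"mysql_password", "vault://secrets/mysql_password"},
    };
    for (const auto& kv : ResolveVars(vars, ExampleBackend))
        std::printf("%s = %s\n", kv.first.c_str(), kv.second.c_str());
    return 0;
}
```

Two design points worth noting for whoever estimates the work: resolving at config load time means the plaintext still exists in the daemon's memory and in anything that dumps the resolved object, so the change removes secrets from files at rest rather than from the running process; and failing validation on an unresolvable reference is deliberate, because the alternative (the literal string reaching the check command) is the same leak the audit complained about.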


There’s already an issue on GitHub regarding this topic; I think it would be best to have that discussion over there: Allow to hash/encrypt credentials or use an external storage · Issue #6404 · Icinga/icinga2 · GitHub