- Use the secrets from the parent bosh as default values for CPI secrets
- Provide a with-vault feature that adds a single vault job on the director instance -- not compatible with vault-credhub-proxy (same port)
- Offer to import the secrets into the bosh-vault on initial deployment completion (post-deploy hook, in conjunction with pre-deploy hook detecting that it is a brand-new deploy).
- Have genesis create a local vault for initialization of secrets that will then be imported into the bosh vault on first deployment. This will require genesis to support generate-on-new-deploy for secrets, including those secrets generated by the new-wizard.
  - Maybe it doesn't need to be genesis that creates the initial local vault, but the new wizard does...
  - Rethink: still needs to be built into genesis because genesis looks for a vault. In fact, genesis init asks for a vault...