
We are considering using oVirt to deploy our VM infra. The question I have is: is there a way to safely inject secrets into a VM?

We are using Salt for VM management and HashiCorp Vault for secrets management, so I want to deploy either some Vault secret (AppRole credentials, for instance) or preseeded Salt minion keys.

This is done to securely identify a new VM inside our infrastructure and provision it accordingly. We use gcloud GCE/IAM auth at the moment, which is perfect for this case.

I am looking at VDSM Hooks atm, like fileinject (https://www.ovirt.org/develop/developer-guide/vdsm/hook/fileinject/), but I don't get the way it can manage secrets safely.

The perfect solution would be if oVirt could sign some kind of secret (like a certificate) based on the VM's name with its private key or via Vault PKI and inject a signed cert / private key inside each VM.

Sufiyan Ghori
user2672943

0 Answers