This is almost exactly what I’ve been trying to find for some time. Unfortunately it’s missing the ability to fetch secrets/variables from something like HashiCorp Vault.
I was thinking about creating a similar tool to separate the configuration from the application’s repo. The configuration then would be fetched from the CD system, from a KV store.
Regarding secrets, though, I would try to keep them separated from configuration, which doesn’t need to be protected and should be easy to change. Ideally, engineers should have an automated way to request new secrets per environment for their app through some kind of peer review, at least for production, without access to the secret in plaintext.
Now there’s a debate over where secrets must be stored and at which step they should be added to the application. Since Vault features an HTTP API, I would create a shared library and have all applications use that shared library, which would handle secrets through Vault. This way you can automate secret rotation (e.g. every 2 or 6 hours) at the application level. The benefits are multiple: you get access patterns (for anomaly detection, which could mean unauthorised retrieval), security in case of leaks (secrets rotated every 2 hours), and no need for the CD system to access the secrets backend.
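The shared-library idea in the comment above, as an added example that is not code from the page, the tool under discussion or any project: a small client that every application would use to read a secret through Vault's HTTP API (KV v2, `GET /v1/<mount>/data/<path>`) and re-read it after a fixed interval, so refresh happens inside the process rather than in the CD pipeline. The backend side of rotation (Vault actually issuing a new credential) is not shown; the Vault address, token, path `secret/data/db`, the `FakeVault` backend and the 2-hour TTL are assumptions for the demo.

```python
"""Application-side secret reads with time-based refresh (added example)."""
import json
import logging
import time
import urllib.request
from typing import Callable, Optional

log = logging.getLogger("secrets")


def vault_http_fetch(addr: str, token: str) -> Callable[[str], dict]:
    """Return a fetcher that GETs /v1/<path> from a Vault server (KV v2).

    Not exercised in the offline demo; the caller injects it in production.
    """
    def fetch(path: str) -> dict:
        req = urllib.request.Request(
            f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return fetch


class RotatingSecrets:
    """Cache secrets per path and re-fetch them once `ttl` seconds have passed."""

    def __init__(self, fetch: Callable[[str], dict], ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._cache: dict = {}  # path -> (fetched_at, version, data)

    def get(self, path: str, key: str) -> str:
        """Return secret `key` at `path`, re-fetching when the cached copy is stale."""
        now = self._clock()
        entry = self._cache.get(path)
        if entry is None or now - entry[0] >= self._ttl:
            body = self._fetch(path)
            # KV v2 wraps the user data: {"data": {"data": {...}, "metadata": {...}}}
            data = body["data"]["data"]
            version = body["data"]["metadata"].get("version")
            # One log line per backend read gives the access pattern the
            # comment mentions; the secret value itself is never logged.
            log.info("fetched %s version=%s keys=%s", path, version, sorted(data))
            entry = (now, version, data)
            self._cache[path] = entry
        return entry[2][key]

    def version(self, path: str) -> Optional[int]:
        """KV v2 version of the cached copy, or None if never fetched."""
        entry = self._cache.get(path)
        return None if entry is None else entry[1]


class FakeVault:
    """Constructed stand-in for Vault: every read returns a freshly rotated password."""

    def __init__(self):
        self.reads = 0

    def __call__(self, path: str) -> dict:
        self.reads += 1
        return {"data": {"data": {"username": "app",
                                  "password": f"pw-v{self.reads}"},
                         "metadata": {"version": self.reads}}}


def demo(ttl: float = 7200.0):
    """Simulate a 2-hour TTL with a fake clock: one read at t=0, a cache hit at 1h,
    a re-fetch at 2h. Returns (first, cached, rotated, backend_reads)."""
    t = [0.0]
    backend = FakeVault()
    secrets = RotatingSecrets(backend, ttl=ttl, clock=lambda: t[0])
    first = secrets.get("secret/data/db", "password")    # backend read #1
    t[0] = 3600.0
    cached = secrets.get("secret/data/db", "password")   # served from cache
    t[0] = 7200.0
    rotated = secrets.get("secret/data/db", "password")  # backend read #2
    return first, cached, rotated, backend.reads
```

In production the application would construct `RotatingSecrets(vault_http_fetch(addr, token), ttl=7200)` once and call `get()` on every use, so a credential rotated at the backend is picked up within one TTL without a redeploy, and the per-read log line is what an anomaly detector would consume.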
At work we’ve got oauth for all our applications and we can request temporary tokens. What I’m looking for is actually for my personal homelab. Everything is dockerized and most applications use some sort of text file for configuration. I’d like to keep these configs in version control but there are secrets scattered throughout that I’d like to template in. In addition most of the files for my docker stacks are almost identical (except for the image and mounts) so I’d also like to be able to generate new stacks from a common template.
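The homelab workflow described in the post above (configs in version control, secrets templated in, new stacks generated from a common template), as an added example that is not code from the page or from the tool it discusses. It renders in two stages with only the standard library: stage one fills the per-stack values (image, mounts) and leaves `${secret_...}` placeholders in place, so the output can be committed; stage two fills the secrets at deploy time from a source outside the repo and fails if any placeholder is left unfilled. The compose template, the `secret_` prefix, the service names and the secret values are constructed for the demo.

```python
"""Two-stage rendering of a docker stack from a common template (added example)."""
from string import Template

# Common stack template (constructed). Only image and mounts differ per stack.
STACK_TEMPLATE = Template("""\
services:
  ${name}:
    image: ${image}
    restart: unless-stopped
    environment:
      - DB_PASSWORD=${secret_db_password}
    volumes:
${mounts}
""")

# Secret placeholders share a prefix so a reviewer can grep the committed copy.
SECRET_PREFIX = "secret_"


def render_stack(name: str, image: str, mounts: list[str]) -> str:
    """Stage one: fill in the per-stack values, keep secret placeholders intact."""
    mount_lines = "\n".join(f"      - {m}" for m in mounts)
    # safe_substitute leaves unknown ${...} untouched instead of raising.
    return STACK_TEMPLATE.safe_substitute(name=name, image=image, mounts=mount_lines)


def remaining_placeholders(text: str) -> set[str]:
    """Names of $name / ${name} placeholders still present in `text`."""
    return {m.group("named") or m.group("braced")
            for m in Template.pattern.finditer(text)
            if m.group("named") or m.group("braced")}


def committed_copy_is_clean(text: str) -> bool:
    """True when every remaining placeholder is a secret_ one, i.e. nothing
    that should have been filled in stage one was forgotten."""
    return all(p.startswith(SECRET_PREFIX) for p in remaining_placeholders(text))


def inject_secrets(text: str, secrets: dict[str, str]) -> str:
    """Stage two: substitute secrets; refuse to deploy if any are missing."""
    missing = remaining_placeholders(text) - set(secrets)
    if missing:
        raise KeyError(f"unfilled placeholders: {sorted(missing)}")
    return Template(text).substitute(secrets)


def demo():
    """Render one stack, check the committed copy, then inject a secret.
    Returns (staged_text, clean, missing_was_detected, final_text)."""
    staged = render_stack("grafana", "grafana/grafana:10.4",
                          ["./grafana:/var/lib/grafana"])
    clean = committed_copy_is_clean(staged)
    try:
        inject_secrets(staged, {})          # deploy with no secrets at hand
        missing_detected = False
    except KeyError:
        missing_detected = True
    final = inject_secrets(staged, {"secret_db_password": "hunter2"})
    return staged, clean, missing_detected, final
```

The staged file is what goes into git; `inject_secrets()` runs on the host at deploy time with the secrets read from a file outside the repo or from an environment the CD system never sees, and the output is written to a location git ignores.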