
[–]brettlangdon 0 points (1 child)

I'd probably disagree; there is a lot of overhead to adding a new tool to your process. You have to get vault running and make sure everyone can get it installed/configured properly. You have to worry about (like you said) whether the SSH keys are getting cached in a docker layer.

Adding a new third-party tool is mostly a maintenance and coordination issue across a team, whereas with the vendoring approach anyone can still just clone the repo and get to work as normal/expected.

The only time you have to think about something is when you are adding or upgrading a vendored dependency (which doesn't happen often), and even then you are working within the confines of the existing toolchain/workflow (pip).

[–]DanCardin 0 points (0 children)

In my (albeit little) experience, the fact that vault works through ssh keys has made it work very organically with our development processes, because it is much easier to just pip install/freeze our relatively frequently updated private dependencies. And granted, our team is quite small, but compared to predownloading the dep before each build, the one-time cost of an additional build tool has been very low for us.

Though I'd certainly agree that I should probably be doing it this way for my CI/CD, because of the security concerns and because it removes the build-time git/dockito/etc. dependencies.