My organization is using OpenShift for running several applications. Our policy thus far has been to always store sensitive values (DB passwords, API keys, etc.) in environment variables and never as part of the codebase. However, multiple projects each with Dev, QA, and Prod instances leads to having a lot of environment variables that need to be managed.
To help with this I wrote some tooling for us to be able to keep track of variables in YAML files and then declaratively apply them to an OpenShift deploy-config. So far these YAML files are sitting in a local-only git repo on my workstation. This, though, has the obvious downside of making it unusable for others on the dev team. However, handling it like all our other git repos and pushing it to GitLab or GitHub seems unacceptably risky.
Perhaps we could write git hooks to automatically GPG encrypt the files before committing and decrypt after pulling? What is the best-practice way to store and share sensitive repos like this among teams?
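
The git-hook idea raised in the question, narrowed to its safety check and given as an added example that is not part of the original post: a pre-commit hook that refuses a commit when a staged secrets file is not already GPG-encrypted. The `*.yml`/`*.yaml` match, the function names, and the use of ASCII-armored `gpg --armor --encrypt` output are assumptions.

```shell
#!/bin/sh
# Added example: pre-commit guard for a secrets repo (not from the post).
# Assumptions: secrets files match *.yml / *.yaml and are committed as
# ASCII-armored output of `gpg --armor --encrypt`.

# Succeeds only if stdin begins with the OpenPGP ASCII-armor header line.
is_armored() {
    cr=$(printf '\r')
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    first_line=${first_line%"$cr"}          # tolerate CRLF line endings
    [ "$first_line" = "-----BEGIN PGP MESSAGE-----" ]
}

# Succeeds if the path is one this repo treats as a secrets file.
is_secret_path() {
    case "$1" in
        *.yml|*.yaml) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks the staged (index) content of every added/copied/modified file,
# not the working tree, because the index is what gets committed.
check_staged() {
    git diff --cached --name-only --diff-filter=ACM | (
        bad=0
        while IFS= read -r path; do
            is_secret_path "$path" || continue
            if ! git show ":$path" | is_armored; then
                echo "plaintext secrets file staged: $path" >&2
                bad=1
            fi
        done
        exit "$bad"
    )
}

# Run the check only when installed as .git/hooks/pre-commit.
case "${0##*/}" in
    pre-commit) check_staged || exit 1 ;;
esac
```

Client-side hooks are not cloned with the repository, so each team member has to install this file as `.git/hooks/pre-commit` themselves.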