FAQ
Feel free to ask questions as an issue. Frequently asked questions will be copied here.
Q: How can I contribute to this project?
A: There are many ways in which you can contribute:
- Contribute to the core project: fork the repo, make a change, submit a pull request. If you have doubts about whether your change is desirable (big changes in particular), open an issue first.
- Spread the word! Why not help your colleagues save time too?
- Buy me a coffee! ☕️
Q: Why does the secret ID have to be wrapped every time? If it's made constant with a higher use limit, the deployment would be easier!
A: Having the app (goldfish) unwrap the secret ID itself is referred to as the "pull mode" of AppRole, and is highly recommended by HashiCorp. A response-wrapped secret ID is only ever handed over inside a short-lived, single-use wrapping token: the raw secret ID never has to be written into a config file or environment variable, and if goldfish's unwrap fails because the token was already used, you know the secret ID was intercepted. A constant secret ID with a high use limit is a long-lived static credential that has to be stored and protected somewhere, which is exactly what the wrapped, single-use handover avoids. Ideally the deployment should be codified (Terraform, Kubernetes, Swarm, etc.), so that a re-deployment really is just a couple of buttons.
Q: XYZ is broken!
A: Open an issue. I do work on this in my own time, so I can't guarantee any hard deadlines. But I should be able to tell you at least why it's broken, and perhaps a determined individual can submit a fix if I can't find the time.
Q: Can you implement this feature? When are you going to add this feature?
A: Hard deadlines will never be given for features. The Vault project itself - and a lot of other software projects - follows the same principle. At the end of the day, Goldfish is free software provided in the hope that it will be useful, built mainly by one person (me) in their spare time. My personal life and career duties will come first. If you need a Vault UI that holds more liability, the enterprise UI may fit your needs.
Q: Why did you remove CSRF protection?
A: CSRF protection only matters when the browser attaches credentials to requests on its own, as it does with cookies. As of v0.5.0, goldfish uses entirely token-based authentication, with the frontend sending the token explicitly on each request, so a request forged from another site carries no credential and CSRF protection is no longer needed. The token-based auth can only be compromised if someone else has access to the transit key AND gets hold of the contents of localStorage, e.g. through an XSS bug in the page, since any script running in goldfish's origin can read localStorage. This does mean that your browser now holds your Vault token. However, your browser likely holds a lot more than that already (e.g. all your saved passwords in Chrome).
Q: Why is the recommended goldfish approle setup periodic rather than ttl-limited?
A: If the approle is set up with a TTL or max TTL, the tokens it issues will eventually expire even if they are renewed continuously: renewal can only extend a token up to its max TTL, and when the role sets none, Vault's system max TTL applies (768 hours, roughly 32 days, by default). If you want your goldfish deployment to stay up longer than that, use a periodic token. Goldfish attempts to renew its token every hour, and a periodic token stays alive for as long as goldfish is alive to renew it.
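The two answers about the wrapped secret ID and the periodic token describe one startup sequence: goldfish unwraps a wrapped secret ID, logs in to its AppRole, then renews the resulting token every hour. The script below is an added example written for this FAQ, not goldfish's own code, that walks through that sequence against Vault's HTTP API (sys/wrapping/lookup, sys/wrapping/unwrap, auth/approle/login, auth/token/lookup-self, auth/token/renew-self). ROLE_ID, WRAP_TOKEN, the role name goldfish and the in-memory fake Vault are constructed so it runs offline; http_transport is the real client for a live server. It shows the two properties the answers rely on: a wrapping token unwraps exactly once, so a second unwrap fails loudly, and only a periodic token reports a period in lookup-self, which is what lets renewal go on indefinitely.

```python
"""Pull-mode AppRole bootstrap over Vault's HTTP API (added example, not goldfish's
own code). Operator side: vault write -wrap-ttl=60s -f auth/approle/role/goldfish/secret-id
The app gets only the *wrapping* token and (1) looks it up, which does not consume it,
and checks creation_path, (2) unwraps it exactly once, so a failure means someone else
already did, (3) logs in and checks the token is periodic. All identifiers are constructed."""
import json
import urllib.error
import urllib.request

ROLE_ID = "role-id-constructed"      # assumption: role_id baked into the deployment
WRAP_TOKEN = "hvs.wrap-constructed"  # assumption: wrapping token handed over at deploy time


def http_transport(addr):
    # Real transport: (method, path, token, body) -> (status, parsed JSON body).
    def call(method, path, token, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if token:
            req.add_header("X-Vault-Token", token)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return call


def fake_vault_transport(role_name="goldfish", period=3600):
    """Constructed in-memory stand-in for Vault so this runs offline: single-use
    wrapping token, AppRole login, token lookup/renew. period=0 models a ttl-limited role."""
    st = {"wrap_used": False, "secret_id": "sid-constructed", "client": None}
    bad_wrap = (400, {"errors": ["wrapping token is not valid or does not exist"]})
    def call(method, path, token, body):
        body = body or {}
        if path == "/v1/sys/wrapping/lookup":
            if (body.get("token") or token) != WRAP_TOKEN or st["wrap_used"]:
                return bad_wrap
            return 200, {"data": {"creation_path": f"auth/approle/role/{role_name}/secret-id"}}
        if path == "/v1/sys/wrapping/unwrap":
            if token != WRAP_TOKEN or st["wrap_used"]:
                return bad_wrap
            st["wrap_used"] = True  # a wrapping token unwraps exactly once
            return 200, {"data": {"secret_id": st["secret_id"]}}
        if path == "/v1/auth/approle/login":
            if body.get("role_id") != ROLE_ID or body.get("secret_id") != st["secret_id"]:
                return 400, {"errors": ["invalid role or secret ID"]}
            st["client"] = "hvs.client-constructed"
            return 200, {"auth": {"client_token": st["client"], "lease_duration": 3600}}
        if token != st["client"]:
            return 403, {"errors": ["permission denied"]}
        if path == "/v1/auth/token/lookup-self":
            data = {"ttl": 3600, "explicit_max_ttl": 0, "renewable": True}
            if period:
                data["period"] = period  # only periodic tokens carry this field
            return 200, {"data": data}
        if path == "/v1/auth/token/renew-self":
            return 200, {"auth": {"client_token": st["client"], "lease_duration": period or 3600}}
        return 404, {"errors": []}
    return call


def _ok(result, what):
    status, body = result
    if status != 200:
        raise RuntimeError(f"{what} failed (HTTP {status}): {body.get('errors')}")
    return body


def unwrap_secret_id(transport, wrapping_token, role_name="goldfish"):
    """Verify where the wrapper was created, then unwrap once. A failing lookup or
    unwrap means the token was already used: treat the secret ID as intercepted."""
    expected = f"auth/approle/role/{role_name}/secret-id"
    info = _ok(transport("POST", "/v1/sys/wrapping/lookup", None, {"token": wrapping_token}),
               "wrapping lookup")
    path = info["data"].get("creation_path")
    if path != expected:
        raise RuntimeError(f"refusing to unwrap: creation_path {path!r} != {expected!r}")
    return _ok(transport("POST", "/v1/sys/wrapping/unwrap", wrapping_token, None), "unwrap")["data"]["secret_id"]


def token_is_periodic(transport, client_token):
    # period > 0 and no explicit max TTL: renew-self can keep this token alive indefinitely.
    data = _ok(transport("GET", "/v1/auth/token/lookup-self", client_token, None), "lookup-self")["data"]
    return data.get("period", 0) > 0 and data.get("explicit_max_ttl", 0) == 0


def renew_self(transport, client_token):
    # What the hourly renewal does; returns the new lease duration in seconds.
    return _ok(transport("POST", "/v1/auth/token/renew-self", client_token, None), "renew-self")["auth"]["lease_duration"]


def bootstrap(transport, wrapping_token, role_id, role_name="goldfish"):
    """Startup sequence: unwrap, log in, report whether the token can stay alive forever."""
    secret_id = unwrap_secret_id(transport, wrapping_token, role_name)
    auth = _ok(transport("POST", "/v1/auth/approle/login", None,
                         {"role_id": role_id, "secret_id": secret_id}), "AppRole login")
    token = auth["auth"]["client_token"]
    return token, token_is_periodic(transport, token)
```

Before unwrapping, the lookup checks creation_path against auth/approle/role/goldfish/secret-id; that is how a client tells a wrapping token minted by the operator on the expected path from one minted by someone else, and the lookup does not consume the token. A token that then fails lookup or unwrap has already been used, so the secret ID should be treated as leaked and a fresh one generated. Running bootstrap against a role with a TTL but no period returns is_periodic False, which is the deployment that will stop working once the max TTL is reached no matter how often it renews.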