Spike Summary
Validate that Aembit can fetch Bitwarden secrets via a local proxy on Flatcar before committing to full implementation.
Timebox: 3 days
✅ Success Criteria
- Aembit account created and configured with Bitwarden credential provider
- Aembit agent running on a test Flatcar instance (manual install, not sysext yet)
- Can successfully `curl http://localhost:8080/secrets/<secret-name>` to retrieve a Bitwarden secret
- Understand the exact API format for secret requests/responses
- Document any Flatcar-specific gotchas (systemd, networking, etc.)
📝 Research Questions
- Bitwarden Integration: Does Aembit support Bitwarden Secrets Manager as a credential provider? What's the configuration?
- Proxy API: What's the exact curl syntax to fetch secrets? Authentication required?
- Flatcar Compatibility: Any issues running aembit-agent on Flatcar's immutable filesystem?
- Enrollment Flow: How does the enrollment token → authenticated proxy flow work in practice?
📦 Deliverables
- Working proof-of-concept on test instance
- Documentation of API calls and configuration
- Go/No-Go recommendation for full implementation
- If No-Go: alternative approaches identified
🎯 Impact on Epic
If successful:
- Remaining stories become predictable (Low complexity)
- Epic potentially downgrades from Medium to Small
- High confidence in implementation approach
If unsuccessful:
- Identify blockers before investing in full implementation
- Pivot to alternative secret management approach
- Update epic scope accordingly
📦 Definition of Done
- Success criteria validated (or blockers documented)
- Findings documented in epic or Linear comment
- Go/No-Go decision made
- Dependent stories unblocked or epic re-scoped