REQ: external secret management #279
-
Introduction
The multi-tenant environment puts extra requirements on configuration management and data access control. At otomi we promote git operations and infrastructure as a code design patterns. At the same time we want to ensure that customer sensitive data is perfectly safe. Data encryption and access control does not play nicely with git. It often leads to merge conflicts and there is no access control at all. Therefore secret values need to be abstracted from git repository in a way that otomi can still benefit from mentioned design patters. The goal of this document is to provide a deep insight into secret management issue for multitenant environments. This document describes user stories, system requirements, and system architecture. This document aims to give a guideline for the implementation. Some open-source solutions has been already selected and taken into account in this text. These are: Note: related code change can be found on abstract-secret-management branch. Github issue: #263 |
Beta Was this translation helpful? Give feedback.
Replies: 12 comments 28 replies
-
Ver elaborate starting point. Thanks a lot! Can the |
Beta Was this translation helpful? Give feedback.
-
Also, I would propose a master cluster that runs a Vault HA setup, to be replicated to a slave cluster. Other clusters can pull from the master Vault, and we can failover to another one if need be. |
Beta Was this translation helpful? Give feedback.
-
Actually, forget about the replication. We can always dump bucket folders if we don't trust cloud object storage. A failover vault can attach to the bucket without a problem if a cluster goes down. |
Beta Was this translation helpful? Give feedback.
-
Well done with this elaboration!
I think you are confusing this with distributed and integrated storage. In the stand-up I was thinking about a solution like this: https://learn.hashicorp.com/tutorials/vault/raft-storage. The idea would be to expose the Vault deployment to the end-user so there doesn't need to be any configuration of external storage, in my experience that leads to a hassle. It's not that this doesn't have it's own challenges (CAP theorem and all that), but it might take complexity away from the end-user into our hands. |
Beta Was this translation helpful? Give feedback.
-
I investigated ExternalSecrets and possible race conditions: |
Beta Was this translation helpful? Give feedback.
-
I love all that this has to offer. I swerve in two directions now: First thought: we should ditch current "generic" secret creation where we let the teams create them in the console. Than we will instead only use bank-vaults injection. We can then also skip etcd encryption at rest (what else is sensitive?). Second thought: Suddenly I start favoring the second idea above all else. We then also have to keep our current setup where we select keys from a shared secret, as it would be preferable to not generate one k8s secret per envVar or file. Instead of inputting values during "generic" secret creation, we let users give the vault key. Nightly dialogue with myself paid off ;) |
Beta Was this translation helpful? Give feedback.
-
I am trying to define some user scenarios for secrets creation: My design goals are:
Below there are two proposals: A user can create am external-secret in otomi-console
A user can change secret value:
A user can change external-secret version:
@Morriz I would be thankful if you could help with that. |
Beta Was this translation helpful? Give feedback.
-
Can I ask where the story is for these requirements? Can you add a link to that in the top @j-zimnowoda ? |
Beta Was this translation helpful? Give feedback.
-
An admin can bootstrap chart secrets (not covered by MVP 1)Let’s start from simple statement:
Below there are examples of the secret jsonpaths that otomi-core is using:
Note: this list may not be complete and it is responsibility of task owner to come up with full list of secrets A guideline for secrets migration in
|
Beta Was this translation helpful? Give feedback.
-
@j-zimnowoda we want to add the following requirements:
otomi:
vault:
exists: false
provider: (azure|aws|hashicorp)
aws: ...
azure: ...
hashicorp: ...
So you are now aware that we should have an open configuration that allows swapping vaults. |
Beta Was this translation helpful? Give feedback.
-
User stories
System requirementsVault security
Vault storage
Vault HA
Secrets
ArchitectureStructure of secretsMount path is used for organising secrets in a structured way. The can be also used to define polices and to restrict access. For multitenant cluster the following path naming convetion is proposed: secret/teams//category// For example:
For multi organization solution above paths can be prefixed with Vault secret enginesSecrets engines are components which store, generate, or encrypt data. [1] At otomi platform the following secrets engine are going to be used:
secret engine can be used in production environment. For onprem setup the secret engine is not defined yet. For platform development purpose the [Google Cloud KMS] can be disabled used. Vault policiesProperly organized structure of secrets enables to apply vault policies efficiently. The vault policy is a collection of paths, each has associated capabilities. A policies can be associated with Some policy examples are presented below:
Vault authenticationIn otomi platform the vault Kubernetes and OIDC authentication methods are going to be supported. Vault authorization policiesThe vault also introduces concept of groups. Any group can contain many vault policies. In otomi we leverage groups claim for OIDC scope that can contain many team names. In vault we map OIDC groups claim to vault group by creating identity group-alias Note: we are not going to use vault templated policies, as they are difficult to define declarative and we can achive multi tenancy just by assigning policies to groups. References: Multicluster supportEach cluster has its own standalone Vault instance. References: |
Beta Was this translation helpful? Give feedback.
User stories
An admin can bootstrap otomi-core internal secretsSystem requirements
Vault security