-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #56: Adds vault-ui ingress #65
Merged
SonOfLope
merged 22 commits into
main
from
56-as-a-developer-i-would-like-an-ingress-to-access-the-vault-ui-and-configure-secrets
Mar 21, 2024
Merged
Changes from 10 commits
Commits
Show all changes
22 commits
Select commit
Hold shift + click to select a range
08e2f9d
Issue #56: Adds vault-ui ingress
SonOfLope a1dd62e
Issue #56: Adds external-dns annotations
SonOfLope f2477b6
Issue #56: Fix external-dns annotation
SonOfLope 924538c
Issue #56: Remove https annotation
SonOfLope 658ec4c
Issue #56 : Force https
SonOfLope 063460f
Issue #56: cluster-issuer annotation fix
SonOfLope af7fa64
Issue #56: change port binding and annotations
SonOfLope d94ca05
Issue #56: revert changes to working fix
SonOfLope c558fac
Issue #56: enable tls communication
SonOfLope aa7ff60
Issue #56: Add vault documentation
SonOfLope fb601e1
Issue #56: Rename Vault-argoCD-workflow.svg to vault-argocd-workflow.svg
SonOfLope 8a06594
Issue #56: Adds crds for vault config operator. Still needs a fix bec…
SonOfLope d70afd0
Merge branch 'main' into 56-as-a-developer-i-would-like-an-ingress-to…
SonOfLope cb9b90e
Issue #56: Delete .github/workflows/test.yml
SonOfLope 135f811
Issue #56: Fix doc deadlink
SonOfLope 474803d
Issue #56: Fixing yaml lint and file name based on convention
SonOfLope c225432
Issue #56: Fix markdown png reference
SonOfLope c6ca88b
Issue #56: Updated in order to merge. config operator will be pushed …
SonOfLope 0d6108e
Issue #56: revert value file changes
SonOfLope 305ab4f
Issue #56: update value file name
SonOfLope 5838a45
Merge branch 'main' into 56-as-a-developer-i-would-like-an-ingress-to…
SonOfLope eb666e2
Issue #56: update vault documentation with argo plugin
SonOfLope File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
name: Python api-test workflows | ||
|
||
on: | ||
pull_request: | ||
types: | ||
- opened | ||
- closed | ||
- synchronize | ||
|
||
jobs: | ||
lint-test: | ||
uses: ai-cfia/github-workflows/.github/workflows/workflow-lint-test-python.yml@main | ||
secrets: inherit | ||
|
||
markdown-check: | ||
uses: ai-cfia/github-workflows/.github/workflows/workflow-markdown-check.yml@main | ||
with: | ||
config-file-path: '.mlc_config.json' | ||
secrets: inherit | ||
|
||
repo-standard: | ||
uses: ai-cfia/github-workflows/.github/workflows/workflow-repo-standards-validation.yml@main | ||
secrets: inherit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
File renamed without changes
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
# Secret management | ||
|
||
## Introduction | ||
|
||
Secrets are sensitive pieces of information that should be protected from | ||
unauthorized access. In the context of a Kubernetes cluster, secrets are used to | ||
store sensitive data such as passwords, tokens, and keys. To allow for secure | ||
and efficient management of secrets, we are using HashiCorp Vault, a tool that | ||
is designed to manage secrets and protect sensitive data. Vault provides a | ||
centralized way to manage access to secrets and encryption keys, and it also has | ||
the ability to generate dynamic secrets on demand. This document provides an | ||
overview of the secret management process and the role of Vault in securing and | ||
managing secrets in the Kubernetes cluster. | ||
|
||
## Vault architecture | ||
|
||
Vault is a highly available and distributed system that is designed to provide | ||
secure storage and management of secrets. It is built on a client-server | ||
architecture, with the server being the central component that stores and | ||
manages secrets, and the clients being the applications and services that access | ||
the secrets. The server is responsible for authenticating clients, authorizing | ||
access to secrets, and providing encryption and decryption services. The server | ||
is also responsible for generating dynamic secrets on demand, which are | ||
short-lived and are automatically revoked after a certain period of time. | ||
|
||
Current configuration allows vault to inject secrets into pods using a sidecar | ||
container that runs the Vault Agent Injector. The Vault Agent Injector is a | ||
mutating webhook that intercepts requests to create or update pods and injects | ||
secrets into the pod's file system. This allows clients (hosted applications) to | ||
access secrets as files, which is a secure and efficient way to manage secrets | ||
in a Kubernetes environment. | ||
|
||
The following diagram illustrates the workflow of the Vault Agent Injector and | ||
how developers can manage secrets of hosted applications: | ||
![Developer workflow diagram](img/Vault-argoCD-workflow.svg) | ||
|
||
## Secret management process | ||
|
||
The secret management process involves the following steps: | ||
|
||
1. **Secret creation**: Secrets are created and stored in Vault using the Vault | ||
CLI or API. When a secret is created, it is encrypted and stored in the | ||
central Vault server. | ||
|
||
2. **Secret retrieval**: Applications and services can retrieve secrets from | ||
Vault using the Vault CLI or API. When a secret is retrieved, it is | ||
decrypted and returned to the client in a secure manner. | ||
|
||
3. **Dynamic secret generation**: Vault has the ability to generate dynamic | ||
secrets on demand. This means that instead of storing static secrets in | ||
Vault, Vault can generate short-lived secrets that are automatically revoked | ||
after a certain period of time. This provides an additional layer of | ||
security and reduces the risk of unauthorized access to secrets. | ||
|
||
4. **Access control**: Vault provides fine-grained access control to secrets, | ||
allowing administrators to define policies that specify which clients can | ||
access which secrets. This ensures that only authorized clients can access | ||
sensitive data. Currently, we are using the Kubernetes authentication method | ||
to authenticate hosted applications and authorize access to secrets. As for | ||
the human users, we are using the Github authentication method to | ||
authenticate and authorize access to secrets. | ||
|
||
## Create, read, update, and delete secrets | ||
|
||
Vault provides a UI service to manage secrets. The UI service is a web-based | ||
user interface that allows administrators to create, read, update, and delete | ||
secrets. The service also provides a way to manage access control policies | ||
and audit logs. The service is accessible through a web browser and is | ||
protected by the same security mechanisms as the Vault server. | ||
|
||
### Steps | ||
|
||
1. In order to gain access to the Vault UI service, you need to have the | ||
appropriate permissions and access to the Vault URL. It is currently | ||
configured to give access to any member of the `ai-cfia` organization on | ||
Github. | ||
2. Generate a personal access token on Github and use it to authenticate to the | ||
Vault UI service. The scope of the token should be : ![PAT token | ||
scope](img/pat-token-scope.png) | ||
3. Gain access to the Vault UI service by navigating to the Vault URL in a web | ||
browser. You will be prompted to authenticate using your Github PAT token. | ||
4. Once authenticated, you will be able to create, read, update, and delete | ||
secrets using the UI service. Simply navigate to the PV secret engine and | ||
follow the path to your applications secrets. The PV secret engine is a | ||
key-value store that allows you to store and manage secrets for your | ||
applications. ![PV secret engine](img/pv-secret-engine.png) | ||
5. Once in the directory of your application secrets, simply click on 'create | ||
new version' and you will be able to add, update, or delete secrets as | ||
needed. ![Create mew secret](img/create-new-secret.PNG) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
--- | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
name: vault-ui | ||
namespace: vault | ||
labels: | ||
app.kubernetes.io/name: vault-ui | ||
app.kubernetes.io/instance: vault | ||
annotations: | ||
external-dns.alpha.kubernetes.io/target: inspection.alpha.canada.ca | ||
cert-manager.io/cluster-issuer: letsencrypt-prod | ||
nginx.ingress.kubernetes.io/rewrite-target: / | ||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" | ||
kubernetes.io/tls-acme: "true" | ||
spec: | ||
ingressClassName: nginx | ||
tls: | ||
- hosts: | ||
- "vault.inspection.alpha.canada.ca" | ||
secretName: vault-ui | ||
rules: | ||
- host: "vault.inspection.alpha.canada.ca" | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: vault-ui | ||
port: | ||
name: https |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Create follow issue to turn this into an ADR to review by team and security.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opened ai-cfia/dev-rel-docs#117