-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #56: Adds vault-ui ingress #65
Changes from all commits
08e2f9d
a1dd62e
f2477b6
924538c
658ec4c
063460f
af7fa64
d94ca05
c558fac
aa7ff60
fb601e1
8a06594
d70afd0
cb9b90e
135f811
474803d
c225432
c6ca88b
0d6108e
305ab4f
5838a45
eb666e2
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
# Secret management | ||
|
||
## Introduction | ||
|
||
Secrets are sensitive pieces of information that should be protected from | ||
unauthorized access. In the context of a Kubernetes cluster, secrets are used to | ||
store sensitive data such as passwords, tokens, and keys. To allow for secure | ||
and efficient management of secrets, we are using HashiCorp Vault, a tool that | ||
is designed to manage secrets and protect sensitive data. Vault provides a | ||
centralized way to manage access to secrets and encryption keys, and it also has | ||
the ability to generate dynamic secrets on demand. This document provides an | ||
overview of the secret management process and the role of Vault in securing and | ||
managing secrets in the Kubernetes cluster. | ||
|
||
## Vault architecture | ||
|
||
Vault is a highly available and distributed system that is designed to provide | ||
secure storage and management of secrets. It is built on a client-server | ||
architecture, with the server being the central component that stores and | ||
manages secrets, and the clients being the applications and services that access | ||
the secrets. The server is responsible for authenticating clients, authorizing | ||
access to secrets, and providing encryption and decryption services. The server | ||
is also responsible for generating dynamic secrets on demand, which are | ||
short-lived and are automatically revoked after a certain period of time. | ||
|
||
Current configuration allows vault to inject secrets into pods using a sidecar | ||
container that runs the Vault Agent Injector. The Vault Agent Injector is a | ||
mutating webhook that intercepts requests to create or update pods and injects | ||
secrets into the pod's file system. This allows clients (hosted applications) to | ||
access secrets as files, which is a secure and efficient way to manage secrets | ||
in a Kubernetes environment. | ||
|
||
The following diagram illustrates the workflow of the Vault Agent Injector and | ||
how developers can manage secrets of hosted applications: ![Developer workflow | ||
diagram](img/vault-argocd-workflow.svg) | ||
|
||
## Secret management process | ||
|
||
The secret management process involves the following steps: | ||
|
||
1. **Secret creation**: Secrets are created and stored in Vault using the Vault | ||
CLI or API. When a secret is created, it is encrypted and stored in the | ||
central Vault server. | ||
|
||
2. **Secret retrieval**: Applications and services can retrieve secrets from | ||
Vault using the Vault CLI or API. When a secret is retrieved, it is | ||
decrypted and returned to the client in a secure manner. | ||
|
||
3. **Dynamic secret generation**: Vault has the ability to generate dynamic | ||
secrets on demand. This means that instead of storing static secrets in | ||
Vault, Vault can generate short-lived secrets that are automatically revoked | ||
after a certain period of time. This provides an additional layer of | ||
security and reduces the risk of unauthorized access to secrets. | ||
|
||
4. **Access control**: Vault provides fine-grained access control to secrets, | ||
allowing administrators to define policies that specify which clients can | ||
access which secrets. This ensures that only authorized clients can access | ||
sensitive data. Currently, we are using the Kubernetes authentication method | ||
to authenticate hosted applications and authorize access to secrets. As for | ||
the human users, we are using the Github authentication method to | ||
authenticate and authorize access to secrets. | ||
|
||
## Create, read, update, and delete secrets | ||
|
||
Vault provides a UI service to manage secrets. The UI service is a web-based | ||
user interface that allows administrators to create, read, update, and delete | ||
secrets. The service also provides a way to manage access control policies and | ||
audit logs. The service is accessible through a web browser and is protected by | ||
the same security mechanisms as the Vault server. | ||
|
||
### Steps | ||
|
||
1. In order to gain access to the Vault UI service, you need to have the | ||
appropriate permissions and access to the Vault URL. It is currently | ||
configured to give access to any member of the `ai-cfia` organization on | ||
Github. | ||
2. Generate a personal access token on Github and use it to authenticate to the | ||
Vault UI service. The scope of the token should be : ![PAT token | ||
scope](img/pat-token-scope.png) | ||
3. Gain access to the Vault UI service by navigating to the Vault URL in a web | ||
browser. You will be prompted to authenticate using your Github PAT token. | ||
4. Once authenticated, you will be able to create, read, update, and delete | ||
secrets using the UI service. Simply navigate to the PV secret engine and | ||
follow the path to your applications secrets. The PV secret engine is a | ||
key-value store that allows you to store and manage secrets for your | ||
applications. ![PV secret engine](img/pv-secret-engine.png) | ||
5. Once in the directory of your application secrets, simply click on 'create | ||
new version' and you will be able to add, update, or delete secrets as | ||
needed. ![Create mew secret](img/create-new-secret.png) | ||
|
||
## Argo CD Vault plugin (AVP) | ||
|
||
The [argocd-vault-plugin](https://argocd-vault-plugin.readthedocs.io/en/stable/) | ||
is used to manage secrets inside our deployments the Gitops way. It allows to | ||
use `<placeholders>` in any YAML or JSON files that have been templated and make | ||
use of annotations to provide the path and version of a secret inside vault. | ||
|
||
An example of usage is showcased inside the demo app sample. The official | ||
[documentation](https://argocd-vault-plugin.readthedocs.io/en/stable/howitworks/) | ||
for the plugin is well explained and can be followed according to the usecase | ||
needed. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
--- | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
name: vault-ui | ||
namespace: vault | ||
labels: | ||
app.kubernetes.io/name: vault-ui | ||
app.kubernetes.io/instance: vault | ||
annotations: | ||
nginx.ingress.kubernetes.io/whitelist-source-range: 200.194.32.0/24 | ||
external-dns.alpha.kubernetes.io/target: inspection.alpha.canada.ca | ||
cert-manager.io/cluster-issuer: letsencrypt-prod | ||
nginx.ingress.kubernetes.io/rewrite-target: / | ||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" | ||
kubernetes.io/tls-acme: "true" | ||
spec: | ||
ingressClassName: nginx | ||
tls: | ||
- hosts: | ||
- "vault.inspection.alpha.canada.ca" | ||
secretName: vault-ui | ||
rules: | ||
- host: "vault.inspection.alpha.canada.ca" | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: vault-ui | ||
port: | ||
name: https |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
namespace: vault | ||
Check warning on line 1 in kubernetes/aks/system/vault/base/vault-config-operator/kustomization.yaml GitHub Actions / yaml-check / yaml-lint-check
|
||
|
||
resources: | ||
- policies.yaml | ||
- roles.yaml | ||
- kv-secret-engine.yaml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
Check warning on line 1 in kubernetes/aks/system/vault/base/vault-config-operator/kv-secret-engine.yaml GitHub Actions / yaml-check / yaml-lint-check
|
||
kind: SecretEngineMount | ||
metadata: | ||
name: kv | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
type: kv |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
Check warning on line 1 in kubernetes/aks/system/vault/base/vault-config-operator/policies.yaml GitHub Actions / yaml-check / yaml-lint-check
|
||
kind: Policy | ||
metadata: | ||
name: secrets-writer | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
policy: | | ||
# create secrets | ||
path "kv/data/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}" { | ||
capabilities = [ "create", "update", "delete" ] | ||
} | ||
--- | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. future issue: document and explain reliance on redhat.io There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. referenced in #99 |
||
kind: Policy | ||
metadata: | ||
name: secrets-reader | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
policy: | | ||
path "kv/data/{{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}" { | ||
capabilities = [ "read" ] | ||
} | ||
--- | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
kind: Policy | ||
metadata: | ||
name: config-admin | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
policy: | | ||
path "sys/*" { | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} | ||
|
||
path "auth/*" { | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
Check warning on line 1 in kubernetes/aks/system/vault/base/vault-config-operator/roles.yaml GitHub Actions / yaml-check / yaml-lint-check
|
||
kind: KubernetesAuthEngineRole | ||
metadata: | ||
name: config-admin | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
path: kubernetes | ||
policies: | ||
- config-admin | ||
targetServiceAccounts: | ||
- default | ||
targetNamespaces: | ||
targetNamespaces: | ||
- vault | ||
--- | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
kind: KubernetesAuthEngineRole | ||
metadata: | ||
name: secrets-writer | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
path: kubernetes | ||
policies: | ||
- secrets-writer | ||
targetServiceAccounts: | ||
- "*" | ||
targetNamespaces: | ||
targetNamespaces: | ||
- "*" | ||
--- | ||
apiVersion: redhatcop.redhat.io/v1alpha1 | ||
kind: KubernetesAuthEngineRole | ||
metadata: | ||
name: secrets-reader | ||
spec: | ||
authentication: | ||
path: kubernetes | ||
role: config-admin | ||
path: kubernetes | ||
policies: | ||
- secrets-reader | ||
targetServiceAccounts: | ||
- "*" | ||
targetNamespaces: | ||
targetNamespaces: | ||
- "*" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
enableMonitoring: false | ||
Check warning on line 1 in kubernetes/aks/system/vault/helm/vault-config-operator.values.yaml GitHub Actions / yaml-check / yaml-lint-check
|
||
enableCertManager: true | ||
env: | ||
- name: VAULT_ADDR | ||
value: https://vault.vault:8200 | ||
- name: VAULT_CACERT | ||
value: /vault-certs/vault.ca | ||
volumes: | ||
- name: vault-certs | ||
secret: | ||
secretName: vault-ha-tls | ||
volumeMounts: | ||
- mountPath: /vault-certs | ||
name: vault-certs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Create follow issue to turn this into an ADR to review by team and security.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opened ai-cfia/dev-rel-docs#117