SPIKE - Secret management in Helm Charts

[esune]

Evaluate options for more efficient secret management in our Helm Charts (currently Traction and VC-AuthN).

Some of the options to evaluate are:

• Hashicorp Vault (https://www.vaultproject.io). A provider for Helm is https://github.com/Just-Insane/helm-vault
• Argo CD (https://argo-cd.readthedocs.io). A potential plugin is https://luafanti.medium.com/injecting-secrets-from-vault-into-helm-charts-with-argocd-43fc1df57e74
• Using Github secrets

Things to consider when evaluating:

• Effort to implement the solution and related changes (i.e.: need for private repos)
• BC Gov needs vs. community needs: are we locking ourselves into a specific solution? If so, is it worth it, or are there other options?

Acceptance Criteria: Document (as part of this issue, or HackMD) the pros/cons of the above options (and potentially others not listed) so that a recommendation on what the next steps should be can be made.

[esune]

FYI @WadeBarnes @i5okie

[WadeBarnes]

Platform services host instances of Hashicorp Vault and Argo CD. The plan so far is to at least use Hashicorp Vault to provide better secrets management and open the door to automated key/password rotation for our services. This allows machine managed access to services. For example if we use these features on a postgres database, a developer would have to be granted permissions to get a temporal password to access the system. We are also looking into using 1Password Secrets Automation to integrate with Vault to provide better secrets management from a team perspective, allowing credentials to be updated in 1Password and automatically distributed to our various environments and platforms.

[hiteshgh]

Assigned to @i5okie

[WadeBarnes]

Closing this as we're addressing in https://github.com/bcgov/DITP-DevOps/issues/158