bcgov / SIMS

Student Information Management System. Post-Secondary Student Financial Aid System
Apache License 2.0

Implement Vaults #2156

Open andrewsignori-aot opened 11 months ago

andrewsignori-aot commented 11 months ago

As a Ministry Security Officer, I would like secrets to be stored and controlled using Hashicorp Vault.

Prerequisite: Creation of vault secrets and implementation must occur in the same sprint.

Acceptance Criteria

Technical Context

Insert the following YAML into the spec/strategy/template/metadata. Replace ${license-plate}, ${prod or nonprod} and secret1/2 with the real values.

annotations:
    # Secrets the Vault agent fetches; each path is ${license-plate}-${prod or nonprod}/<secret-name>
    vault.hashicorp.com/agent-inject-secret-secrets.env: '${license-plate}-${prod or nonprod}/secret1,${license-plate}-${prod or nonprod}/secret2'
    vault.hashicorp.com/namespace: platform-services
    # The role must match the environment (prod or nonprod) used in the secret paths above
    vault.hashicorp.com/role: ${license-plate}-${prod or nonprod}
    vault.hashicorp.com/agent-pre-populate-only: 'true'
    vault.hashicorp.com/agent-inject: 'true'
    # Renders every key/value of both secrets as export lines into /vault/secrets/secrets.env
    vault.hashicorp.com/agent-inject-template-secrets.env: |
      {{- with secret "${license-plate}-${prod or nonprod}/secret1" -}}
      {{- range $key, $value := .Data.data -}}
      export {{ $key }}="{{ $value }}"{{ "\n" }}
      {{- end -}}
      {{- end -}}
      {{- with secret "${license-plate}-${prod or nonprod}/secret2" -}}
      {{- range $key, $value := .Data.data -}}
      export {{ $key }}="{{ $value }}"{{ "\n" }}
      {{- end -}}
      {{- end -}}

Add user into spec/strategy/template/spec

serviceAccount: ${license-plate}-vault

Finally, you will need to either source the secrets.env file located at /vault/secrets/secrets.env as part of container startup or as part of the application code.
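One way to consume the generated file from application code, as an added TypeScript example that is not part of SIMS or of this issue: it parses the `export KEY="VALUE"` lines the agent template above writes to /vault/secrets/secrets.env and copies them into process.env without sourcing the file through a shell, so secret values are handled as data rather than executed. The function names and the default path are assumptions.

```typescript
import { readFileSync } from "fs";

// One line as emitted by the agent template above: export KEY="VALUE"
const LINE_RE = /^export\s+([A-Za-z_][A-Za-z0-9_]*)="(.*)"$/;

// Parse the generated file into a map. Lines that do not have the expected
// shape are collected instead of silently dropped, so a broken render is
// noticed at startup rather than showing up later as a missing setting.
export function parseSecretsEnv(
  content: string,
): { secrets: Record<string, string>; malformed: string[] } {
  const secrets: Record<string, string> = {};
  const malformed: string[] = [];
  for (const raw of content.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = LINE_RE.exec(line);
    if (m) secrets[m[1]] = m[2];
    else malformed.push(line);
  }
  return { secrets, malformed };
}

// Copy parsed values into the environment. Variables already present win,
// so values set explicitly on the deployment are not overwritten by Vault.
// Returns the names applied (never the values) for a safe startup log line.
export function applySecrets(
  secrets: Record<string, string>,
  env: Record<string, string | undefined> = process.env,
): string[] {
  const applied: string[] = [];
  for (const [key, value] of Object.entries(secrets)) {
    if (env[key] !== undefined) continue;
    env[key] = value;
    applied.push(key);
  }
  return applied;
}

// Read and apply the file the Vault agent wrote (assumed default path).
// Fails fast instead of starting with a partially loaded configuration.
export function loadSecretsEnv(
  path: string = "/vault/secrets/secrets.env",
): string[] {
  const { secrets, malformed } = parseSecretsEnv(readFileSync(path, "utf8"));
  if (malformed.length > 0) {
    throw new Error(`${path}: ${malformed.length} unparsable line(s)`);
  }
  return applySecrets(secrets);
}
```

Call loadSecretsEnv() before the application reads its configuration; log only the returned key names.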

cditcher commented 7 months ago

Determined that this is a requirement. Will prioritize devops.

sslaws commented 1 month ago

I'd like to discuss the priority on this... I've put it in 2x

sslaws commented 1 week ago

Reminder to Stephen to follow up with Nick C regarding local OpenShift secret encryption.