feat: RFD ????: Dealing with Vault (credentials).

cloudfoundry-incubator / kubecf

Cloud Foundry on Kubernetes

Apache License 2.0

115 stars 62 forks source link

feat: RFD ????: Dealing with Vault (credentials). #1645

Closed mook-as closed 3 years ago

mook-as commented 3 years ago

Description

Adds a discussion / documentation on how we intend to use Vault to manage our credentials.

Motivation and Context

We need to sort out how we want to approach #1607 / #1608.

How Has This Been Tested?

N/A

Types of changes

[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

[ ] My code has security implications.
[ ] My code follows the code style of this project.
[ ] My change requires a change to the documentation.
[ ] I have updated the documentation accordingly.

mook-as commented 3 years ago

For the secret paths thing, I'm leaning towards:

Have two trees, secrets/ (K/V v2) for the actual secrets, and mapped/ (K/V v1) for consumption by the pipelines. (Names pending, those are kind of terrible.)
Have automation to copy secrets/ into mapped/ and delete anything in the second tree that isn't configured to exist (as configured by some secret inside secrets/).

That should hopefully ensure we don't make one-off things that can't be tracked. That does mean we now have a pretty powerful role that can read all secrets, though.

jandubois commented 3 years ago

This PR doesn't scribe the current status quo, but there is currently no plan either to implement the changes documented in it either, so closing it for now. We can always re-open if/when we get back to it.