department-of-veterans-affairs / abd-vro

To get Veterans benefits in minutes, VRO software uses health evidence data to help fast track disability claims.

Use LHDI's HashiCorp Vault for shared credentials #768

Closed yoomlam closed 1 year ago

yoomlam commented 1 year ago

Let's do this in Jan 2023. Dependent on LHDI providing the HashiCorp Vault.

Follow-on from #717, where a GitHub "machine user" account was created. Use LHDI's HashiCorp Vault for shared credentials for these accounts so that admins (Yoom), SecRel maintainer (Seth), and DevOps have access to the accounts.

Slack

Document Secrets in each env and connect to HashiCorp Vault

yoomlam commented 1 year ago

Update:

The dev and prod stories are complete; there is just one more story to finish getting [HashiCorp Vault] ready for customer use (setting up onboarding, ArgoCD integration, and documentation for the most part). It's currently in work, so hopefully within the next sprint or two.

yoomlam commented 1 year ago

Usage demo on Feb 15th

yoomlam commented 1 year ago

Not yet released this week. Pushing it to next sprint or until online documentation is available.

yoomlam commented 1 year ago

Not yet released.

yoomlam commented 1 year ago

Ready for use

yoomlam commented 1 year ago

Meeting with LHDI today to get started. I'll start creating a list of secrets currently in K8s so they can be automated.

dianagriffin commented 1 year ago

Context: secrets etc. are stored in K8s and were created ad hoc, without supporting documentation. This directly impacts maintenance of VRO; it would be challenging to rotate credentials in the current state, for example. LHDI is in the process of providing HashiCorp Vault, which would provide a solution to manage credentials in a shared vault.

yoomlam commented 1 year ago

Notes from meeting with LHDI:

yoomlam commented 1 year ago

Need to test non-dev images. Blocked by SecRel-alerts.

yoomlam commented 1 year ago

VRO deployed to prod-test successfully.