Open techcobweb opened 6 months ago
I had a discussion with @Tom-Slattery today, and ran this outline plan past him, to which he said that it fitted well with the direction he was going to have to take with secrets management in the future.
This is the source for the diagram in the description.
https://thenewstack.io/meet-openbao-an-open-source-fork-of-hashicorp-vault/ Is very interesting.
It's a new project based on a 2023 branch of Hashicorp vault. https://github.com/openbao/openbao/tags
If it matures a bit more, we should be using that for secret storage rather than the etcd back-end we currently use.
Story
As an installer of galasa, I want to configure my ecosystem to draw secrets from a remote centralised secrets manager, so that I know the secrets are being stored and organised in a way consistent with my mandated security policies.
Contents
Background
Current solution
CredentialsStoreService
Proposed solution
We need to do this:
ie:
Why we chose IBM Cloud secrets manager
How the connector could work
The IBM cloud secrets manager supports a 'group' or 'namespace' of secrets, which can have different ACSs assigned for each user ID... so if the secrets manager instance is used for many things, all the secrets which Galasa testcases need could be put into the same 'group', and the access token used by Galasa can be restricted to only be able to read from that group.
To set this configuration up, someone with admin rights is going to need to create a kubernetes secret
secrets_manager_access_token
. This should be an external secret which is also drawn from the same external secrets manager (though it could be in a separate group/namespace), as this secret is for galasa to use, not individual test cases.Some configuration will be needed by the connector also, some of which needs to be stored in kubernetes secrets, and supplied to the connector code at runtime.
To reset the seed secret
When there is a secrets connector
When there isn't a secrets connector
Reasons why test pods do not get secrets on demand direct from the IBM cloud secret store
The IBM cloud secret store is limited to 20 calls per second. With 100 testcases trying to get 5 secrets each, that could add up to 500 calls to the secret store. The service doesn't have a hard-stop, but delays calls if the call rate is greater than 20. But it would still take 25 seconds for those tests to get all those secrets. There are also limits on the number of concurrent accesses from unique clients. Which itself rules out on-demand access. The docs also state that it is a cold-storage for secrets. See the documentation for more details.
This is exacerbated by the fact that each pod would have to get IBM Cloud IAM credentials by logging in... another process which will take some time.
Conclusion: We need to draw the secrets out of the secret store and cache them, sharing them via etcd, which is built for clustered parallel access.
REST interface
GET /secrets - lists the secrets available GET /secrets?name=xxx - gets the definition of the secret, with the value POST /secrets/name - creates a new secret PUT /secrets/name - updates an existing secret DELETE /secrets/name - deletes a secret
POST /resources - Allows a secret resource to be created/updated/deleted.
A secret looks like this:
or
or
or
Limiting who can get what secret information
We don't have Role-based access implemented yet. When we do we can limit who can see which secrets. ie: The GET data could be refused unless you have secret reading permissions in your role.
So until that point, everyone can see all the secret values.
Observations
Tasks
Improve the existing credentials solution
galasactl
program can set a secret + valuegalasactl
program can get a secret + valueThe helm chart needs to be set up with values which control the connector to IBM secrets manager.