mitodl / ol-infrastructure

Infrastructure automation code for use by MIT Open Learning

BSD 3-Clause "New" or "Revised" License

46 stars 4 forks source link

Create a Vault resource definition for Concourse #1500

Closed blarghmatey closed 1 year ago

blarghmatey commented 1 year ago

User Story

As a platform engineer/pipeline author I would like to be able to access secrets from dynamic backends as well as arbitrary static paths

Description/Context

We make heavy use of dynamic credentials in our infrastructure. As a result this leaks into some of our pipeline definitions that we would like to write/maintain.

Acceptance Criteria

[x] I can retrieve a dynamic credential from Vault within a Concourse pipeline
[x] I can retrieve a static credential from Vault within a Concourse pipeline
[ ] I can trigger a pipeline run when a dynamic credential lease is about to expire

blarghmatey commented 1 year ago

The current priority secrets engines that we rely on are:

database
AWS IAM
kv
kv-v2

blarghmatey commented 1 year ago

An example interface that might work for specifying the config for the resource could look like:

vault-resource:
  source:
    db_creds: postres-mitxonline/creds/readonly
    static_kv: secret/path/to/secret

And those then write the response to a local YAML/JSON file that is set as an output and readable as inputs for downstream tasks to populate as a var source with the file named according to the key (e.g. db_creds.yaml)

If those can automatically create a var in the pipeline with the var named according to the key that would also be helpful.

blarghmatey commented 1 year ago

Docs about dynamic vars and var sources are at https://concourse-ci.org/vars.html#dynamic-vars