nebari-dev / governance

✨ Governance-related work for Nebari-dev
BSD 3-Clause "New" or "Revised" License
0 stars 2 forks source link

RFD - Vault for Deployment and Dynamic User Secrets #32

Closed costrouc closed 2 weeks ago

costrouc commented 1 year ago
Status Open for comments 💬
Author(s) costrouc
Date Created 14-02-2022
Date Last updated 14-02-2022
Decision deadline 14-02-2022

Vault for Deployment and Dynamic User Secrets

Summary

Have spent around 2 days familiarizing myself with Vault and trying it out by using Hashicorp's managed vault deployment. We have the features that we would need to allow:

User benefit

There are two users I have in mind this this proposal end users e.g. regular users/developers on Nebari and devops/it sysadmins managing the deployment of Nebari. This proposal would satisfy both of these.

Design Proposal

Implementation

Notice user does not have to store/remember any secrets!

How would we configure vault:

# patch-basic-annotations.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-helloworld: "secrets/helloworld"
        vault.hashicorp.com/role: "myapp"

Kubernetes service accounts are at the heart of this. Would would assign identities to users/services via attaching a service account e.g. <namespace>/service-<service-name> or <namespace>/user-<username>

Alternatives or approaches considered (if any)

There is currently a proposal for using SOPS for secret management https://github.com/nebari-dev/governance/issues/29.

Best practices

User impact

Unresolved questions

Do we use separate namespaces for users?

iameskild commented 1 year ago

I agree that Vault provides a suite of additional features and benefits over SOPS. As I mentioned elsewhere, Vault is to secret management what Keycloak is to user management, a professional tool.

If we're going to spend the time implementing one or the other, I would be in favor of implementing Vault.

dharhas commented 1 year ago

So I like the end user experience of naas.ai

see: https://docs.naas.ai/

Add Secret Keys

Copy in production any secret key :

naas.secret.add(name="API_NAME", secret="API_KEY")

Remove the previous line and get your secret key with :

naas.secret.get(name="MY_API_KEY")

This allows you to push your notebook in production without sensitive data getting exposed.

No idea how it is implemented/

viniciusdc commented 1 year ago

@costrouc Are we moving into this direction yet?

Adam-D-Lewis commented 2 weeks ago

I'm cleaning up the RFD's and I'm going to close this for now due to no activity, but feel free to re-open if needed!