Open costrouc opened 1 year ago
I agree that Vault provides a suite of additional features and benefits over SOPS. As I mentioned elsewhere, Vault is to secret management what Keycloak is to user management, a professional tool.
If we're going to spend the time implementing one or the other, I would be in favor of implementing Vault.
So I like the end user experience of naas.ai
Add Secret Keys
Copy in production any secret key :
naas.secret.add(name="API_NAME", secret="API_KEY")
Remove the previous line and get your secret key with :
naas.secret.get(name="MY_API_KEY")
This allows you to push your notebook in production without sensitive data getting exposed.
No idea how it is implemented/
@costrouc Are we moving into this direction yet?
Vault for Deployment and Dynamic User Secrets
Summary
Have spent around 2 days familiarizing myself with Vault and trying it out by using Hashicorp's managed vault deployment. We have the features that we would need to allow:
User benefit
There are two users I have in mind this this proposal end users e.g. regular users/developers on Nebari and devops/it sysadmins managing the deployment of Nebari. This proposal would satisfy both of these.
Design Proposal
Implementation
Notice user does not have to store/remember any secrets!
How would we configure vault:
users/<username>/*
andgroup/<group>/*
to write arbitrary secretsKubernetes service accounts are at the heart of this. Would would assign identities to users/services via attaching a service account e.g.
<namespace>/service-<service-name>
or<namespace>/user-<username>
Alternatives or approaches considered (if any)
There is currently a proposal for using SOPS for secret management https://github.com/nebari-dev/governance/issues/29.
Best practices
User impact
Unresolved questions
Do we use separate namespaces for users?