projectsyn / documentation

The Project Syn main documentation repository
https://docs.syn.tools/
BSD 3-Clause "New" or "Revised" License

Document Vault Structure #87

Open srueg opened 3 years ago

srueg commented 3 years ago

Context

The current Vault structure enforces the <tenant-id>/<cluster-id>/ structure. Nothing more is enforced or recommended. We should document the best practices around secrets in Vault and how to structure them. Some inputs:

Alternatives

Implement more secrets generation via Lieutenant-operator which would enforce certain structures.

corvus-ch commented 3 years ago

Use as few key-value pairs per secret as possible (it's not possible to update only single key-value pairs)

There is vault kv patch that can do that.
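As an added illustration (not code from this issue or from the Project Syn project), here is a small in-memory model of the difference the two comments above are about: a KV v2 "put" writes a whole new version containing only the keys in the request, while "patch" merges keys into the latest version (Vault's KV v2 PATCH endpoint accepts application/merge-patch+json, RFC 7396, where a null value deletes a key). The tenant and cluster ids and the secret contents are constructed sample data.

```python
"""Local model of Vault KV v2 'put' vs 'patch' semantics (constructed example)."""
from __future__ import annotations
from typing import Any


class KvV2Store:
    """In-memory stand-in for a KV v2 mount; paths follow <tenant-id>/<cluster-id>/<name>."""

    def __init__(self) -> None:
        self._versions: dict[str, list[dict[str, Any]]] = {}

    def get(self, path: str) -> dict[str, Any]:
        """Return a copy of the latest version (empty dict if the path does not exist)."""
        versions = self._versions.get(path)
        return dict(versions[-1]) if versions else {}

    def put(self, path: str, data: dict[str, Any]) -> int:
        """Like `vault kv put`: the new version contains exactly `data`, nothing else."""
        self._versions.setdefault(path, []).append(dict(data))
        return len(self._versions[path])  # new version number

    def patch(self, path: str, patch: dict[str, Any]) -> int:
        """Like `vault kv patch`: merge into the latest version (RFC 7396 semantics)."""
        merged = self.get(path)
        for key, value in patch.items():
            if value is None:
                merged.pop(key, None)  # null removes the key
            else:
                merged[key] = value  # present keys are replaced or added
        return self.put(path, merged)  # untouched keys survive in the new version


def rotate_password(use_patch: bool) -> dict[str, Any]:
    """Rotate one credential in a cluster-level secret and return the resulting data."""
    store = KvV2Store()
    path = "tenant-a/cluster-1/database"  # constructed <tenant-id>/<cluster-id>/<name>
    store.put(path, {"username": "app", "password": "old", "host": "db.internal"})
    if use_patch:
        store.patch(path, {"password": "new"})  # only the password changes
    else:
        store.put(path, {"password": "new"})  # username and host are silently dropped
    return store.get(path)


def remove_key() -> dict[str, Any]:
    """Show that a null value in a patch deletes just that key."""
    store = KvV2Store()
    path = "tenant-a/cluster-1/database"
    store.put(path, {"username": "app", "password": "old", "host": "db.internal"})
    store.patch(path, {"host": None})
    return store.get(path)
```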

corvus-ch commented 3 years ago

So far, we assumed secrets to be defined on the cluster level. However, some secrets might be better put on the level of a tenant and shared between all clusters of that tenant.

Would it also make sense to have globally defined secrets? Maybe, but this certainly needs security considerations.