rancher / rancher

Complete container management platform
http://rancher.com
Apache License 2.0

Provide Vault Backend for Access Control #3267

Closed blaggacao closed 6 years ago

blaggacao commented 8 years ago

Vault (Hashicorp), besides its multiple other use cases in the rancher ecosystem, could be elegantly included as an Access Control Backend.

Vault, in turn, also supports, among other backends, LDAP, github and user/pwd, and I'm sure Active Directory is just a yard away, but comes with the additional benefit of:

It possibly can be used to even replace/offload backend maintenance efforts to the vault project, if that would come in handy. /cc @will-chan : yet another use case.

https://vaultproject.io/docs/auth/github.html
https://vaultproject.io/docs/auth/ldap.html
https://vaultproject.io/docs/auth/userpass.html

raphink commented 8 years ago

For the record, confd now supports Vault. Since rancher provides a confd-compatible metadata API, this makes it all the more interesting now to mix values from rancher-metadata and vault.

blaggacao commented 8 years ago

@deniseschannon Would https://github.com/rancher/rancher/releases/tag/v1.1.0-dev2 close this? Or is the scope of the vault catalogue entry a less tight integration? Haven't had time to inspect it in detail...

janeczku commented 8 years ago

@blaggacao The Vault integration added to the Catalog authenticates containers and provisions them with Vault access credentials.

blaggacao commented 8 years ago

OK, thanks. Let's keep this open then...

deniseschannon commented 6 years ago

With the release of Rancher 2.0, development on v1.6 is only limited to critical bug fixes and security patches.