
Support external secret providers such as Vault

Open westenb opened this issue 6 years ago • 2 comments

Hi,

In many scenarios, infrabox jobs require configuration involving credentials. Infrabox provides a mechanism via secrets ([1]) which can be centrally maintained. Also some local support is available ([2]).

However, it would be really convenient to connect Infrabox to a central secure store such as Hashicorp Vault (https://www.vaultproject.io/), which provides rich access control, auditing and general management capabilities.

One possible compatible approach could be to leverage the existing Infrabox notion

"MY_SECRET_DB_PASSWORD": { "$secret": "SECRET_NAME" },

where SECRET_NAME could be then e.g. of the form secret/db/password returning the value of the key password in the Vault secret secret/db.

The Vault configuration could be supported on Infrabox instance and Infrabox project level. For local support, it would be nice to also have support for configuring a secrets provider as an alternative to the infraboxsecrets file.

Regards, Eric

[1] https://github.com/SAP/InfraBox-examples/tree/master/secrets
[2] https://github.com/SAP/InfraBox-cli#secrets

westenb, Feb 14 '19 12:02

It would also be super to have Kubernetes secrets passed through. This would be especially useful for things like registry authentication, where we don't necessarily want to have to set each service account secret manually on each project.

jerr0328, Mar 19 '19 13:03

Having looked a bit at the code, I think this would be a pretty sizable project, as most of the secrets-handling is expecting to look up based on the $secret key the variable name in the database. I'd expect a compatible solution to likely have something like $vault or $k8s-secret with the value passed to a secrets provider/handler for processing. This would certainly get complicated (e.g. does each project have to have some configuration for a secrets engine or is it global to the installation? Is there extra configuration passed within the Infrabox json to specify a namespace?), but I still think it would be incredibly valuable. I might look into this for Hacktoberfest if this is still open by then.

jerr0328, May 17 '19 13:05
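The resolver sketched below is an added example, not InfraBox code and not something either participant posted. It shows how the two proposals in this thread could fit together: Eric's idea of letting a `$secret` value of the form `secret/db/password` be routed to Vault (path `secret/db`, key `password`), and jerr0328's idea of explicit `$vault` / `$k8s-secret` reference keys handed to a provider per kind. The provider classes, the `$vault` and `$k8s-secret` key names, the `split_reference` convention and every sample value are assumptions made for this example; the stores are in-memory stand-ins for Vault and Kubernetes so the code runs offline.

```python
"""Resolve InfraBox-style secret references through pluggable providers.

Illustration of the design discussed in this issue; not InfraBox code. The
provider classes, the '$vault' / '$k8s-secret' reference keys and all sample
values below are assumptions made for this example.
"""
from typing import Any, Dict, Mapping, Protocol, Tuple


class SecretNotFound(KeyError):
    """A reference could not be resolved. Fail the job; never substitute ''."""


class SecretProvider(Protocol):
    def get(self, path: str, key: str) -> str: ...


class DatabaseSecrets:
    """Stands in for InfraBox's existing flat, per-project secrets table."""

    def __init__(self, secrets: Mapping[str, str]) -> None:
        self._secrets = dict(secrets)

    def get(self, path: str, key: str) -> str:
        # Flat store: the 'path' is the secret name and there is no sub-key.
        if key or path not in self._secrets:
            raise SecretNotFound(path)
        return self._secrets[path]


class PathKeyStore:
    """Path -> {key: value} store, shaped like a Vault KV engine or a k8s Secret."""

    def __init__(self, store: Mapping[str, Mapping[str, str]]) -> None:
        self._store = {p: dict(kv) for p, kv in store.items()}

    def get(self, path: str, key: str) -> str:
        if not key or path not in self._store or key not in self._store[path]:
            raise SecretNotFound(f"{path}/{key}")
        return self._store[path][key]


def split_reference(ref: str) -> Tuple[str, str]:
    """'secret/db/password' -> ('secret/db', 'password'); 'CI_TOKEN' -> ('CI_TOKEN', '')."""
    path, sep, key = ref.rpartition("/")
    if not sep:
        return ref, ""
    # Reject absolute paths, empty segments and traversal-looking references.
    if not path or not key or path.startswith("/") or ".." in ref.split("/"):
        raise ValueError(f"malformed secret reference: {ref!r}")
    return path, key


def resolve_environment(env: Mapping[str, Any],
                        providers: Mapping[str, SecretProvider]) -> Dict[str, str]:
    """Return env with every {"$kind": "ref"} object replaced by its secret value."""
    resolved: Dict[str, str] = {}
    for name, value in env.items():
        if not isinstance(value, dict):
            resolved[name] = str(value)          # plain literal, passed through
            continue
        if len(value) != 1:
            raise ValueError(f"{name}: expected exactly one reference key, got {sorted(value)}")
        (kind, ref), = value.items()
        if not isinstance(ref, str) or not ref:
            raise ValueError(f"{name}: reference must be a non-empty string")
        # Proposal from the issue: a path-shaped $secret ('secret/db/password')
        # is routed to Vault instead of the flat project secrets table.
        if kind == "$secret" and "/" in ref:
            kind = "$vault"
        if kind not in providers:
            raise ValueError(f"{name}: unsupported reference kind {kind!r}")
        path, key = split_reference(ref)
        resolved[name] = providers[kind].get(path, key)
    return resolved


# Constructed sample input: one job environment and three stand-in providers.
SAMPLE_ENV = {
    "DB_HOST": "db.internal",
    "MY_SECRET_DB_PASSWORD": {"$secret": "secret/db/password"},   # Vault, via $secret
    "LEGACY_TOKEN": {"$secret": "CI_TOKEN"},                      # project secrets table
    "REGISTRY_AUTH": {"$k8s-secret": "infrabox/registry-creds/.dockerconfigjson"},
}
SAMPLE_PROVIDERS: Dict[str, SecretProvider] = {
    "$secret": DatabaseSecrets({"CI_TOKEN": "tok-123"}),
    "$vault": PathKeyStore({"secret/db": {"password": "hunter2", "user": "app"}}),
    "$k8s-secret": PathKeyStore({"infrabox/registry-creds": {".dockerconfigjson": "{...}"}}),
}

if __name__ == "__main__":
    for k, v in resolve_environment(SAMPLE_ENV, SAMPLE_PROVIDERS).items():
        print(f"{k}={'*' * len(v)}")   # never echo secret values into job logs
```

Two design points worth keeping if something like this lands: a missing key raises rather than resolving to an empty string, so a job fails loudly instead of running with blank credentials, and the reference kind selects the provider, which is where the open question of per-project versus per-installation provider configuration would be answered (the `providers` mapping would simply be built per project or per instance).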