Implement Vaults

[andrewsignori-aot]

As a Ministry Security Officer, I would like secrets to be stored and controlled using Hashicorp Vault.

Prerequisite Creation of vault secrets and implementation must occur in same sprint

• [ ] Technical lead to create secrets in Vault (Stephen can assist in automation if wanted)
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/common
  • [ ] Creation of namespace-prod/envs/[staging/prod]/common
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/web
  • [ ] Creation of namespace-prod/envs/[staging/prod]/web
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/api
  • [ ] Creation of namespace-prod/envs/[staging/prod]/api
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/forms
  • [ ] Creation of namespace-prod/envs/[staging/prod]/forms
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/queue-consumers
  • [ ] Creation of namespace-prod/envs/[staging/prod]/queue-consumers
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/workers
  • [ ] Creation of namespace-prod/envs/[staging/prod]/workers
  • [ ] Creation of namespace-nonprod/envs/[dev/test]/edw-api
  • [ ] Creation of namespace-prod/envs/[staging/prod]/edw-api
• [ ] Discuss Infrastructre items: Crunchy, Redis, hamongo and either remove from scope or create new tickets

Acceptance Criteria

• [ ] Inject common and specific vault secret into each DC mapped at /vault/secrets/secrets.txt
• [ ] Path and filename should be configurable (configmap or .env file) for secrets.txt
• [ ] On App startup code should read secrets.txt into memory and then delete it
• [ ] Code should reference secrets/configuration/environment from common mechanism
• [ ] Remove mapped secrets and environment variables from Deployment Configs
• [ ] Remove secrets from GH
• [ ] Exclude Infrastructure items: Crunchy, Redis, hamongo for this ticket
• [ ] Confirm that no secrets are on disk or in environment variables once pod has fully started

Technical Context

Insert the following yaml into the spec/strategy/template/metadata Replace ${license-plate}, ${prod or nonprod} and secret1/2 with the real values

annotations:
    vault.hashicorp.com/agent-inject-secret-secrets.txt: '${license-plate}-${prod or nonprod}/secret1,${license-plate}-${prod or nonprod}/secret2
    vault.hashicorp.com/namespace: platform-services
    vault.hashicorp.com/role: ${license-plate}-${prod or nonprod}
    vault.hashicorp.com/agent-pre-populate-only: 'true'
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/agent-inject-template-secrets.txt: |
      {{- with secret "${license-plate}-${prod or nonprod}/secret1" -}}
      {{- range $key, $value := .Data.data -}}
      export {{ $key }}="{{ $value }}"{{ "\n" }}
      {{- end -}}
      {{- end -}}
      {{- with secret "${license-plate}-${prod or nonprod}/secret2" -}}
      {{- range $key, $value := .Data.data -}}
      export {{ $key }}="{{ $value }}"{{ "\n" }}
      {{- end -}}
      {{- end -}}   

Add user into spec/strategy/template/spec

serviceAccount: ${license-play}-vault

App reads configurable /vault/secrets/secrets.txt if present App deletes /vault/secrets/secrets.txt if present

[cditcher]

Determined that this is a requirement. Will prioritize devops.

[sslaws]

I'd like to discuss the priority on this... I've put it in 2x

[sslaws]

Reminder to Stephen to follow up with Nick C regarding local OpenShift secret encryption.

[ninosamson]

Placing "on hold" pending decision, but deferring to post launch.

[sslaws]

@ninosamson to confirm priority and need.

[sslaws]

@ninosamson to confirm priority and need.

[ninosamson]

Deferring to future - pending decision from MISO.