
hh: per-team credential management

Open cirocosta opened this issue 5 years ago • 2 comments

Hey,

With the intent of letting teams manage their credentials, whenever a new team is onboarded we could create a namespace for that team, which ATC could then use for credential retrieval.

This would make hush-house more compelling than Wings as this would allow teams to not have their credentials in plain-text in their pipelines.

As I see it, the whole flow would look like:

  1. team signs up for participating in hush-house
  2. a new team configuration is created under hush-house/teams
  3. a namespace is created for that team to add secrets to
  4. a service account that has permissions just to create/read/update/delete secrets in that namespace is created
  5. access to that service account is granted somehow

Internally, this would have the following effect:


                  person from team_a
                        |
                        |
 k8s cluster -----------+----------------------------------
 |                      |
 |                      | (auth w/ serviceaccount that has access
 |                      |  to `team_a namespace`)
 |                      |
 |    team_a namespace -+----------------------------------
 |    |                 |
 |    |                 |
 |    |                 *------CREATE_SECRET (mysecret)
 |    |                              |
 |    |                              |
 |    |                            mysecret
 |    |                              ^
 |    |                              |
 |    |                              GET_SECRET
 |    |                              |
 |    *------------------------------+----------------------
 |                                   |
 |                                   |
 |    hush-house namespace ----------+----------------------
 |    |                              |  
 |    |                              |   (access to all team namespaces)
 |    |                              |
 |    |             ATC ---get_cred--*
 |    | 
 |    *-----------------------------------------------------

Acceptance Criteria

  • [ ] have the current teams that we already have (see https://github.com/concourse/hush-house/tree/master/deployments/with-creds/hush-house/teams) with their own secrets namespaces, and
  • [ ] have a way for the users from those teams to set secrets in those namespaces.
  • [ ] ensure that Concourse is able to consume the secrets set in those namespaces.

Thanks!

cirocosta avatar Apr 26 '19 17:04 cirocosta
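The issue proposes the shape of the objects but does not spell them out, so here is an added example (not code from the hush-house repository) that emits, for one team, the namespace, the team's ServiceAccount, a Role limited to Secrets in that namespace, and the binding; plus a second, read-only binding in the same namespace for ATC's ServiceAccount, which is how ATC gets "access to all team namespaces" without a cluster-wide grant. The `hush-house-` namespace prefix, the `secrets-manager` and `atc-secret-reader` names, and an ATC ServiceAccount called `atc` in the `hush-house` namespace are assumptions; `check_scoped` is a small guard of my own against wildcard rules and cluster-scoped objects slipping into the generated manifest.

```shell
#!/bin/sh
# Added example, not hush-house's own tooling. Assumed names: namespace prefix
# "hush-house-" (must match ATC's credential-manager namespace prefix) and an
# ATC ServiceAccount "atc" living in the "hush-house" namespace.
PREFIX="${PREFIX:-hush-house-}"
ATC_NAMESPACE="${ATC_NAMESPACE:-hush-house}"
ATC_SERVICE_ACCOUNT="${ATC_SERVICE_ACCOUNT:-atc}"

# Objects a team gets on sign-up: its namespace, a ServiceAccount, and a Role
# that can only create/read/update/delete Secrets inside that namespace.
team_rbac_manifest() {
  ns="${PREFIX}$1"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-manager
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secrets-manager
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secrets-manager
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: secrets-manager
  namespace: ${ns}
roleRef:
  kind: Role
  name: secrets-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# ATC's read path: a Role + RoleBinding *in the team namespace* whose subject is
# ATC's ServiceAccount in the hush-house namespace. Applying this per team keeps
# ATC out of Secrets in namespaces that are not team namespaces.
atc_read_manifest() {
  ns="${PREFIX}$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: atc-secret-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: atc-secret-reader
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${ATC_SERVICE_ACCOUNT}
  namespace: ${ATC_NAMESPACE}
roleRef:
  kind: Role
  name: atc-secret-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Guard (assumed policy): reject cluster-scoped RBAC objects and wildcard rules,
# so a careless edit cannot widen a team's or ATC's reach beyond its namespace.
check_scoped() {
  printf '%s\n' "$1" | grep -q 'kind: Cluster' && return 1
  printf '%s\n' "$1" | grep -q '"\*"' && return 1
  return 0
}

# Usage: ./team-rbac.sh team-a | kubectl apply -f -
if [ -n "$1" ]; then
  m="$(team_rbac_manifest "$1"; printf -- '---\n'; atc_read_manifest "$1")"
  check_scoped "$m" || { echo "refusing: manifest not scoped to ${PREFIX}$1" >&2; exit 1; }
  printf '%s\n' "$m"
fi
```

Once applied, a team member authenticates with the `secrets-manager` ServiceAccount token and runs, for example, `kubectl -n hush-house-team-a create secret generic mysecret --from-literal=value=...`; with Concourse's Kubernetes credential manager, ATC then resolves `((mysecret))` in the `team-a` team by reading the `value` key of that Secret in the `<prefix><team>` namespace (and `((mysecret.field))` for other keys). That is the CREATE_SECRET / GET_SECRET path in the diagram above.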

Unfortunately, with GKE we're not able to configure the OIDC authn provider - there's a feature request in their issue tracker https://issuetracker.google.com/issues/115687670 , but it's not there yet 😞

See https://github.com/dexidp/dex/issues/1268#issuecomment-416874109 for response from the Dex side.

cirocosta avatar May 03 '19 19:05 cirocosta

@cirocosta It's time to return to this task. GKE allows external OIDC providers now.

ezhiryakov avatar Feb 11 '22 08:02 ezhiryakov