Vault

OpeNgine uses HashiCorp Vault integrated with the KMS service of the respective cloud platform (Google Cloud KMS, Azure Key Vault or AWS KMS), which acts as the seal for Vault. There are two options for the secrets storage back-end:

  • platform-specific blob storage

  • Consul.

The secrets-management solution is used by OpeNgine components and, at the same time, is available to applications deployed to the OpeNgine environment.

In the OpeNgine configuration file environment/vars.yml all Vault settings are defined in a single vault: block containing multiple sub-sections, one sub-section per cluster. Please note: each cluster can optionally have its own Vault setup. OpeNgine does not share secrets between clusters, e.g. cluster "A" never communicates with the Vault instance of cluster "B", so a compromise of one cluster does not expose the secrets stored for another.

For all supported cloud platforms, the vault configuration has the same high-level structure:

vault:
  cluster-identifier-1:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300
  ...
  cluster-identifier-N:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300

Element | Description
--- | ---
vault | Parent element of the vault configuration; contains the list of clusters to be configured.
cluster-identifier-1 ... cluster-identifier-N | Kubernetes cluster identifier(s); each one groups the Vault settings for that cluster. OpeNgine installs and configures HashiCorp Vault on the cluster(s) with these identifiers.
account_name | OpeNgine provisions this service account in Kubernetes and runs HashiCorp Vault (https://www.vaultproject.io/) under it.
backend | Parent element of the storage back-end configuration; contains either platform-specific blob storage configuration or Consul configuration.
seal | Parent element of the seal (KMS) configuration; these settings are always platform-specific.
helm | Parent element containing the Helm chart details. Controls which chart version is installed and from which repository.
helm.repo.name and helm.repo.url | Chart name and repository location. Prefer an https:// repository URL where one is available: over plain http://, as in the example above, Helm cannot detect a chart that was altered in transit.
helm.chart | Chart settings including the application version, chart version, application name etc.

Using Consul as Back-end

The Consul storage back-end configuration schema is the same for all supported cloud platforms:

vault:
  the-first-cluster:
    ...
    backend:
      type: provision-consul
      helm:
        repo:
          name: "consul"
          url: "https://kubernetes-charts.storage.googleapis.com/"
        chart:
          app_name: "opengine-consul"
          name: "consul"
          version: "3.6.0"
          appVersion: "1.4.4"
          replicaCount: 3
    ...
  ...

Element | Description
--- | ---
type | The type of the back-end; must be provision-consul.
helm | Parent element containing the Helm chart details for Consul. Controls which chart version is installed and from which repository.
helm.repo.name and helm.repo.url | Chart name and repository location.
helm.chart | Chart settings including the application version, chart version, application name etc.

Vault Configuration for GCP

On Google Cloud OpeNgine uses Google Cloud KMS as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the GCP-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-gcs
      location: "US"
    seal:
      type: gcp-provision-kms
      key_ring_name: second-cluster-key-ring
      key_ring_region: us-central1
      crypto_key_name: second-cluster-key
    ...

Element | Description
--- | ---
backend.type | The type of the back-end; must be provision-gcs.
backend.location | Location of the Google Cloud Storage bucket. OpeNgine creates a new bucket at the configured location. The bucket name is assigned automatically using the template {{ environment name }}-vault-store-{{ cluster identifier }}. GCS bucket names are globally unique, so creation fails if another project already owns a bucket with that name.
seal.type | The type of the seal; must be gcp-provision-kms for GCP. OpeNgine creates a new key ring and key in Google Cloud KMS.
seal.key_ring_name, seal.key_ring_region, seal.crypto_key_name | GCP-specific settings: name of the KMS key ring, its location, and the name of the key to be created by OpeNgine.

Vault Configuration for Azure

On Azure OpeNgine uses Azure Key Vault as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the Azure-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-azurestorage
    seal:
      type: azurerm-provision-kms
      resource_group_name: the-second-cluster-rg
      key_vault_name: the-second-cluster-kv
      crypto_key_name: the-second-cluster-key01
      crypto_key_name: the-second-cluster-key02
    ...

Element | Description
--- | ---
backend.type | The type of the back-end; must be provision-azurestorage.
seal.type | The type of the seal; must be azurerm-provision-kms for Azure. OpeNgine creates a new Key Vault and key.
seal.resource_group_name | Target resource group for the Key Vault resource.
seal.key_vault_name | Name of the Key Vault resource.
seal.crypto_key_name | Names of the two keys to be created. Note that the example above repeats the crypto_key_name key: a YAML mapping may not contain duplicate keys, and most loaders silently keep only the last value, so verify how your OpeNgine version expects the second key to be declared before relying on this example.

Vault Configuration for AWS

On AWS OpeNgine uses AWS KMS as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the AWS-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-s3
    seal:
      type: aws-provision-kms
      region: us-east-1
    ...

Element | Description
--- | ---
backend.type | The type of the back-end; must be provision-s3.
seal.type | The type of the seal; must be aws-provision-kms for AWS.
seal.region | Region of the AWS KMS key(s).
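The schema described in the general structure, Consul, GCP, Azure and AWS sections above is easy to get subtly wrong: a seal type paired with the wrong platform's back-end, a missing seal parameter, a repeated key such as the two crypto_key_name entries in the Azure example (which a YAML loader would silently collapse into one), or a chart repository reached over plain http://. The following linter is an added example written for this page; it is not part of OpeNgine. It parses the indentation-only mapping subset that vars.yml uses (no lists or multi-line scalars), rejects duplicate keys, checks every cluster against the documented type pairs and required seal keys, derives the GCS bucket name from the documented template, and warns about http:// chart repositories. The sample configurations, the environment name "prod" and the https://charts.example.internal URL are constructed for the example.

```python
"""Lint the vault: block of an OpeNgine environment/vars.yml (added example, not OpeNgine code)."""

# Documented back-end/seal type pairs per platform and the seal keys each platform requires.
PLATFORMS = {
    "gcp": {"backend": "provision-gcs", "seal": "gcp-provision-kms",
            "seal_keys": ("key_ring_name", "key_ring_region", "crypto_key_name")},
    "azure": {"backend": "provision-azurestorage", "seal": "azurerm-provision-kms",
              "seal_keys": ("resource_group_name", "key_vault_name", "crypto_key_name")},
    "aws": {"backend": "provision-s3", "seal": "aws-provision-kms",
            "seal_keys": ("region",)},
}
CONSUL_BACKEND = "provision-consul"  # Consul may be combined with any seal type


def parse_yaml_subset(text):
    """Parse nested 'key:' / 'key: value' mappings by indentation (the subset vars.yml uses).
    Unlike PyYAML, which keeps only the last value, a duplicate key at one level raises."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        while indent <= stack[-1][0]:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if key in parent:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        value = value.strip()
        if value:
            parent[key] = int(value) if value.isdigit() else value.strip("\"'")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def first_parse_error(text):
    """Return the parser's error message, or None when the text parses cleanly."""
    try:
        parse_yaml_subset(text)
    except ValueError as exc:
        return str(exc)
    return None


def bucket_name(environment, cluster):
    """GCS bucket name for a provision-gcs back-end, per the template documented on this page."""
    return f"{environment}-vault-store-{cluster}"


def repo_url(block):
    """helm.repo.url of a cluster or back-end block, or '' when absent."""
    return block.get("helm", {}).get("repo", {}).get("url", "") if isinstance(block, dict) else ""


def check_vault_block(config):
    """Return human-readable problems found in the vault: block; an empty list means it is consistent."""
    clusters = config.get("vault")
    if not isinstance(clusters, dict) or not clusters:
        return ["vault: block missing or empty"]
    problems = []
    for name, cluster in clusters.items():
        p = f"vault.{name}"
        backend, seal = cluster.get("backend", {}), cluster.get("seal", {})
        btype, stype = backend.get("type"), seal.get("type")
        if not cluster.get("account_name"):
            problems.append(f"{p}.account_name missing")
        platform = next((k for k, s in PLATFORMS.items() if s["seal"] == stype), None)
        if platform is None:
            problems.append(f"{p}.seal.type {stype!r} is not a documented seal type")
        else:
            spec = PLATFORMS[platform]
            if btype not in (spec["backend"], CONSUL_BACKEND):
                problems.append(f"{p}.backend.type {btype!r} does not belong to the {platform} seal")
            problems += [f"{p}.seal.{k} missing" for k in spec["seal_keys"] if k not in seal]
        if btype == "provision-gcs" and "location" not in backend:
            problems.append(f"{p}.backend.location missing")
        if btype == CONSUL_BACKEND and "helm" not in backend:
            problems.append(f"{p}.backend.helm missing (Consul is installed from a chart)")
        for where, block in ((p, cluster), (p + ".backend", backend)):
            if repo_url(block).startswith("http://"):
                problems.append(f"{where}.helm.repo.url uses plain HTTP; a chart fetched over it can be altered in transit")
    return problems


def lint(text):
    return check_vault_block(parse_yaml_subset(text))


# Constructed sample: one GCP cluster with the page's http:// chart repo, one AWS cluster missing seal.region.
SAMPLE_VARS = """\
vault:
  the-first-cluster:
    account_name: "vault-account"
    backend:
      type: provision-gcs
      location: "US"
    seal:
      type: gcp-provision-kms
      key_ring_name: first-cluster-key-ring
      key_ring_region: us-central1
      crypto_key_name: first-cluster-key
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        name: "vault"
        version: "0.16.1"
        replicaCount: 3
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-s3
    seal:
      type: aws-provision-kms
    helm:
      repo:
        name: "vault"
        url: "https://charts.example.internal/vault"
      chart:
        name: "vault"
        version: "0.16.1"
"""

# Constructed sample reproducing the duplicate crypto_key_name from the Azure example on this page.
AZURE_DUPLICATE_KEYS = """\
vault:
  the-second-cluster:
    seal:
      type: azurerm-provision-kms
      crypto_key_name: the-second-cluster-key01
      crypto_key_name: the-second-cluster-key02
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE_VARS):
        print("WARN", problem)
    print("Azure sample:", first_parse_error(AZURE_DUPLICATE_KEYS))
    print("GCS bucket for the-first-cluster in prod:", bucket_name("prod", "the-first-cluster"))
```

Run it against a real environment/vars.yml by passing the file contents to lint(); the parser is deliberately strict about duplicate keys because the whole point of the check is to catch a second crypto_key_name that a lenient loader would drop without any message.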