# Vault

OpeNgine uses HashiCorp Vault integrated with the KMS service of the respective cloud platform (Google Cloud KMS, Azure Key Vault and AWS KMS). Two options are available for the secrets storage back-end:

- platform-specific blob storage
- Consul

The secrets management solution is used by OpeNgine components and, at the same time, is available to applications deployed into the OpeNgine environment.
In the OpeNgine configuration file `environment/vars.yml`, all vault settings are defined in a single `vault:` block containing multiple sub-sections, one sub-section per cluster. Please note: each cluster can optionally have its own vault setup. OpeNgine does not share secrets between clusters, e.g. cluster "A" never communicates with cluster "B"'s instance of vault.
For all supported cloud platforms, vault configuration has the same high-level structure:
```yaml
vault:
  cluster-identifier-1:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300
  ...
  cluster-identifier-N:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300
```
| Element | Description |
|---|---|
| `vault` | Parent element of the vault configuration; contains the list of clusters to be configured. |
| `cluster-identifier-1` ... `cluster-identifier-N` | Kubernetes cluster identifier(s). Groups vault settings. OpeNgine will install and configure HashiCorp Vault on the cluster(s) with these identifiers. |
| `account_name` | OpeNgine will provision this account in Kubernetes and will run [HashiCorp Vault](https://www.vaultproject.io/) using this account. |
| `backend` | Parent element of the storage back-end configuration; can contain platform-specific blob storage configuration or Consul configuration. |
| `seal` | Parent element of the seal (KMS) configuration; these settings are always platform-specific. |
| `helm` | Parent element containing Helm chart details. Controls which version is installed and from which repository. |
| `repo` | Chart name and repository location. |
| `chart` | List of settings including: application version, chart version, application name etc. |
## Using Consul as Back-end
Consul storage back-end configuration schema is the same for any supported cloud platform:
```yaml
vault:
  the-first-cluster:
    ...
    backend:
      type: provision-consul
      helm:
        repo:
          name: "consul"
          url: "https://kubernetes-charts.storage.googleapis.com/"
        chart:
          app_name: "opengine-consul"
          name: "consul"
          version: "3.6.0"
          appVersion: "1.4.4"
          replicaCount: 3
    ...
  ...
```
| Element | Description |
|---|---|
| `type` | The type of the back-end; must be `provision-consul`. |
| `helm` | Parent element containing Helm chart details. Controls which version is installed and from which repository. |
| `repo` | Chart name and repository location. |
| `chart` | List of settings including: application version, chart version, application name etc. |
## Vault Configuration for GCP

On Google Cloud, OpeNgine uses Google Cloud KMS as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the GCP-specific storage back-end:
```yaml
vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-gcs
      location: "US"
    seal:
      type: gcp-provision-kms
      key_ring_name: second-cluster-key-ring
      key_ring_region: us-central1
      crypto_key_name: second-cluster-key
    ...
```
| Element | Description |
|---|---|
| `type` (under `backend`) | The type of the back-end; must be `provision-gcs`. |
| `location` | Location for the Google Cloud Storage bucket. OpeNgine creates a new bucket at the configured location; the bucket name is assigned automatically by OpeNgine using a naming template. |
| `type` (under `seal`) | The type of the seal; must be `gcp-provision-kms`. |
| `key_ring_name`, `key_ring_region`, `crypto_key_name` | GCP-specific settings: name of the KMS key ring, its location, and name of the key to be created by OpeNgine. |
## Vault Configuration for Azure

On Azure, OpeNgine uses Azure Key Vault as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the Azure-specific storage back-end:
```yaml
vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-azurestorage
    seal:
      type: azurerm-provision-kms
      resource_group_name: the-second-cluster-rg
      key_vault_name: the-second-cluster-kv
      crypto_key_name: the-second-cluster-key01
      crypto_key_name: the-second-cluster-key02
    ...
```
| Element | Description |
|---|---|
| `type` (under `backend`) | The type of the back-end; must be `provision-azurestorage`. |
| `type` (under `seal`) | The type of the seal; must be `azurerm-provision-kms`. |
| `resource_group_name` | Target resource group for the Key Vault resource. |
| `key_vault_name` | Name of the Key Vault resource. |
| `crypto_key_name` (two entries) | Names of the 2 keys to be created. |
## Vault Configuration for AWS

On Amazon cloud, OpeNgine uses AWS KMS as the seal for HashiCorp Vault. The following example illustrates the configuration schema with the AWS-specific storage back-end:
```yaml
vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-s3
    seal:
      type: aws-provision-kms
      region: us-east-1
    ...
```
| Element | Description |
|---|---|
| `type` (under `backend`) | The type of the back-end; must be `provision-s3`. |
| `type` (under `seal`) | The type of the seal; must be `aws-provision-kms`. |
| `region` | Region of the AWS KMS keys. |
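As an added example (not OpeNgine's own code), the following Python lint checks a parsed `vault:` block against the schema shown in the sections above before a run: every cluster carries the four top-level elements, the back-end and seal types are documented ones with their platform fields present, a blob back-end and the seal belong to the same cloud, and the Helm chart repository is reached over HTTPS. The required-field rules and the HTTPS check are assumptions drawn from the examples on this page; in practice the dict comes from loading `environment/vars.yml` with a YAML parser.

```python
# Added example, not OpeNgine code: lint the parsed vault: block of environment/vars.yml.
# The required-field rules below are assumptions read off the examples on this page.
BACKEND_FIELDS = {"provision-consul": {"helm"}, "provision-gcs": {"location"},
                  "provision-azurestorage": set(), "provision-s3": set()}
SEAL_FIELDS = {"gcp-provision-kms": {"key_ring_name", "key_ring_region", "crypto_key_name"},
               "azurerm-provision-kms": {"resource_group_name", "key_vault_name", "crypto_key_name"},
               "aws-provision-kms": {"region"}}
# Cloud each blob back-end / seal belongs to (provision-consul is platform-neutral).
PLATFORM = {"provision-gcs": "gcp", "gcp-provision-kms": "gcp",
            "provision-azurestorage": "azure", "azurerm-provision-kms": "azure",
            "provision-s3": "aws", "aws-provision-kms": "aws"}

def lint_cluster(name, cfg):
    """Return the problems found in one cluster sub-section (empty list = clean)."""
    problems = [f"{name}: missing '{k}'" for k in ("account_name", "backend", "seal", "helm")
                if k not in cfg]
    backend, seal = cfg.get("backend", {}), cfg.get("seal", {})
    btype, stype = backend.get("type"), seal.get("type")
    # Back-end and seal types must be documented ones, with their platform fields present.
    if btype not in BACKEND_FIELDS:
        problems.append(f"{name}: unknown backend type {btype!r}")
    if stype not in SEAL_FIELDS:
        problems.append(f"{name}: unknown seal type {stype!r}")
    problems += [f"{name}: backend '{btype}' needs '{f}'"
                 for f in sorted(BACKEND_FIELDS.get(btype, set()) - set(backend))]
    problems += [f"{name}: seal '{stype}' needs '{f}'"
                 for f in sorted(SEAL_FIELDS.get(stype, set()) - set(seal))]
    # A blob back-end and the KMS seal must live on the same cloud as the cluster.
    if btype in PLATFORM and stype in PLATFORM and PLATFORM[btype] != PLATFORM[stype]:
        problems.append(f"{name}: backend is {PLATFORM[btype]} but seal is {PLATFORM[stype]}")
    # A chart repo fetched over plain http:// has no transport integrity; require https.
    url = cfg.get("helm", {}).get("repo", {}).get("url", "")
    if url and not url.startswith("https://"):
        problems.append(f"{name}: helm repo {url} is not https")
    return problems

def lint_vault(vault):
    """Lint every cluster under vault: and return all problems found."""
    return [p for name, cfg in vault.items() for p in lint_cluster(name, cfg)]

# Constructed sample: the GCP cluster from this page, with the http:// chart repo it shows.
SAMPLE = {
    "the-second-cluster": {
        "account_name": "vault-account",
        "backend": {"type": "provision-gcs", "location": "US"},
        "seal": {"type": "gcp-provision-kms", "key_ring_name": "second-cluster-key-ring",
                 "key_ring_region": "us-central1", "crypto_key_name": "second-cluster-key"},
        "helm": {"repo": {"url": "http://storage.googleapis.com/kubernetes-charts-incubator"}}},
}
```

Running `lint_vault(SAMPLE)` reports only the non-HTTPS chart repository for the page's GCP cluster; a cluster that pairs `provision-s3` with `gcp-provision-kms` is reported as a cross-cloud mismatch.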