Vault¶

OpeNgine uses HashiCorp Vault integrated with KMS services for respective cloud platform (Google Cloud KMS, Azure Key Vault and AWS KMS). There are also options for secrets storage back-end:

platform-specific blob storage
Consul.

Secrets management solution is in use by OpeNgine components, and, at the same time, is available for applications deployed to the OpeNgine environment.

In the OpeNgine configuration file environment/vars.yml all vault settings are defined as single vault: block containing multiple sub-sections - one sub-section per cluster. Please note: each cluster can optionally have it’s own vault setup. OpeNgine doesn’t share secrets between clusters e.g. cluster “A” never communicates to cluster “B” instance of vault.

For all supported cloud platforms, vault configuration has the same high-level structure:

vault:
  cluster-identifier-1:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300
  ...
  cluster-identifier-N:
    account_name: "vault-account"
    backend:
      ...
    seal:
      ...
    helm:
      repo:
        name: "vault"
        url: "http://storage.googleapis.com/kubernetes-charts-incubator"
      chart:
        app_name: "opengine-vault"
        name: "vault"
        version: "0.16.1"
        appVersion: "1.0.0"
        replicaCount: 3
        timeout: 300

Element	Description
`vault`	Parent element of vault configuration, contains list clusters to be configured.
`cluster-identifier-1` … `cluster-identifier-N`	Kubernetes cluster identifier(s). Groups vault settings. OpeNgine will install and configure HashiCorp Vault on cluster(s) using these identifiers.
`account_name`	OpeNgine will provision this account in Kubernetes and will run HashiCorp Vault](https://www.vaultproject.io/) using this account.
`backend`	Parent element of storage back-end configuration, can contain platform-specific blob storage configuration or Consul configuration.
`seal`	Parent element of seal (KMS) configuration, these settings are always platform-specific.
`helm`	Parent element containing Helm chart details. Allows to control which version is installed and from which repository.
`helm`.`repo`.`name` and `helm`.`repo`.`url`	Chart name and repository location.
`helm`.`chart`	List of settings including: application version, chart version, appication name etc.

Using Consul as Back-end¶

Consul storage back-end configuration schema is the same for any supported cloud platform:

vault:
  the-first-cluster:
    ...
    backend:
      type: provision-consul
      helm:
        repo:
          name: "consul"
          url: "https://kubernetes-charts.storage.googleapis.com/"
        chart:
          app_name: "opengine-consul"
          name: "consul"
          version: "3.6.0"
          appVersion: "1.4.4"
          replicaCount: 3
    ...
  ...

Element	Description
`type`	The type of the back-end, should be == `provision-consul`.
`helm`	Parent element containing Helm chart details. Allows to control which version is installed and from which repository.
`helm`.`repo`.`name` and `helm`.`repo`.`url`	Chart name and repository location.
`helm`.`chart`	List of settings including: application version, chart version, appication name etc.

Vault Configuration for GCP¶

On Google cloud OpeNgine uses Google Cloud KMS as seal for HashiCorp Vault. The following example will be used to illustrate configuration schema with GCP-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-gcs
      location: "US"
    seal:
      type: gcp-provision-kms
      key_ring_name: second-cluster-key-ring
      key_ring_region: us-central1
      crypto_key_name: second-cluster-key
    ...

Element	Description
`backend`.`type`	The type of the back-end, should be == `provision-gcs`.
`backend`.`location`	Location for Google Cloud Storage Bucket. OpeNgine will create new bucket at configured location. The name of the bucket is assigned by OpeNgine automatically using the following template `{{ environment name }}-vault-store-{{ cluster identifier }}`
`seal`.`type`	The type of the seal, should be == `gcp-provision-kms` for GCP. OpeNgine will create new key ring and key in Google KMS.
`seal`.`key_ring_name`, `seal`.`key_ring_region`, `seal`.`crypto_key_name`	GCP-specific settings: name of the KMS key ring, its location and name of the key to be created by OpeNgine.

Vault Configuration for Azure¶

On Azure cloud OpeNgine uses Azure Key Vault as seal for HashiCorp Vault. The following example will be used to illustrate configuration schema with Azure-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-azurestorage
    seal:
      type: azurerm-provision-kms
      resource_group_name: the-second-cluster-rg
      key_vault_name: the-second-cluster-kv
      crypto_key_name: the-second-cluster-key01
      crypto_key_name: the-second-cluster-key02
    ...

Element	Description
`backend`.`type`	The type of the back-end, should be == `provision-azurestorage`.
`seal`.`type`	The type of the seal, should be == `azurerm-provision-kms` for Azure. OpeNgine will create new Key Vault and key.
`seal`.`resource_group_name`	Target resource group for Key Vault resource.
`seal`.`key_vault_name`	Name of the Key Vault resource.
`seal`.`crypto_key_name`	Names of 2 keys to be created.

Vault Configuration for AWS¶

On Amazon cloud OpeNgine uses AWS KMS as seal for HashiCorp Vault. The following example will be used to illustrate configuration schema with AWS-specific storage back-end:

vault:
  ...
  the-second-cluster:
    account_name: "vault-account"
    backend:
      type: provision-s3
    seal:
      type: aws-provision-kms
      region: us-east-1
    ...

Element	Description
`backend`.`type`	The type of the back-end, should be == `provision-s3`.
`seal`.`type`	The type of the seal, should be == `aws-provision-kms` for AWS.
`seal`.`region`	Region of the AWS KMS keys.