[P1BIGROCKS-2003](https://jira.il2.dso.mil/browse/P1BIGROCKS-2003) # Vault Overview ## Conops Vault is planned to be used to provide these services ### Gitlab Pipelines As gitlab pipelines run, rather than providing credentials in gitlab for the pipeline to use, the gitlab jobs will load secrets from vault at startup time. * Twistlock * Anchore * Fortify * Sonarqube ### Air Gap KMS alternative * In airgap environments, KMS or cloud based encryption services may not be available for SOPS. This provides a consistent tool for encryption/decryption and key management ## Helm Chart - Upstream (v0.12.0): https://github.com/hashicorp/vault-helm - CNAP Used (v0.8.0): https://repo1.dso.mil/platform-one/private/cnap/vault-deployment/-/blob/master/chart/Chart.yaml Values used by CNAP here: https://repo1.dso.mil/platform-one/private/cnap/vault-deployment/-/blob/master/env/prod/patch-values.yaml#L28 ## Iron Bank Images - [k8s-vault version 0.10.1](https://registry1.dso.mil/harbor/projects/3/repositories/hashicorp%2Fvault%2Fvault-k8s) - [vault version 1.7.2](https://registry1.dso.mil/harbor/projects/3/repositories/hashicorp%2Fvault%2Fvault) - [Enterprise Vault](https://registry1.dso.mil/harbor/projects/3/repositories/hashicorp%2Fsecure-secrets-management%2Fvault-enterprise) ## Acceptance Criteria - [x] Deploy a healthy vault - [x] @gabe.scarberry what other requirements do we need for base vault? - [x] deploy with a HashiCorp "officially supported" storage backend - [ ] evaluate / document storage integration concerns with Big Bang - [x] Document how to deploy vault **safely** (define) - [x] how the root token will be used during initialization / initial configuration - [ ] how the root token will be revoked and the recovery process - [ ] Use Vault for SOPS encryption for Bigbang Deployment - [x] Document how to provide Vault credentials to Flux for decrypting sops ## Phase 2 (after &116 ) - Moved to separate epic (&210)