UNCLASSIFIED - NO CUI

Closed [P1BIGROCKS-2003] Add Hashicorp Vault into BigBang
  • Closed Epic created by runyontr

    P1BIGROCKS-2003

    Vault Overview

    Conops

    Vault is planned to be used to provide these services

    GitLab Pipelines

    As GitLab pipelines run, rather than providing credentials in GitLab for the pipeline to use, the GitLab jobs will load secrets from Vault at startup time.

    • Twistlock
    • Anchore
    • Fortify
    • Sonarqube

    Air Gap KMS alternative

    • In air-gapped environments, KMS or cloud-based encryption services may not be available for SOPS. This provides a consistent tool for encryption/decryption and key management.

    Helm Chart

    Values used by CNAP here: https://repo1.dso.mil/platform-one/private/cnap/vault-deployment/-/blob/master/env/prod/patch-values.yaml#L28

    Iron Bank Images

    Acceptance Criteria

    • Deploy a healthy Vault
      • @gabe.scarberry what other requirements do we need for base Vault?
      • deploy with a HashiCorp "officially supported" storage backend
      • evaluate / document storage integration concerns with Big Bang
    • Document how to deploy Vault safely (define)
      • how the root token will be used during initialization / initial configuration
      • how the root token will be revoked and the recovery process
    • Use Vault for SOPS encryption for Big Bang deployment
    • Document how to provide Vault credentials to Flux for decrypting SOPS

    Phase 2 (after &116 (closed))

    6 of 9 checklist items completed · Edited by Ryan Garcia
