
Supersede Vault by OpenBao
Open, Normal, Public

Description

Per T1938, I'd like to propose superseding Vault with OpenBao.

The plan would be:

  • deploy OpenBao on Complector
  • export the Vault secrets from ops/ and apps/ kv2 store with Medusa
  • import the kv2 secrets to OpenBao with Medusa
  • recreate PKI

Open questions:

  • do we need the web UI? Lots of deployments run without one, and OpenBao 2.0.1 doesn't ship with it (*)
    • if so, do we try to build it with `make dev-ui`?
  • common security practice is that the private key of a PKI can't leave the CA
    • the procedure to create the PKI is fully documented in Agora
    • that would call for recreating the PKI and redeploying roles/core/certificates everywhere (easy, as it's already automated in Salt)
  • key shares

(*) The main reason is that the UI exposes both enterprise and open source features, so it's a mess while the OpenBao team is trying to remove the code path to the enterprise features.

Event Timeline

dereckson triaged this task as Normal priority. Thu, Oct 3, 15:21
dereckson created this task.
dereckson moved this task from Backlog to Analysis / under discussion on the Servers board.
  • about the UI: it could be useful for managing secrets more easily
  • certificate gen seems good to me
  • key shares => is it possible to generate a token like with Salt now?

Yes, it's a fork of Vault 1.14, so we have all the token-generation features. back to the shorter s. tokens).

When starting Vault, we need to unseal it or set up auto-unseal. For the manual unseal, Vault uses the Shamir algorithm to divide a secret into N key shares, where M are needed to unseal the vault.
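To make the N-of-M threshold concrete, here is an added example (not code from this task, from Vault or from OpenBao) that implements Shamir secret sharing byte-wise over GF(2^8), the field Vault's own shamir package works in: it splits a constructed 32-byte stand-in for the root key into N = 5 shares with threshold M = 3 and recovers it from any 3. The `split` and `combine` names, the share layout (x byte followed by one y byte per secret byte) and the sample key are this example's own assumptions.

```python
import secrets

# Arithmetic in GF(2^8) with the AES reducing polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
# Addition and subtraction are XOR, so each secret byte can be shared independently.


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce modulo 0x11b
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the multiplicative group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term, i.e. the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int, rng=secrets.token_bytes) -> list[bytes]:
    """Split `secret` into `shares` parts, any `threshold` of which reconstruct it.

    Share i is the byte x_i = i followed by one y byte per secret byte. x = 0 is never
    used as a share coordinate because f(0) is the secret itself.
    """
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    parts = [bytearray([x]) for x in range(1, shares + 1)]
    for byte in secret:
        # Fresh random polynomial of degree threshold-1 per secret byte, constant term = byte.
        coeffs = [byte] + list(rng(threshold - 1))
        for part in parts:
            part.append(eval_poly(coeffs, part[0]))
    return [bytes(p) for p in parts]


def lagrange_at_zero(xs: list[int], ys: list[int]) -> int:
    """Interpolate f(0) from points (x_i, y_i); in characteristic 2, x_j - x_i == x_j ^ x_i."""
    acc = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc


def combine(parts: list[bytes], threshold: int) -> bytes:
    """Recover the secret from at least `threshold` distinct shares.

    The interpolation itself never fails on too few shares, it just yields garbage, so the
    threshold has to be known out of band (Vault stores it in its seal configuration).
    """
    if len(parts) < threshold:
        raise ValueError(f"need {threshold} shares, got {len(parts)}")
    used = parts[:threshold]
    xs = [p[0] for p in used]
    if len(set(xs)) != len(xs) or len({len(p) for p in used}) != 1:
        raise ValueError("shares must be distinct and of equal length")
    secret = bytearray()
    for k in range(1, len(used[0])):
        secret.append(lagrange_at_zero(xs, [p[k] for p in used]))
    return bytes(secret)


if __name__ == "__main__":
    # Constructed stand-in for a 32-byte root key; a real one comes from the barrier, not from here.
    master_key = secrets.token_bytes(32)
    shares = split(master_key, shares=5, threshold=3)
    assert combine([shares[0], shares[2], shares[4]], threshold=3) == master_key
    try:
        combine(shares[:2], threshold=3)
    except ValueError as exc:
        print("refused:", exc)
    print("recovered the key from 3 of 5 shares")
```

On a real deployment the N and M above are the `-key-shares` and `-key-threshold` flags of `vault operator init` (e.g. `-key-shares=5 -key-threshold=3`), which the OpenBao fork inherits. The same math is why the shares must go to distinct holders: any M of them are enough, and fewer than M reveal nothing about the key, not even a partial byte.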