Page MenuHomeDevCentral
Create Task
Maniphest T928

Deploy Vault to store credentials
Closed, ResolvedPublic
Actions

Description

We currently use several strategies to store credentials, the reference one being to use the passphrase application on DevCentral.

@Sandlayth is responsible for the deployment, @dereckson will handle the migration of current secrets to Vault.

Vault will contain:

  • passwords for Docker containers
  • credentials to log in to external services (e.g. API keys for a mail service)

Some credentials will still be stored on DevCentral:

  • SSH keys used for Harbourmaster
  • SSH keys as deploy keys for GitHub repositories

Some credentials needed to install Vault will also be stored on file:

  • Credentials to access Vault backend storage

Then, to configure Salt to use Vault, https://medium.com/@aratik711/saltstack-and-vault-integration-20eeb2e7ec9c provides a checklist-like howto.

Revisions and Commits

rOPS Nasqueron Operations
D2638rOPSaf9db00760be Deploy policies for Vault
D2646rOPSff57b9fe80ea Deploy public and Nasqueron certificates
D2624rOPS7700b5298669 Deploy Vault

Related Objects
Search...

Event Timeline

dereckson created this task.Jul 21 2016, 14:54
dereckson added subtasks: T875: Install Vault server on Dwellers, T927: Install Vault client on Ysul, T923: Switch Vault to restricted network.
dereckson added a comment.Jul 21 2016, 15:03

Current status: a development Vault works, we're going to play with it for a few days, then switch to production one.

dereckson closed subtask T927: Install Vault client on Ysul as Resolved.Jul 21 2016, 15:03
dereckson created subtask T929: Determine a policy for vault master key.Jul 21 2016, 15:08
dereckson added a subtask: T930: Secrets to migrate from DevCentral to Vault.Jul 22 2016, 03:02
dereckson moved this task from Backlog to Vault on the Continous integration and delivery board.Jul 28 2016, 20:11
dereckson edited projects, added Vault; removed Continous integration and delivery.Jul 28 2016, 20:12
dereckson added a project: User-Sandlayth.Aug 20 2016, 16:45
Sandlayth closed subtask T875: Install Vault server on Dwellers as Resolved.Aug 31 2016, 14:06
Sandlayth moved this task from Backlog to Next on the User-Sandlayth board.Aug 31 2016, 14:39
dereckson added a parent task: T1129: Deploy Odderon on Eglide.Jan 24 2017, 23:53
Sandlayth moved this task from Next to Backlog on the User-Sandlayth board.Mar 4 2017, 08:00
dereckson removed Sandlayth as the assignee of this task.Mar 8 2018, 21:11

[ Mass switching long-time assigned tasks to user projects dashboards instead. ]

dereckson mentioned this in T1425: Provision secrets through Salt.Sep 12 2018, 10:26
dereckson updated the task description. (Show Details)Oct 5 2018, 19:48
dereckson mentioned this in T1702: Deploy Complector aka la source.Mar 15 2022, 00:42
dereckson removed a parent task: T1129: Deploy Odderon on Eglide.Mar 15 2022, 00:45
dereckson added a revision: D2638: Deploy policies for Vault.Mar 26 2022, 15:09
dereckson added a revision: D2646: Deploy public and Nasqueron certificates.Mar 29 2022, 22:50
dereckson added a commit: rOPS7700b5298669: Deploy Vault.Mar 29 2022, 22:54
dereckson added a revision: D2624: Deploy Vault.
dereckson added a commit: rOPSff57b9fe80ea: Deploy public and Nasqueron certificates.Apr 3 2022, 09:41
dereckson added a commit: rOPSaf9db00760be: Deploy policies for Vault.Apr 3 2022, 10:33
dereckson closed subtask T923: Switch Vault to restricted network as Resolved.May 30 2022, 21:49
dereckson closed subtask T930: Secrets to migrate from DevCentral to Vault as Resolved.Mar 7 2023, 20:19
dereckson lowered the priority of this task from High to Normal.Mar 7 2023, 20:23

Current status: ZR has been decom, we now deploy credentials through from Vault.

There are some remaining subtasks and code to improve/review like the Vault DRP,
so this can stay open for now, but the priority can be decreased a little bit.

dereckson closed subtask T929: Determine a policy for vault master key as Wontfix.Mar 7 2023, 20:24
dereckson closed this task as Resolved.May 18 2023, 11:45
dereckson claimed this task.

DRP merged, so we're good :)

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator