Deploy Vault to store credentials
Closed, Resolved (Public)

Description

We currently use several strategies to store credentials, the reference one being to use the passphrase application on DevCentral.

@Sandlayth is responsible for the deployment, @dereckson will handle the migration of current secrets to Vault.

Vault will contain:

  • passwords for Docker containers
  • credentials to log in to external services (e.g. API keys for a mail service)

Some credentials will still be stored on DevCentral:

  • SSH keys used for Harbourmaster
  • SSH keys as deploy keys for GitHub repositories

Some credentials needed to install Vault will also be stored on file:

  • Credentials to access Vault backend storage

Then, to configure Salt to use Vault, https://medium.com/@aratik711/saltstack-and-vault-integration-20eeb2e7ec9c provides a checklist-like howto.

Event Timeline

Current status: a development Vault works, we're going to play with it for a few days, then switch to the production one.

dereckson removed Sandlayth as the assignee of this task. Mar 8 2018, 21:11

[ Mass switching long-time assigned tasks to user projects dashboards instead. ]

dereckson lowered the priority of this task from High to Normal. Mar 7 2023, 20:23

Current status: ZR has been decom, we now deploy credentials from Vault.

There are some remaining subtasks and code to improve/review like the Vault DRP,
so this can stay open for now, but the priority can be decreased a little bit.

dereckson claimed this task.

DRP merged, so we're good :)