WIP: secret management at scale #150

Draft
raito wants to merge 2 commits from vault into main
Owner

This PR aims to address various shortcomings of our secret management style.

Notably:

  • the OIDC linkage
  • the AWS access keys problem for the Terraform state
  • mTLS certificates for our needs
  • automatic rotation

This PR depends on missing components:

  • a TPM2 on the node that will perform unsealing of the Vault.
  • a PR to use PKCS#11 for auto unsealing in OpenBao
  • another node for enabling HA
  • monitoring for our Vault
  • wiring up Vault in our Terranix deployment

Once it is landed, we can slowly revamp our Terraform story to use it.

raito added 2 commits 2024-10-27 20:48:14 +00:00
Introduce a data-only module to perform abstraction on the deployment;
we use it for WAN for now.

The use case is service discovery for simple cases.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Via a fork of the Linux Foundation, called OpenBao.

The module supports high availability but we only have one node for now.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
emilylange requested changes 2024-10-27 23:24:58 +00:00
Dismissed
@ -0,0 +6,4 @@
cfg = config.services.openbao;
opt = options.services.openbao;
configFile = pkgs.writeText "openbao.hcl" ''
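Review bot: `configFile = pkgs.writeText "openbao.hcl" ''` renders the server configuration into the Nix store, which is world-readable, so anything interpolated into this template (a PKCS#11 PIN for the auto-unseal stanza, any token or password) becomes readable by every local user on the host; keep secret values out of the rendered file and load them at runtime via a credentials mechanism, or state in the option description that the rendered config must stay secret-free. Separately, `opt = options.services.openbao;` is bound but nothing in the visible lines uses it; drop it unless a later hunk needs it.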
Member

Every `.hcl` can be represented as JSON.
Given this is a new module and not constrained by what the current NixOS `services.vault` module does, please convert this to be a freeform JSON attribute.

If you need help with the specific details or simply want me to do it, let me know.
But I am convinced we should do multiline hcl templating here.

Author
Owner

@emilylange I would love if you could just do it for me :<, that'd be awesome! Feel free to propose a new version of the module BTW :)

raito marked this conversation as resolved
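What the requested change looks like in practice, as an added example that is not the module from this PR: an RFC42-style freeform `settings` option for a hypothetical `services.openbao` module, rendered to JSON with `pkgs.formats.json` instead of templating HCL. OpenBao, like Vault, accepts its server configuration as JSON, and each HCL stanza maps to a nested attribute set (`listener "tcp" { ... }` becomes `listener.tcp = { ... }`). The package name `openbao`, the `bao` binary, the state directory and the paths in the `example` are assumptions for illustration.

```nix
# Added example, not the PR's own module. Assumes nixpkgs provides an
# `openbao` package whose server binary is `bao`.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.openbao;
  format = pkgs.formats.json { };

  # `format.generate` writes the rendered JSON into /nix/store, which is
  # world-readable: `settings` must therefore never carry a PKCS#11 PIN,
  # token or other secret. Those belong in a runtime credentials mechanism.
  configFile = format.generate "openbao.json" cfg.settings;
in
{
  options.services.openbao = {
    enable = lib.mkEnableOption "OpenBao secret management server";

    package = lib.mkPackageOption pkgs "openbao" { };

    settings = lib.mkOption {
      type = format.type;
      default = { };
      description = ''
        OpenBao server configuration. Every HCL stanza has a JSON
        equivalent; this attribute set is rendered to JSON and passed
        to `bao server -config`. Do not put secrets here: the rendered
        file is stored in the world-readable Nix store.
      '';
      example = lib.literalExpression ''
        {
          ui = true;
          # HCL: listener "tcp" { address = "..."; ... }
          listener.tcp = {
            address = "127.0.0.1:8200";
            tls_cert_file = "/var/lib/openbao/tls/cert.pem";
            tls_key_file = "/var/lib/openbao/tls/key.pem";
          };
          # HCL: storage "raft" { path = "..."; node_id = "..."; }
          storage.raft = {
            path = "/var/lib/openbao";
            node_id = "node1";
          };
          api_addr = "https://127.0.0.1:8200";
          cluster_addr = "https://127.0.0.1:8201";
        }
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.openbao = {
      description = "OpenBao secret management server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/bao server -config ${configFile}";
        DynamicUser = true;
        StateDirectory = "openbao";
        # mlock() keeps unseal material out of swap; the server needs this
        # capability to call it when running unprivileged.
        AmbientCapabilities = [ "CAP_IPC_LOCK" ];
        CapabilityBoundingSet = [ "CAP_IPC_LOCK" ];
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        Restart = "on-failure";
      };
    };
  };
}
```

With a freeform type, any key OpenBao understands can be set without the module having to enumerate it, and the renderer guarantees well-formed output; the trade-off is that the module cannot validate field names, so a typo surfaces only when `bao server` rejects the file at startup.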
emilylange approved these changes 2024-10-29 23:54:25 +00:00
emilylange left a comment
Member

Came to the conclusion that making this RFC42 compliant will likely take a bit longer than I anticipated.

Not sure how to dismiss my review, so guess I'll approve without looking at everything.

I am shorter on time than I would like. Sorry.

This pull request is marked as a work in progress.
This branch is out-of-date with the base branch
Reference: the-distro/infra#150