Assess secret storage systems for Lagoon

Currently it’s not possible to store secret environment variables across an entire OpenShift project. Each new environment that is created for a new PR or branch needs to have ENV vars set manually in the deployment. Could we move to Vault to manage this instead of env?

Based on some investigations in our project, the following steps outline what may be needed to achieve a production-level integration of Vault.

1. Install Consul.
  • https://github.com/kubernetes/charts/tree/master/stable/consul

2. Install Vault.
  • https://github.com/kubernetes/charts/tree/master/incubator/vault

3. Install the Goldfish Vault Web UI.
  • https://github.com/kubernetes/charts/tree/master/incubator/goldfish
  • https://github.com/Caiyeon/goldfish

4. Configure the Vault Kubernetes Auth Backend.
  • https://www.vaultproject.io/docs/auth/kubernetes.html
  • This will allow Kubernetes service accounts to authenticate to Vault.

5. For each application that is to use Vault-stored secrets:
  • Create a `ConfigMap` with a file defining the secrets to be consumed.
  • Change the Dockerfile ENTRYPOINT for the workload so that `vaultenv` is used to fetch the secrets from Vault and store them in environment variables.
  • https://github.com/channable/vaultenv
  • The section “Exposing Secrets to Applications” from this article goes into more detail about using `vaultenv`: https://www.elastic.co/blog/kubernetes-vault-integration-devops-team
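The steps above, carried through for one workload as an added example (this is not Lagoon's, Vault's or vaultenv's own code): the operator-side Vault commands that enable the Kubernetes auth backend and bind a read-only policy to a single service account, the `vaultenv` secrets file wrapped in a `ConfigMap`, and the replacement ENTRYPOINT that exchanges the pod's service-account JWT for a short-lived Vault token before `vaultenv` runs the real command. The app name `myapp`, namespace `myapp-ns`, the KV v1 path `secret/myapp/*`, the mount point `/etc/vaultenv` and the `VAULT_HOST`/`VAULT_PORT`/`VAULT_TOKEN` environment variables that `vaultenv` reads are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not Lagoon's or vaultenv's own code: wires one workload to Vault
# through the Kubernetes auth backend and vaultenv, following the steps above.
# Assumed names: app "myapp" running as service account "myapp" in namespace
# "myapp-ns", with its secrets in a KV v1 mount under secret/myapp/*.
APP=myapp
NAMESPACE=myapp-ns
SA_TOKEN=/var/run/secrets/kubernetes.io/serviceaccount/token
SA_CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Operator side (run once, from a pod that already holds a Vault token): enable
# the backend, write a read-only policy scoped to this app's path, and bind it to
# exactly one service account in one namespace, so tenants cannot read each
# other's secrets. Skipped when the vault CLI is not installed.
vault_bootstrap() {
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found, skipping" >&2; return 0; }
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat "$SA_TOKEN")" \
    kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443" \
    kubernetes_ca_cert=@"$SA_CA"
  vault policy write "$APP-read" - <<EOF
path "secret/$APP/*" { capabilities = ["read"] }
EOF
  vault write "auth/kubernetes/role/$APP" \
    bound_service_account_names="$APP" \
    bound_service_account_namespaces="$NAMESPACE" \
    policies="$APP-read" ttl=1h
}

# Secrets file for vaultenv: one "path#key" per line under the secret/ mount.
# NAME=path#key fixes the variable name; otherwise vaultenv derives it from the
# path (myapp/smtp#api-key becomes MYAPP_SMTP_API_KEY). Format as understood
# from vaultenv's README (assumption).
secrets_file() {
  cat <<EOF
DATABASE_PASSWORD=$APP/db#password
$APP/smtp#api-key
EOF
}

# ConfigMap carrying that file; mount it at /etc/vaultenv in the Deployment.
configmap_yaml() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s-vaultenv\n  namespace: %s\ndata:\n  secrets.txt: |\n' "$APP" "$NAMESPACE"
  secrets_file | sed 's/^/    /'
}

# Replacement ENTRYPOINT: exchange the pod's service-account JWT for a Vault
# token bound to the role above, export it, then exec the real command under
# vaultenv so the secrets exist only in that process's environment (never in the
# pod spec or the image). Assumes VAULT_ADDR, VAULT_HOST and VAULT_PORT are set
# in the pod spec and that vaultenv reads VAULT_TOKEN from the environment.
entrypoint_script() {
  cat <<EOF
#!/bin/sh
set -eu
VAULT_TOKEN=\$(vault write -field=token auth/kubernetes/login role=$APP jwt=@$SA_TOKEN)
export VAULT_TOKEN
exec vaultenv --secrets-file /etc/vaultenv/secrets.txt "\$@"
EOF
}

# Dockerfile tail that swaps in the entrypoint; CMD stays the app's own command.
dockerfile_tail() {
  cat <<'EOF'
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/app/start.sh"]
EOF
}

# "sh example.sh render" prints the generated manifests for review before applying.
case "${1:-}" in
  render) configmap_yaml; echo; entrypoint_script; echo; dockerfile_tail ;;
esac
```

The policy grants `read` only, and the role binds a single service account in a single namespace; per-environment isolation, which is the multi-tenant concern raised later in this thread, then falls out of giving each environment its own service account, role and `secret/<app>/<env>/*` path rather than a shared token.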

Issue Analytics

  • State: open
  • Created 5 years ago
  • Reactions: 1
  • Comments: 10 (8 by maintainers)

Top GitHub Comments

1 reaction
Schnitzel commented, Jun 19, 2018

Thanks for this @kurtfoster. There is also #65 which covers another idea of this.

Will definitely look into Vault and check how we can use that in a PaaS environment where multiple clients need access to the Vault but should not have access to each other's secrets.

0 reactions
Schnitzel commented, Oct 18, 2021

We talked about this again during the Lagoon tech sync:

  • The easiest and highest-value addition of security would be to encrypt the env variables in the Lagoon API DB and decrypt them when they are loaded.
