Skip to content

Eliminate dependency on Vault #195

Description

@ajf

Vault is a pretty complex dependency that we use for:

  • Storing Secrets for BMC passwords & UEFI passwords
  • Storing operator supplied credentials for external systems (e.g. UFM & NMX)
  • PKI for issuing Certificate to booting Scout images and DPUs (that are used for mTLS and RBAC purposes) and to

The setup of PKI policies, running vault in a HA replica with automatic unsealing, and backups are far more complex because of it. Several people have had trouble setting it up

We would like to remove the direct dependency on Vault.

  • We believe that we'll need to internalize "managed" passwords like BMCs and UEFI internally into Carbide's PostgreSQL database; while keeping a high level of security and ability to rotate passwords.
  • Move the operator-supplied credentials to be read from config files so they could be provided some other way (like a k8s secret, or some file on disk)
  • Switch scout and DPU-agent (and anything else that talks to the API) to JWT or some other Token-based authentication and update RBAC rules

Additionally, we'll need to update admin-cli to use some token auth instead of mTLS certs, but we may be able to keep this since the mTLS for admin-cli doesn't actually use Vault.

Need product input if we should have pluggable secret backends (if someone wanted to use Vault), or just do this stuff internally for simplicity.

Metadata

Metadata

Assignees

Labels

apiaffects API surface areafeatureFeature (deprecated - use issue type, but it's needed for reporting now)host ingestionIssue relating to ingestion or lifecycle of a host.lifecycle/frozenroadmapRoadmap item with program-level trackingsecurityThings affecting host security (attestation, santization, etc)

Type

Fields

No fields configured for Epic.

Projects

Status
In Progress

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions