Move secrets handling to HashiCorp Vault
CKI has access to a HV instance. Use it.
AC:
- remove hvac python dep: cki-tools!1219 (merged)
- remove vault from cki-tools image: cki-tools!1228 (merged)
- integrity check job to compare yaml and hv in deployment-all pipeline
- all secrets moved from encrypted yamls to HV
- credential-manager update should not affect last-used-at of checked tokens
- credential-manager cleanup to get rid of leftovers of rotated tokens, inactive/expired tokens
- document token rotation
- all documentation updated: internal deployment repo, public/internal docs
- all secrets moved from credentials repo to HV
- credentials repo archived
- remove yaml backend for secrets
Edited by Michael Hofmann