Make Hashicorp Vault available as application to deploy into Kubernetes (#9982) · Issues · GitLab.org / GitLab

Make Hashicorp Vault available as application to deploy into Kubernetes

Problem to solve

We want to make it easy for users to have modern secrets management. Hashicorp Vault has won this market, and users that are not already using it for rotating and managing secrets should be.

Target audience

Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
Devon, DevOps Engineer, https://design.gitlab.com/research/personas#persona-devon
Sidney, Systems Administrator, https://design.gitlab.com/research/personas#persona-sidney

Further details

Proposal

We are going to add Vault to the list of GitLab managed applications (https://docs.gitlab.com/ee/user/clusters/applications.html#gitlab-managed-apps), providing a one-click install for applications on a Kubernetes cluster.

Implementation Notes

Implementation relies on installing/using the helm-git plugin as the official Hashicorp Vault chart is not in a Helm repository
We use the official Vault Helm chart from Hashicorp
After installation, you will still need to go into a pod and run vault operator init and vault operator unseal <unseal key> As per the standard Vault installation process. We can't easily automate this as there is a lot of specific information and configuration related to how to setup Vault specifically for your environment. E.g. Personally storing and distributing your unseal keys
For production usage a user will need to configure the Vault chart with some specifics, e.g. setting the backing store to a cloud storage bucket, encryption, auto-unseal on startup

Additional Details

The goal is to enable easy set up for users that currently do not have a Vault instance with GitLab using K8.
How will GitLab deployed applications find Vault (is there a URL to pass into CI perhaps or do we need to expose it in the UI?)
- We should support a URL to pass into the CI as first iteration. It's worth knowing that all user deployed applications from GitLab are deployed to isolated namespaces.
Is there a security model for Vault that aligns with our namespace separation for Group clusters?
- Security Model for Vault does support name space separation. We could also leverage an Agent Sidecar Injector.
Does it make sense for all applications deployed to all environments to share a Vault. Is this recommended usage?
- In this case, we would be supporting an already present Vault Instance and connecting it into a K8 Cluster. HashiCorp mentioned this is supported functionality.
What will be supported in Vault?
- CI Variables, tokens, and keys

Documentation

See !24546 (merged) for documentation

What does success look like, and how can we measure that?

On-premise and gitlab.com customers will install Vault as another Gitlab Managed App alongside the others we already have documented at https://docs.gitlab.com/ee/user/clusters/applications.html

What is the type of buyer?

Community Edition

Links / references

### Problem to solve
We want to make it easy for users to have modern secrets management.  Hashicorp Vault has won this market, and users that are not already using it for rotating and managing secrets should be.

### Target audience
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Devon, DevOps Engineer, https://design.gitlab.com/research/personas#persona-devon
- Sidney, Systems Administrator, https://design.gitlab.com/research/personas#persona-sidney

### Further details

### Proposal

### Implementation Notes

* Implementation relies on installing/using the helm-git plugin as the official Hashicorp Vault chart is not in a Helm repository
* We use the official Vault Helm chart from Hashicorp
* After installation, you will still need to go into a pod and run `vault operator init` and `vault operator unseal <unseal key>` As per the standard Vault installation process. We can't easily automate this as there is a lot of specific information and configuration related to how to setup Vault specifically for your environment. E.g. Personally storing and distributing your unseal keys
* For production usage a user will need to configure the Vault chart with some specifics, e.g. setting the backing store to a cloud storage bucket, encryption, auto-unseal on startup

#### Additional Details

* The goal is to enable easy set up for users that currently do not have a Vault instance with GitLab using K8. 
* How will GitLab deployed applications find Vault (is there a URL to pass into CI perhaps or do we need to expose it in the UI?) 
  * We should support a URL to pass into the CI as first iteration. It's worth knowing that all user deployed applications from GitLab are deployed to isolated namespaces. 
* Is there a security model for Vault that aligns with our namespace separation for Group clusters? 
  * [Security Model for Vault](https://www.vaultproject.io/docs/internals/security/) does support name space separation. We could also leverage an [Agent Sidecar Injector](https://www.vaultproject.io/docs/platform/k8s/injector/). 
* Does it make sense for all applications deployed to all environments to share a Vault. Is this recommended usage?
  * In this case, we would be supporting an already present Vault Instance and connecting it into a K8 Cluster. HashiCorp mentioned this is supported functionality. 
* What will be supported in Vault?
  * CI Variables, tokens, and keys

### Documentation
* See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24546 for documentation

### What does success look like, and how can we measure that?

* On-premise and gitlab.com customers will install Vault as another Gitlab Managed App alongside the others we already have documented at https://docs.gitlab.com/ee/user/clusters/applications.html

### What is the type of buyer? 
* Community Edition

### Links / references

Edited Feb 19, 2020 by Jackie Meshell

Discussion
Designs