Feature
Resolution: Unresolved
Major
None
Goal Summary:
Enable customers of RHACS to integrate with services using credentials managed by external secret stores such as HashiCorp Vault. Kubernetes and OpenShift both provide ways for customers to manage secrets on the cluster using the External Secrets Operator, the Secret Store CSI Driver, or the Vault Secrets Operator. When RHACS Central is deployed on such a cluster, Central can be provided with credentials for integrations with external services through secrets managed by these operators.
Goals and expected user outcomes:
- Enable the use of credential stores to manage the credentials ACS uses for integrations.
- In the first such offering, we will focus on HashiCorp Vault as the secret store and can expand to other stores based on customer interest.
- Admins are expected to create secrets in the namespace where ACS is installed and configure those secrets to pull the right integration credentials from the Vault store.
- Admins are also responsible for installing and configuring the External Secrets Operator or the Secret Store CSI Driver with HashiCorp Vault, including authentication of ESO to Vault.
- RHACS Central will have a provision to fetch credentials from the secret and use them to authenticate to registries, notifiers, etc. Initial testing will be with registry integrations.
- RHACS should be able to re-read a secret once it is changed or rotated and use the new value for authentication in subsequent interactions.
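The admin-side setup described in the goals above, as an added example that is not part of this ticket or of RHACS itself: an External Secrets Operator SecretStore and ExternalSecret that pull a registry credential from Vault into a Kubernetes Secret in the ACS namespace, which Central would then be pointed at. The namespace (stackrox), Vault address, KV mount, Kubernetes-auth role, ServiceAccount name and Vault path are all assumed values.

```yaml
# Added example (not from the RHACS ticket): ESO objects that surface a registry
# credential held in HashiCorp Vault as a Kubernetes Secret in the RHACS namespace.
# Assumed values: namespace "stackrox", Vault at https://vault.example.com, KV v2
# mount "secret", Vault Kubernetes-auth role "rhacs-central", ServiceAccount "rhacs-eso".
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: stackrox
spec:
  provider:
    vault:
      server: "https://vault.example.com"   # assumed Vault address
      path: "secret"                        # KV v2 mount
      version: "v2"
      # Vault's Kubernetes auth method: ESO authenticates to Vault (the admin's
      # responsibility per the goals above); Central itself never holds a Vault token.
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "rhacs-central"
          serviceAccountRef:
            name: "rhacs-eso"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: quay-registry-credentials
  namespace: stackrox
spec:
  # Re-read from Vault on this interval so a rotated credential is picked up
  # without manual intervention (the rotation goal above).
  refreshInterval: 1h
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: quay-registry-credentials   # the Secret the registry integration reads
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: rhacs/integrations/quay   # Vault path secret/data/rhacs/integrations/quay
        property: username
    - secretKey: password
      remoteRef:
        key: rhacs/integrations/quay
        property: password
```

After applying, the ExternalSecret's Ready condition (`oc get externalsecret -n stackrox`) should report SecretSynced; if ESO cannot authenticate to Vault, the condition stays false and no Secret is created, which is the first thing to check when the integration cannot find its credentials.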
Acceptance Criteria:
Ability to connect to registries and notifiers using external secrets.
Success Criteria or KPIs measured:
Risk:
Performance issues. However, the Secret Store CSI Driver can mount multiple secrets in a single mount, which limits the number of mounts needed:
https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver
Use Cases (Optional):
Out of Scope (Optional):
- The initial release will focus on HashiCorp Vault; subsequent releases will add other secret stores.
- The initial release will focus on limited testing with only a few registries and notifiers.
- The initial release will have limited UI support, only indicating that a secret managed by Vault is in use.
- This mode of integration does not replace the other integration options; it only augments them with credentials managed by external secret stores.