More Secrets Options Now Available with Validated Patterns
More Secrets Options Now Available with Validated Patterns
Overview
One of the things about the kubernetes application management experience that we wanted to explore and improve as part of the Validated Patterns initiative was the secrets handling in GitOps. So we worked out a scheme that stored secret material in a dedicated secrets store, using the External Secrets Operator to project that secret material into the applications using ESO’s powerful and convenient abstraction and templating features. At that time, HashiCorp Vault was well supported and popular in the community, as was using ESO to retrieve secrets from it. All of the major hyperscaler keystores are supported (AWS, Azure, GCP), but multi- or hybrid- cloud solutions that can be “self-contained” are either less well supported or the solutions themselves lean towards SaaS offerings.
Almost two years later, the secrets landscape has shifted somewhat. As a Red Hat project, Validated Patterns initiative gravitates towards Red Hat-supported solutions, and neither HashiCorp Vault nor ESO are currently Red Hat supported. Meanwhile, the only backend we provided a code path to drive with ESO was Vault.
This nullifies one of the major reasons we wanted to use ESO in the first place - namely, the ability to easily swap out secrets backends in case Vault was not usable for some reason. Earlier in 2023, one of our engineers did a proof of concept of ESO support using the AWS Secrets Manager backend - demonstrating that ESO delivered on its promise of multiple secret store support. Adapting ESO was the easy part - the hard part is building more abstraction into the VP secrets handling code that runs on pattern install.
To this end, we decided we would expand secrets support by introducing at least one new backend - and we chose the kubernetes backend, because it is self-contained (that is, it can be run on-prem and requires no new products or projects to be installed), and is a useful vehicle for introducing an abstraction layer for validated patterns secret parsing. In addition, dealing with kubernetes secrets objects directly has the side effect of enabling us to provide a mechanism for users to inject their secrets directly into their patterns, bypassing the need to use any secrets manager or ESO at all. This also provides benefits to installations where only commercially supported solutions can be installed, since ESO is currently not commercially supported by any entity.
In a nutshell, the new features depend on an abstraction of secret file parsing, so that the secrets are held in memory in a datastructure that is then processed and loaded by the appropriate backend code.
Users of the pattern framework will be able to change secrets backends as straightforwardly
as we can make possible. The only other change the user will need to make (to use another
ESO backend) is to use the backend’s mechanism to refer to keys. (For example: in Vault,
keys have have names like secret/data/global/config-demo; in the Kubernetes backend
it would just be the secret object name that’s being used to store the secret material,
such as config-demo).
Chart changes
The clusterSecretStore related chart elements have moved to
values-global.yaml, specifically global.secretStore.backend. For example, from
multicloud-gitops:
global:
pattern: multicloud-gitops
options:
useCSV: false
syncPolicy: Automatic
installPlanApproval: Automatic
secretStore:
backend: kubernetes
Previously, the secretStore setting was done per-chart; but ordinarily this
setting will hold for the entire cluster, which may include many charts. Because
of this, we will move these settings in our charts. (Older configs will not
break if they still use vault; and it is still an option to override each
chart if you want to do that.)
Individual secret keys used for ESO lookups will need to be overridden or changed to use the kubernetes backend.
This values-global setting is also used by the Ansible workflow to decide which backend to inject secrets into.
The “vault” Backend - Unchanged Interface, New plumbing
The vault support now has a new code path to follow, but supports exactly the same features in the same ways it always has. Vault is still the default backend for patterns, and all existing patterns should be able to adopt the new code path without making any changes. Any other experience is a bug we will fix.
All of the defaults for the new code path are designed to work with existing vault-based configurations; the new features are entirely optional and we do not expect breakage or regressions to existing vault-based configurations.
The “kubernetes” Backend new
New features have been introduced to the secrets structure to support the use of the
Kubernetes ESO backend. See the below details for the new options and how they are processed
by the kubernetes parsing strategy.
The “none” Backend new
New features have been introduced to the secrets structure to support not using an ESO
ESO backend, but rather injecting secrets objects directly into the pattern. This violates
the spirit of GitOps by not recording the details of the deployment in a versioned way.
However users might want or need to make this tradeoff for different reasons. See the below
details for the new options and how they are processed by the none parsing strategy.
At present, any external secret objects will need to be deleted from the repository to use
the none backend - since the ArgoCD application will not sync when a non-existing CRD is
referenced.
How to Use a non-default Backend
We have provided Makefile targets to switch between backends. These targets edit the pattern configuration files in-place; in keeping with the GitOps philosophy they change the files in git that control how the application is deployed.
These Makefile targets are:
secrets-backend-vault Edits values files to use default Vault+ESO secrets config
secrets-backend-kubernetes Edits values file to use Kubernetes+ESO secrets config
secrets-backend-none Edits values files to remove secrets manager + ESO
Run the makefile target in your repo to effect the necessary changes. If the command makes changes,
it will display them in git diff format, and it will be up to you to commit and push the result
to effect the change. Nothing will change on your cluster until you commit and push.
Using the old system - The legacy-load-secrets Makefile target
The existing vault-utils codepath is available via the legacy-load-secrets
Makefile target. If secrets loading fails, or you just want to use the other
system, you can run make legacy-load-secrets after make install and it will
run those scripts and the Ansible playbooks and roles associated with them.
Deprecation of v1.0 Secrets
The v1.0 secrets format has not been used in the Validated Patterns framework
for over a year now. The v2.0 framework is a strict superset of the v1.0
framework. Support for the v1.0 framework is still available via the
legacy-load-secrets code path, but this may be removed in the future.
Updates to the Secrets v2.0 Schema
New features have been added at both the file level and the per-secret level to support the new backends:
Top-level Additions
secretStoreNamespace
example:
---
version: "2.0"
secretStoreNamespace: 'validated-patterns-secrets'
secrets:
A new top-level key has been introduced in the secrets file:
secretStoreNamespace. This defaults to validated-patterns-secrets. This is
the namespace that ESO uses as its special secret store, which serves the same
architectural purpose as vault does in the default installation. (Secrets are
installed into this namespace as Kubernetes secrets objects, and ESO allows for
them to be copied or templated out using ESO mechanisms).
defaultAnnotations
example:
defaultAnnotations:
validatedpatterns.io/pattern: 'myPattern'
This data structure is a hash, or dictionary. These labels will be applied to all
secrets objects unless they have per-secret annotations set. Labels are only added to
kubernetes based secrets objects (using the kubernetes or none) backends. The
vault loader ignores these settings.
defaultLabels
example:
defaultLabels:
patternType: 'edge'
patternEnvironment: 'production'
This data structure is a hash, or dictionary. These labels will be applied to all
secrets objects unless they have per-secret labels set. Labels are only added to
kubernetes based secrets objects (using the kubernetes or none) backends. The
vault loader ignores these settings.
Per-secret Additions
targetNamespaces
example:
secrets:
- name: config-demo
targetNamespaces:
- config-demo
fields:
This option is ignored by vault and kubernetes backends, and only used by the none backend.
Normally, you will only need to add your secret to one namespace at a time. However, if you do need
to copy a secret that is identical except for the namespace it goes into, you can add multiple
targetNamespaces each namespace specified will get a copy of the secret.
There is not a default target namespace for the none backend, so omitting this field from a config
parsed for the none backend is an error.
labels
example:
secrets:
- name: config-demo
labels:
patternType: 'edge'
patternEnvironment: 'production'
fields:
In this case, these labels will only be applied to any config-demo secret objects created
by the framework. This option is only used by the none and kubernetes backends and
ignored by the vault backend. If defaultLabels are specified at the top level of the
file, per-secrets labels will override them.
annotations
example:
secrets:
- name: config-demo
annotations:
validatedpatterns.io/pattern: 'myPattern'
fields:
In this case, this annotation will only be applied to any config-demo secret objects created
by the framework. This option is only used by the none and kubernetes backends and
ignored by the vault backend. If defaultAnnotations are specified at the top level of the
file, per-secrets annotations will override them.
Under the Hood - Python and Ansible Code
The main changes here were to factor out the code that did the file parsing and actual secret
loading into different modules. The parse_secrets_info module now reads all of the file contents
and renders all of the secrets it can before turning the process over to an appropriate secrets
loader.
The process_secrets playbook
The process_secrets understands the backend configured for the different backends from values-global,
and follows the appropriate strategy.
parse_secrets_info Ansible Module
parse_secrets_info understands the different backends, and parses the secrets file into an in-memory
structure that can then be handed over to a loader specific to the backend. There is an additional
script, common/scripts/process_secrets/display-secrets-info.sh <secrets_file> <backend_type> that
can be used to view how the secrets are parsed. This will display secrets on the terminal, so use
with caution. It creates a parsed_secrets structure that should be generally useful, as well as
vault_policies (Specifically for Vault support). Additionally, it creates a kubernetes_secret_objects
structure suitable to hand over to the Ansible k8s.core collection directly.
vault_load_parsed_secrets Ansible Module
vault_load_parsed_secrets is responsible for setting up the commands to load the secrets into vault,
and running them.
The k8s_secret_utils Ansible Role
k8s_secret_utils is used for loading both the kubernetes and none backends. It
Changes to to vault_utils Ansible Role
Some code has been factored out of vault_utils and now lives in roles called cluster_pre_check and
find_vp_secrets roles. A new task file has been added, push_parsed_secrets.yaml that knows how to use
the parsed_secrets structure generated by parse_secrets_info. The existing code in the other task files
remains.
Developing a new backend
To provide support for an additional backend, the framework will need changes to:
- The
golang-external-secretschart (to support the new provider) - The shell and ansible framework for loading (understanding the new backend name and developing behaviors for it).
Conclusion
The Validated Patterns framework strives to offer solutions to real-world problems, and we hope you will find these new features useful. If you run into problems, we will do our best to help!
