Secret Management

The secrets are held in: GitHub Secrets and Vault?

The secrets are managed by:

The secrets are accessed from Iac …?

The management of secrets is complicated.  Below are some requirements for the solution.  If we can tick off all these, we’ll have a winner.

Must be able to manage:

-       carrier secrets

-       api keys

-       aais secrets

-       common secrets

-       cloud provider secrets

-       database secrets

-       hlf network secrets like certs

-       application secrets

-       distributed secrets

Must:

-       rotate passwords

-       be encrypted

-       permissioned so only visible to specific individuals or ci/cd

-       manageable - update / delete / create / view

-       auditable - know what changed and that no breaches have occurred

-       be accessible from IaC - terraform

-       be accessible from IaC - helm

-       be accessible during CI/CD

-       be cloud agnostic for use

-       be multi-cloud

-       have a health check of the system - at startup and intervals

-       provide logging and notifications of updates

-       exhibit CIA - confidentiality, integrity, access

-       have a user interface for managing the secrets

Options:

-       tools

o   vault

o   aws secrets manager

-        

Mongo DB is a cloud managed servicedeployed inside Kubernetes

The default implementation for MongoDB is a cloud managed service. 

In AWS this will be DocumentDB, as long as, it implements the API we need.

In other cloud providers it will be specific to that cloud.

For local deployments it will be inside the kubernetes cluster.

The Terraform to setup the mongo db will be pluggable so it can be replaced with the appropriate platform specific configuration.

Options discussed were:

-       self-managed cloud implementation

-       cloud-managed Infrastructure as a Service

-       mongo db atlas - a mongo provided infrastructure as a service (requires separate account, so it was dismissed)

DocumentDB does NOT support mapreduce which is how we run the extraction patterns.

So we have two options:

• we use true mongodb compatible db that supports mapreduce
• we refactor the extraction pattern functionality to not use mapreduce

So, for the migration project we switch to a mongodb self managed db

For the longer term we'll reimagine the extraction pattern processing.

Use Kind or Minikube for Local Kubernetes Runtime

We will use MinikubeThere are multiple options for local kubernetes deployment.  We chose Minikube over Kind because of it's simplicity.

Use GitOps  a combination of solutions depending on application.

• Cloud
  • Terraform for Infrastructure Provisioning in the Cloud
  • GitHub actions for CI/CD and execution of Terraform
  • Ansible for Deploying ??
  • Helm for managing Kubernetes
  • Flux for provisioning and managing distributed nodes
• Local Reference
  • Bash scripts for provisioning local

Provide options for selection upon setup.

• Terraform Cloud
• Terraform Enterprise
• GitHub Actions
• Manual

All provisioning artifacts are managed in git

The customer will have a github / gitlab account that is private to them.

We may or may not have access to that repository.

To accept updates, the customer will accept a merge/pull request into their repository with our changes.

That update in git will automatically trigger the workflow.

The workflow may allow automatic provisioning or require an acceptance from the customer.

-       milestones

1. start with github actions, forked repos and manual execution
2. move to terraform cloud for aais node

target will have two options for node owners

• use terraform cloud
• use terraform on-prem (terraform enterprise)