Enable Vault PKI secrets engine #1925

Closed
bnevis-i opened this issue Oct 15, 2019 · 0 comments · Fixed by edgexfoundry/edgex-docs#287
Labels
enhancement New feature or request security-services wontfix This will not be worked on

Comments

@bnevis-i
Collaborator

bnevis-i commented Oct 15, 2019

🚀 Feature Request

Relevant Package

Affects security-secrets-setup (#1924) and secret store configuration
This is a sub-story of https://github.com/edgexfoundry/edgex-go/issues/1950.

Description (original)

There are multiple reasons why one would want to enable the PKI secrets engine in Vault:

  • Enable TLS-encrypted communications between micro-services. (Note: Consul Connect has built-in Vault integration for just this purpose)
  • Simplify the installation of the Kong proxy certificate (Streamline proxy certificate upload flow #1922)
  • Enable service-to-service authentication via mutual-auth TLS or JWT signatures
  • Unforeseen end-user use cases for a local PKI

For these reasons it would be useful to import an intermediate CA (#1924) into Vault, enable the PKI secrets engine, and issue additional certificates at runtime as needed to build additional TLS-dependent services. This will help minimize security-secrets-setup usage to just security services bootstrapping and nothing more.

Description (from merged ticket #2455)

In order to enable microservices to authenticate the server side of a connection and provide confidentiality and integrity protection of microservice communications, we should enable the Vault PKI secrets engine for issuing of leaf TLS certificates and add hooks to go-mod-secrets to request the private key at runtime in order to secure the services' REST API server.
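The sequence this issue asks for, as an added example that is not code from the issue, edgex-go or go-mod-secrets: enable the PKI secrets engine, import the intermediate CA bundle, define a narrowly scoped server role, and let a service request a leaf certificate and key at runtime, all over Vault's HTTP API with the Python standard library only. The mount path `pki`, the role name `edgex-service`, the domain `edgex.local`, the hostnames, TTLs and file names are assumptions; the `FakeVault` transport is a constructed stand-in that records requests and returns placeholder PEM so the flow runs offline.

```python
"""Added example, not code from the issue, edgex-go or go-mod-secrets: the flow the issue
describes, driven over Vault's HTTP API. Mount path, role, hostnames and TTLs are assumptions."""
import json
import os
import urllib.request
from typing import Optional


def http_transport(method: str, url: str, body: Optional[dict], token: str) -> dict:
    """Default transport: one token-authenticated JSON request to a real Vault server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultPKI:
    def __init__(self, addr: str, token: str, mount: str = "pki", transport=http_transport):
        self.addr, self.token, self.mount, self._send = addr.rstrip("/"), token, mount, transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self._send(method, f"{self.addr}/v1/{path}", body, self.token)

    def enable_engine(self, max_lease_ttl: str = "8760h") -> None:
        """Mount the engine, then raise the mount's TTL ceiling so the CA outlives its leaves."""
        self._call("POST", f"sys/mounts/{self.mount}", {"type": "pki"})
        self._call("POST", f"sys/mounts/{self.mount}/tune", {"max_lease_ttl": max_lease_ttl})

    def import_intermediate_ca(self, pem_bundle: str) -> None:
        """pem_bundle is the intermediate certificate plus its private key, PEM-concatenated."""
        self._call("POST", f"{self.mount}/config/ca", {"pem_bundle": pem_bundle})

    def create_server_role(self, name: str, allowed_domains: list, max_ttl: str = "168h") -> None:
        """The role is the policy boundary: server-auth only, constrained names, short max TTL."""
        self._call("POST", f"{self.mount}/roles/{name}", {
            "allowed_domains": allowed_domains, "allow_subdomains": True, "allow_bare_domains": True,
            "enforce_hostnames": True, "server_flag": True, "client_flag": False,
            "key_type": "ec", "key_bits": 256, "max_ttl": max_ttl})

    def issue_leaf(self, role: str, common_name: str, alt_names=(), ttl: str = "24h") -> dict:
        """Mint a leaf at runtime; Vault generates the key pair and returns it once without storing it."""
        resp = self._call("POST", f"{self.mount}/issue/{role}",
                          {"common_name": common_name, "alt_names": ",".join(alt_names), "ttl": ttl})
        return parse_issue_response(resp)


def parse_issue_response(resp: dict) -> dict:
    """Validate the issue response and assemble a leaf-first chain plus the private key."""
    data = resp.get("data") or {}
    missing = [k for k in ("certificate", "private_key", "issuing_ca", "serial_number") if not data.get(k)]
    if missing:
        raise ValueError(f"Vault issue response missing fields: {missing}")
    # ca_chain carries the full intermediate chain when present; fall back to the single issuer.
    chain = [data["certificate"]] + list(data.get("ca_chain") or [data["issuing_ca"]])
    return {"cert_chain_pem": "".join(c.strip() + "\n" for c in chain),
            "private_key_pem": data["private_key"].strip() + "\n",
            "serial_number": data["serial_number"]}


def write_tls_material(material: dict, cert_path: str, key_path: str) -> None:
    """Persist for the service's REST server; the key file is created owner-only (0600)."""
    with open(cert_path, "w") as f:
        f.write(material["cert_chain_pem"])
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(material["private_key_pem"])
    os.chmod(key_path, 0o600)  # a pre-existing file may have had wider permissions


class FakeVault:
    """Constructed stand-in for a Vault server so the flow runs offline: records every request
    and answers /issue/ with placeholder (non-real) PEM bodies."""
    CANNED = {"certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
              "issuing_ca": "-----BEGIN CERTIFICATE-----\nINT\n-----END CERTIFICATE-----",
              "ca_chain": ["-----BEGIN CERTIFICATE-----\nINT\n-----END CERTIFICATE-----",
                           "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----"],
              "private_key": "-----BEGIN EC PRIVATE KEY-----\nKEY\n-----END EC PRIVATE KEY-----",
              "serial_number": "0a:1b:2c"}

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body, token):
        self.calls.append((method, url, body))
        return {"data": dict(self.CANNED)} if "/issue/" in url else {}


def bootstrap(pki: VaultPKI, intermediate_bundle_pem: str, service_host: str) -> dict:
    """The issue's sequence end to end: enable, import CA, define role, issue one leaf."""
    pki.enable_engine()
    pki.import_intermediate_ca(intermediate_bundle_pem)
    pki.create_server_role("edgex-service", ["edgex.local"])
    return pki.issue_leaf("edgex-service", service_host, alt_names=["localhost"])


if __name__ == "__main__":
    # Offline run against the fake; for a real Vault keep the default http_transport and a real token.
    leaf = bootstrap(VaultPKI("http://127.0.0.1:8200", "constructed-token", transport=FakeVault()),
                     "PLACEHOLDER-INTERMEDIATE-BUNDLE-PEM", "core-data.edgex.local")
    write_tls_material(leaf, "server.crt", "server.key")
```

The role is where the security boundary sits: `client_flag: false` keeps the leaf from doubling as a client identity, `enforce_hostnames` with `allowed_domains` stops a service minting a certificate for another service's name, and a short `max_ttl` bounds the blast radius of a leaked key. A service using go-mod-secrets would call the equivalent of `issue_leaf` at start-up and keep the returned key in memory or in an owner-only file.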
