adding secrets mgmt content

Author: day0hero

documentation/modules/ROOT/nav.adoc

@@ -58,6 +58,18 @@
 //Chapter 6 - Secrets Management
 * xref:secrets.adoc[6. Secrets Management]
 ** xref:secrets.adoc#objectives[Topic Objectives]
+** xref:secrets.adoc#secretsGitops[Secrets Management and GitOps]
+** xref:pattern-secrets-management.adoc#esoVault[ESO and Vault]
+** xref:pattern-secrets-management.adoc#approaches[Approaches]
+*** xref:pattern-secrets-management.adoc#encryptedSecrets[Encrypted Secrets]
+*** xref:pattern-secrets-management.adoc#secretReferences[References to Secrets]
+** xref:pattern-secrets-management.adoc#vault[Vault]
+** xref:pattern-secrets-management.adoc#eso[eso]
+** xref:pattern-secrets-management.adoc#vaultconcepts[Vault Concepts]
+
+
+
+
 * xref:secrets.adoc[Exercises]
 
 //Chapter 7 - SelfContained Pattern Resources

documentation/modules/ROOT/pages/gitopsRoughEdges.adoc

@@ -4,6 +4,6 @@ include::_attributes.adoc[]
 
 include::main@vp-workshop:ROOT:partial$topicHeader.adoc[]
 
+link:https://developers.redhat.com/e-books/path-gitops[GitOps Rough Edges]
 
-
-[#website]
+[#website]

documentation/modules/ROOT/pages/pattern-secrets-management.adoc

@@ -0,0 +1,111 @@
+== Secrets Management in Validated Patterns
+
+[#esoVault]
+== ESO and Vault
+
+IMPORTANT: The Validated Patterns team settled on using **references to secrets** 
+
+We currently implement GitOps + Secrets via link:https://external-secrets.io/v0.7.0/[External Secrets Operator] and link:https://www.vaultproject.io/[HashiCorp Vault]
+The main reasons for this choice at the time were the following:
+* Sealed Secret approach carries additional risks
+* ESO allows us a certain level of independence from the Secrets Management System 
+* HashiCorp Vault is currently the most popular Secret Management Systems
+* Advised by our security team
+* CyberArk leaders (masters) cannot be hosted on OpenShift
+* Secret injection is incompatible with Pods owned by Operators
+
+
+[#approaches]
+== Approaches
+
+* There are two fundamental approaches to manage secret material within a GitOps context
+* **Encrypted Secrets** stored inside Git repositories
+* **References to Secrets** stored inside Git repositories and the actual secret is stored somewhere else
+
+[#encryptedSecrets]
+=== Encrypted Secrets
+
+* Secrets are stored in an encrypted form inside the Git repository
+* Automation and helper tools do the decryption to create Kubernetes secrets from them
+* A number of projects exist that implement this approach:
+** link:https://github.com/bitnami-labs/sealed-secrets[Sealed Secrets]
+** link:https://github.com/mozilla/sops[Mozilla’s Secret OPerationS (SOPS)]
+** Other smaller ones (link:https://github.com/kapicorp/tesoro[Tesoro], link:https://github.com/Soluto/kamus[Kamus])
+
+These projects provide an easy way to encrypt and decrypt the secrets, and make sure that only authorized users can access them.
+The encryption method and key management should be considered carefully as they are important to ensure the security of the secrets.
+
+IMPORTANT: You should evaluate and choose the right project that fits your specific use case and requirements. 
+
+[#secretReferences]
+=== References to Secrets
+
+This approach requires two main parts:
+* A Secret Management System (link:https://www.vaultproject.io/[HashiCorp Vault], link:https://www.conjur.org/[Conjur], link:https://lyft.github.io/confidant/[Confidant])
+* A controller that retrieves the secret from the Secret Management System and translates it to a Kubernetes Secret or injects it into the Pod directly (link:https://external-secrets.io/v0.7.0/[External Secrets Operator], link:https://github.com/kubernetes-sigs/secrets-store-csi-driver[Kubernetes Secrets Store CSI Driver], link:https://developer.hashicorp.com/vault/docs/platform/k8s/injector[Vault Agent Injector]) 
+* Secrets are uploaded/created directly into the Secret Management System
+* References to secrets are stored in Git
+* A controller reads the references to secrets and translates them into Kubernetes secrets
+
+IMPORTANT: HashiCorp Vault runs only on the HUB
+
+[#vault]
+* The Vault has multiple kubernetes backends configured by the unsealVault Cron Job (one for each cluster)
+* There is one ESO instance for each cluster (ESO is currently unsupported)
+* Each ESO instance logs into the HashiCorp Vault using a specific login path that was configured with the credentials of that instance
+* Vault will authenticate the requests by talking to the API endpoints of the clusters where the login request originated from
+
+[#eso]
+
+* At a high-level the External Secrets Operator reads secrets from the Vault and converts them into Kubernetes Secrets
+* To populate the Vault with our secret material we use `make load-secrets`
+* Normally a user would create ~/values-secret-<patternname>.yaml following the contents of values-secret.yaml.template in the pattern’s git repository
+* Running `./pattern.sh make load-secrets` will populate the Vault with our secrets
+
+NOTE: Provisioning the vault can be complex, so it is taken care of by the framework
+
+* Vault unsealing and configuration happens in the **imperative** namespace with a CronJob
+
+NOTE: The Unseal vault cron job is idempotent and runs every five minutes on the hub only
+
+image::unseal-vault-cronjob.png[]
+
+* The **vaultkeys** secret containing the keys to unseal the vault and the vault root token that can be used to login to the vault’s UI is created 
+
+IMPORTANT: It is **strongly** recommended that the **vaultkeys** secret in the **imperative** namespace is exported to a safe space and removed. It contains the keys needed to unseal the vault whenever it gets restarted
+
+[#vaultconcepts]
+=== Vault Concepts
+
+* Secrets are stored in **Vault** in specific **paths**
+* **secret/global/config-demo** is the **path**
+* Each **path** can have multiple attributes
+* **secret** is one attribute at this path
+* In this case secret is autogenerated by default inside the vault directly
+
+[.INFORMATION]
+====
+By default there are three paths that can be used
+
+* **secret/global/*** accessible by the hub and all managed clusters
+* **secret/hub/*** accessible only by the hub cluster
+* **secret/<fqdn of managed cluster>/*** accessible only by the fqdn-defined cluster
+====
+
+TIP: You can think of a path as being a single dictionary with multiple keys. An external secret looks for a path and then has a templating system to extract keys and put them in kubernetes secrets.
+
+[source,yaml]
+----
+secrets:
+  - name: config-demo
+	vaultPrefixes:
+	- global
+	fields:
+	- name: secret
+  	onMissingValue: generate
+  	vaultPolicy: validatedPatternDefaultPolicy
+----
+
+From the vault interface perspective:
+
+image::global-configdemo-vault.png[]

documentation/modules/ROOT/pages/secrets.adoc

@@ -12,4 +12,43 @@ include::main@vp-workshop:ROOT:partial$topicHeader.adoc[]
 * Secrets Loading
 ** How secrets are loaded out of band into the Vault
 
-[#]
+[#secretsGitops]
+== Secrets Management vs. GitOps
+
+* GitOps’ entire premise is to use Git as the source of truth for infrastructure and application configuration
+* Automation is in place (ArgoCD) to translate Git’s source of truth into infrastructure applications inside OpenShift
+* Storing confidential data (passwords, private keys, secrets, authentication tokens, …) in Git is fundamentally a security vulnerability and should be avoided (even if the Git repository is private and access control is in place)
+* Once confidential data is out in clear-text (or in some reversible form), it has to be considered as compromised
+
+[#approaches]
+== Approaches
+
+* There are two fundamental approaches to manage secret material within a GitOps context
+* **Encrypted Secrets** stored inside Git repositories
+* **References to Secrets** stored inside Git repositories and the actual secret is stored somewhere else
+
+[#encryptedSecrets]
+=== Encrypted Secrets
+
+* Secrets are stored in an encrypted form inside the Git repository
+* Automation and helper tools do the decryption to create Kubernetes secrets from them
+* A number of projects exist that implement this approach:
+** link:https://github.com/bitnami-labs/sealed-secrets[Sealed Secrets]
+** link:https://github.com/mozilla/sops[Mozilla’s Secret OPerationS (SOPS)]
+** Other smaller ones (link:https://github.com/kapicorp/tesoro[Tesoro], link:https://github.com/Soluto/kamus[Kamus])
+
+These projects provide an easy way to encrypt and decrypt the secrets, and make sure that only authorized users can access them.
+The encryption method and key management should be considered carefully as they are important to ensure the security of the secrets.
+
+IMPORTANT: You should evaluate and choose the right project that fits your specific use case and requirements. 
+
+[#secretReferences]
+=== References to Secrets
+
+This approach requires two main parts:
+
+* A Secret Management System (link:https://www.vaultproject.io/[HashiCorp Vault], link:https://www.conjur.org/[Conjur], link:https://lyft.github.io/confidant/[Confidant])
+* A controller that retrieves the secret from the Secret Management System and translates it to a Kubernetes Secret or injects it into the Pod directly (link:https://external-secrets.io/v0.7.0/[External Secrets Operators], link:https://github.com/kubernetes-sigs/secrets-store-csi-driver[Kubernetes Secrets Store CSI Driver], link:https://developer.hashicorp.com/vault/docs/platform/k8s/injector[Vault Agent Injector]) 
+* Secrets are uploaded/created directly into the Secret Management System
+* References to secrets are stored in Git
+* A controller reads the references to secrets and translates them into Kubernetes secrets