
hh: per-team credential management #40

Open
3 tasks
cirocosta opened this issue Apr 26, 2019 · 2 comments

Comments


cirocosta commented Apr 26, 2019

Hey,

With the intent of letting teams manage their credentials, whenever a new team is on board, we could create a namespace for that team, which ATC could then use for credential retrieval.

This would make hush-house more compelling than Wings as this would allow teams to not have their credentials in plain-text in their pipelines.

As I see it, the whole flow would look like:

  1. team signs up for participating in hush-house
  2. a new team configuration is created under hush-house/teams
  3. a namespace is created for that team to add secrets to
  4. a service account that has permissions just to create/read/update/delete secrets in that namespace is created
  5. access to that service account is granted somehow

Internally, this would have the following effect:


                  person from team_a
                        |
                        |
 k8s cluster -----------+----------------------------------
 |                      |
 |                      | (auth w/ serviceaccount that has access
 |                      |  to `team_a namespace`)
 |                      |
 |    team_a namespace -+----------------------------------
 |    |                 |
 |    |                 |
 |    |                 *------CREATE_SECRET (mysecret)
 |    |                              |
 |    |                              |
 |    |                            mysecret
 |    |                              ^
 |    |                              |
 |    |                              GET_SECRET
 |    |                              |
 |    *------------------------------+----------------------
 |                                   |
 |                                   |
 |    hush-house namespace ----------+----------------------
 |    |                              |  
 |    |                              |   (access to all team namespaces)
 |    |                              |
 |    |             ATC ---get_cred--*
 |    | 
 |    *-----------------------------------------------------

Acceptance Criteria

Thanks!
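Steps 3 and 4 of the flow above, written out as Kubernetes RBAC manifests. This is an added example, not from the hush-house repository; the namespace `team-a`, the service account `team-a-secrets` and the role names are assumptions. ATC's read path from the diagram is not shown here: it would be a separate Role limited to `get` on secrets, bound with a RoleBinding in each team namespace rather than a ClusterRoleBinding.

```yaml
# Identity handed to the team (step 5 of the flow above); names assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a-secrets
  namespace: team-a
---
# Role scoped to one namespace and one resource type: secrets only.
# No rule covers other resources, so a token for this account cannot
# read pods, configmaps or anything outside team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secrets-manager
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "list", "update", "patch", "delete"]
---
# A RoleBinding (not a ClusterRoleBinding) keeps the grant inside team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-secrets-manager
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: team-a-secrets
  namespace: team-a
roleRef:
  kind: Role
  name: secrets-manager
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i list secrets -n team-a --as=system:serviceaccount:team-a:team-a-secrets` should answer yes, while the same check against another namespace or another resource should answer no.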

@cirocosta cirocosta changed the title Per-team credential management hh: per-team credential management Apr 26, 2019

cirocosta commented May 3, 2019

Unfortunately, with GKE we're not able to configure the OIDC authn provider - there's a feature request in their issue tracker https://issuetracker.google.com/issues/115687670, but it's not there yet 😞

See dexidp/dex#1268 (comment) for response from the Dex side.

@ezhiryakov

@cirocosta
It's time to return to this task.
GKE allows external OIDC providers now.
