Bank-Vaults is a thick, tricky, shifty right with a fast and intense tube for experienced surfers only, located on Mentawai. Think heavy steel doors, secret unlocking combinations and burly guards with smack-down attitudes. Watch out for clean-up sets.
Bank-Vaults is a wrapper for the official Vault client with automatic token renewal, built-in Kubernetes support, dynamic database credential management, multiple unseal options, automatic re/configuration and more.
At Banzai Cloud, we’ve been building an open source next generation platform as a service, called Pipeline, which is constructed on top of Kubernetes. With the Banzai Cloud Pipeline platform, we provision large, multi-tenant Kubernetes clusters on all major cloud providers, and deploy different workloads to these clusters. We needed to find an industry standards-based way for our users to publish and interact with protected endpoints, while simultaneously providing dynamic secrets management for all the applications we support, each of which is native to Kubernetes. After several proof-of-concepts, we chose HashiCorp’s Vault, and we began to integrate our many Pipeline PaaS components. After a while, work on this project (all of which is open sourced and available on GitHub) began to feel like reinventing the wheel, so we decided to externalize all the enterprise grade security features into a new project. Welcome to Bank-Vaults.
Security series:
Authentication and authorization of Pipeline users with OAuth2 and Vault
Dynamic credentials with Vault using Kubernetes Service Accounts
Dynamic SSH with Vault and Pipeline
Secure Kubernetes Deployments with Vault and Pipeline
Policy enforcement on K8s with Pipeline
The Vault swiss-army knife
The Banzai Cloud Vault Operator
Vault unseal flow with KMS
Kubernetes secret management with Pipeline
Container vulnerability scans with Pipeline
Kubernetes API proxy with Pipeline
Credit to HashiCorp for open sourcing Vault and making secret management easier and more secure. This project would not have been possible without the open source community.
We repeatedly push large deployments to different cloud providers, all of which are automated and managed by Pipeline and use Kubernetes. However, we purposefully designed Bank-Vaults in such a way that it is able to operate independently of Kubernetes. Pushing out a secure deployment to the cloud or Kubernetes follows a certain order or flow, and since we were repeating that flow so often, we built it into Bank-Vaults. At a high level, the project is a CLI tool to manage and configure Vault, a Golang library on which to build functionality, a Kubernetes deployment using a Helm chart to deploy production-ready HA Vault clusters, a Vault operator to manage the lifecycle of the cluster, and a collection of scripts to configure cloud instances.
Let’s briefly review these features; for additional information and to get the code in question, please visit the project’s microsite or GitHub repository.
The bank-vaults CLI tool helps automate the setup and management of Vault.
Features include a development mode (a replacement for vault server -dev dev mode Vault servers). For a list of external configurations, please visit the CLI tool’s site. Once a configuration YAML is pushed with the CLI tool, we re/configure the Vault cluster in the backend, and apply those changes. Here are a few of our options:
This repository contains several Go packages for interacting with Vault:
auth (note: this is currently WIP; we are extracting the code from https://github.com/banzaicloud/pipeline/tree/master/auth)
vault
database: a helper for creating database source strings (MySQL/PostgreSQL) with database credentials generated dynamically based on configured Vault roles (instead of a static username:password).
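A worked example of the flow the database helper wraps, added here and not Bank-Vaults’ own code: it calls Vault’s database secrets engine over the HTTP API (assumed to be mounted at database/ with a role named readonly, both constructed), builds a PostgreSQL source string from the short-lived credentials Vault returns, and serves a constructed fake Vault reply so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)
// vaultCreds is the part of Vault's GET /v1/database/creds/<role> reply used here.
type vaultCreds struct {
	LeaseDuration int `json:"lease_duration"` // seconds until Vault revokes the pair
	Data          struct {
		Username string `json:"username"`
		Password string `json:"password"`
	} `json:"data"`
}

// fetchCreds asks Vault's database secrets engine to generate a pair for role.
func fetchCreds(vaultAddr, token, role string) (*vaultCreds, error) {
	req, err := http.NewRequest("GET", vaultAddr+"/v1/database/creds/"+role, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault: %s", resp.Status)
	}
	c := &vaultCreds{}
	return c, json.NewDecoder(resp.Body).Decode(c)
}

// postgresDSN builds a libpq URL; url.UserPassword percent-escapes the random
// password, which may contain '@', '/' or ':' and would otherwise break parsing.
func postgresDSN(c *vaultCreds, host, db string) string {
	u := url.URL{Scheme: "postgres", User: url.UserPassword(c.Data.Username, c.Data.Password),
		Host: host, Path: "/" + db, RawQuery: "sslmode=require"}
	return u.String()
}
// newFakeVault serves one constructed creds response so the example runs offline.
func newFakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"lease_duration":3600,"data":{"username":"v-token-readonly-x1","password":"A1b2@c3/d4"}}`)
	}))
}
```

Against a real Vault, renew or re-fetch before lease_duration elapses; the pair is revoked when the lease expires.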
We have a fully fledged, production-ready Helm chart for Vault that uses bank-vaults. With the help of this chart, you can run a HA Vault instance with automatic initialization, unsealing and external configuration, which used to be tedious manual operations. In addition, this chart can easily be used for development purposes.
We have a Vault operator built on bank-vaults, with features such as running Vault in -dev mode.
We have some interesting features in beta testing/the development pipeline, most of them tracked as GitHub issues; however, we’d like to mention one that’s particularly popular among our users:
We hope you’re as enthusiastic about this project as we are, and appreciate the effort we’ve put into securing our Pipeline PaaS. We take bank-vaults security and our users’ trust very seriously, so if you believe you have found a security issue in bank-vaults, please contact us at security@banzaicloud.com.