Skip to content

Latest commit

 

History

History
133 lines (92 loc) · 4.85 KB

SecretsManagement.md

File metadata and controls

133 lines (92 loc) · 4.85 KB

Secrets management with HashiCorp Vault Service

The client credentials, database passwords, access tokens are considered as secrets and they are usually kept in a vault. CatenaX have a central Hashicorp vault component to store these types of secrets and credentails to prevant from revealing them in a public source code repository to ensure security. These secrets are then utilized by Kubernetes resources through helm charts in a safe and secure manner.

At the time of writing this guide, ArgoCD was used to deploy the application. It accesses the secrets through its built-in vault plugins which solves the secret management issues with GitOps. Vault plugin internally uses a special vault token for authentication, retrieve actual secret values against their keys and subsitute them in a deployment.

Further read about ArgoCD valut plugin here: ArgoCD vault plugin

MaterialPass team is allocated a vault space at HashiCorp Vault - Material Pass .

To access a material pass vault space, a vault token is required

Vault contents:

  • edc/oauth#api.key
  • edc/participant#bpnNumber
  • backend/#signKey
  • backend#clientId
  • backend#clientSecret
  • oauth#realm
  • oauth#appId
  • oauth#xApiKey

To put a secret from vault, a special pattern is followed in helm values files:

<path:some/path#secret-key#version>

Some examples below:

<path:material-pass/data/int/edc/vault#vault.hashicorp.url>
<path:material-pass/data/int/edc/vault#vault.hashicorp.url#1>

Note: /data/ path is always be placed after material-pass, though it is not defined in a vault directory structure. AVP uses this data path itself internally.

Local Run

Using Docker

If dpp frontend is run using docker, the following environment variables must be set in build and deploy script:

  • APP_VERSION
  • APP_API_MAX_RETRIES
  • API_SEARCH_TIMEOUT
  • API_NEGOTIATE_TIMEOUT
  • API_DECLINE_TIMEOUT
  • APP_API_DELAY
  • REPO_COMMIT_ID
  • REPO_ENDPOINT_URL
  • AUTH_ROLE_CHECK
  • AUTH_BPN_CHECK
  • AUTH_BPN_NUMBER
  • APP_PORTAL_URL
  • APP_ADMIN_EMAIL
  • APP_AUTO_SIGN
  • IDENTITY_PROVIDER_URL
  • HOST_URL
  • DATA_URL
  • KEYCLOAK_CLIENTID
  • KEYCLOAK_REALM
  • KEYCLOAK_ONLOAD
# run script
../buildAndDeploy.sh consumer-ui

Using Helm

The required variables must be set in values-*.yaml file manually.

Secrets Scanning

Veracode

Veracode upload-and-scan is used for secret scanning and scan results are then published in veracode dashboard once job is completed Static Application Serucity Testing

Git Guardian

Git Guardian tool is used to scan secrets within application. It is currently active in the repository and managed by SEC team.

Pre-commit Hook:

A client side git hook that runs prior to commit code changes.

Pre-push Hook:

A client-side git hook similar to pre-commit hook that runs right before code changes are pushed to a remote origin.

GitGuardian hooks are performed through ggshield utility. ggshield is a wrapper around GitGuardian API for secrets detection that requires an API key to work. Please refer the official documentation for more information here

Links

NOTICE

This work is licensed under the CC-BY-4.0.

  • SPDX-License-Identifier: CC-BY-4.0
  • SPDX-FileCopyrightText: 2022, 2024 BMW AG
  • SPDX-FileCopyrightText: 2022, 2024 Henkel AG & Co KGaA
  • SPDX-FileCopyrightText: 2023, 2024 CGI Deutschland B.V. & Co. KG
  • SPDX-FileCopyrightText: 2023, 2024 Contributors to the Eclipse Foundation
  • Source URL: https://github.com/eclipse-tractusx/digital-product-pass