Secrets - severalnines/ccx-admin-guide GitHub Wiki
Secrets
CCX stores sensitive information in the form of secrets.
Such secrets include:
- SSH Keys: to connect to the database cluster
- Database Credentials: to connect to the database cluster - this is shown to end-users in the UI
These secrets are stored using Kubernetes Secrets.
This provides great flexibility in how the secrets are stored and managed, since Kubernetes Secrets, in addition to the default etcd storage, can be stored in a variety of backends, such as HashiCorp Vault, AWS KMS, Azure Key Vault, etc.
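For a self-managed cluster that keeps the default etcd storage, the following is an added example (not part of the CCX guide or chart) of a kube-apiserver EncryptionConfiguration that envelope-encrypts Secret objects through a KMS v2 plugin; without such a configuration the API server writes Secrets to etcd unencrypted. The plugin name and socket path are assumptions and must match the KMS plugin deployed on your control plane.

```yaml
# Added example: encryption at rest for Kubernetes Secrets in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets              # covers the SSH keys and database credentials CCX stores
    providers:
      # The first provider in the list is used for all new writes.
      - kms:
          apiVersion: v2
          name: example-kms-plugin                        # assumption: placeholder name
          endpoint: unix:///var/run/kmsplugin/socket.sock # assumption: placeholder socket
          timeout: 3s
      # identity = no encryption. Listed last so that Secrets written
      # before encryption was enabled can still be read. Remove it once
      # every Secret has been rewritten through the kms provider.
      - identity: {}
```

The file is passed to kube-apiserver with `--encryption-provider-config`; on managed Kubernetes services that flag is not exposed and envelope encryption is enabled through the provider's own settings. Secrets written before the change stay in their old form until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.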
Migration
Prior to CCX 1.48, secrets were stored using Vault. This is being phased out in favor of Kubernetes Secrets.
The configuration for secrets is defined in the CCX values YAML, as follows:
ccx:
  useK8sSecrets: true # or false for vault
If useK8sSecrets is set to true, the secrets will be stored in Kubernetes Secrets. Existing secrets will be automatically migrated to Kubernetes Secrets, and Vault will no longer be required for CCX.
If it is set to false, the secrets will be stored in Vault.
Notice: In the future, Vault will no longer be supported and the Vault configuration will be discontinued.