(WIP/DRAFT) Docs/hashicorp key management.md #114
Conversation
For the plugins specifically, Have not listed the old `.2` version as that does not include the full suite of plugins (missing hashicorp)
tools/mariadb-enterprise-operator/plugins/hashicorp-key-management.md
Outdated
Show resolved
Hide resolved
|
|
||
| plugin_load_add = hashicorp_key_management | ||
| hashicorp-key-management-vault-url=http://vault-0.vault-internal.vault.svc.cluster.local:8200/v1/mariadb # Change to your Vault URL. | ||
| hashicorp-key-management-token=EXAMPLE_TOKEN # This needs to be changed to your token |
There was a problem hiding this comment.
Alternatively, we can supply the HashiCorp configuration in a Secret, and use the volumes and volumeMounts to mount it under /etc/mysql/mariadb.conf.d/
There was a problem hiding this comment.
We could explore extending the operator to support myCnfSecretKeyRef in further iterations, to achieve this in a more native way.
There was a problem hiding this comment.
Ah, tunnel visioned here. I was literally working with Secret Mounts for ldap, yet forgot I can use them for this too. Thanks, that is perfect
| max_allowed_packet=256M | ||
|
|
||
| plugin_load_add = hashicorp_key_management | ||
| hashicorp-key-management-vault-url=http://vault-0.vault-internal.vault.svc.cluster.local:8200/v1/mariadb # Change to your Vault URL. |
There was a problem hiding this comment.
We should include a hashicorp-key-management-vault-ca to establish the TLS trust:
https://mariadb.com/docs/server/security/securing-mariadb/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/hashicorp-key-management-plugin#hashicorp-key-management-vault-ca
| 3. **(Optional) Create An Authentication Token.** | ||
| This step can be skipped if you want to use your own token. Consult with a Vault administrator regarding this. If you want to create a new one: | ||
| ```sh | ||
| vault token create |
There was a problem hiding this comment.
Although the plugin documentation says:
Authentication is done using the Hashicorp Vault's token authentication method
This will be a static token, something not desirable by any security team. We could stick to this instructions, but additionally refer to the other available Vault authentication methods, which allow you to generate a short-lived Vault token. For example, the approle one can generate a Vault token based on a acces id and secret key:
https://developer.hashicorp.com/vault/docs/auth/approle
So the user could authenticate with any of the supported methods by Vault, and obtain a Vault token, rather than creating a static token.
There was a problem hiding this comment.
Technically, yes. But regarding short-lived tokens, that is impossible without interruption... I do have a better approach tho, will update
There was a problem hiding this comment.
approle will be a problem too, unless it has 0 ttl, which wouldn't really be any different from tokens I believe.
| token_accessor 9sHvwKiddpCT2PaplcHHRAnv | ||
| token_duration ∞ | ||
| token_renewable false | ||
| token_policies ["root"] |
There was a problem hiding this comment.
Ideally, we should have a custom policy that allows all operations under the /mariadb/* keys, rather than in the entire Vault.
There was a problem hiding this comment.
I know this is done like this in the blog, but it is far from ideal.
Besides, the plugin is not configuring any authentication method nor anything global in vault, it just reads keys under a kv path, so their permissions should be scoped to /mariadb/*.
There was a problem hiding this comment.
Yeah, the dev server didn't care for policies 😄 But now since we want a TLS example I had to spin up a standalone instance and a custom policy was a must.
| ``` | ||
| If you check the encrpytion status again: | ||
| ```sql | ||
| SELECT * from information_schema.INNODB_TABLESPACES_ENCRYPTION; |
There was a problem hiding this comment.
Could we share the output of this query?
Additionally, as described in this blog, we can show that the /var/lib/mysql/*/*.ibd is actually encrypted.
There was a problem hiding this comment.
Regarding the blog, I couldn't reproduce that... something must have changed.
| ```sql | ||
| SELECT * from information_schema.INNODB_TABLESPACES_ENCRYPTION; | ||
| ``` | ||
| You should see `CURRENT_KEY_VERSION` column start getting updated to point to the new key version. |
There was a problem hiding this comment.
Show an example output of this CURRENT_KEY_VERSION
tools/mariadb-enterprise-operator/plugins/hashicorp-key-management.md
Outdated
Show resolved
Hide resolved
|
|
||
| ## Day-2 Ops | ||
|
|
||
| ### Rotating Secrets. |
There was a problem hiding this comment.
This is way better than what the file encryption plugin:
https://mariadb.com/resources/blog/mariadb-encryption-tde-using-mariadbs-file-key-management-encryption-plugin/
Do you see any benefit of supporting the file encryption plugin at this point?
There was a problem hiding this comment.
I feel like we are lacking in options. The file key management plugin is not production ready, while vault is great, but it's the only option right now.
At the same time, for some customers that file key management plugin could be a good option.
This commit is a work in progress, just pushing some changes while @ KCD
No description provided.