Support multiple Vault secret engine per connector
in progress
Gray Deer
It seems the Vault connector is about making Vault API calls to fetch the secrets using the Vault token, and the same Vault token can actually be used to fetch secrets from different Vault secrets engines at the same time. Therefore, supporting a 1:n mapping between a Vault connector and Vault secrets engines would be ideal and feasible.
This post was marked as in progress
Prateek Mittal
next fiscal quarter
Gray Deer
Prateek Mittal: Hi Prateek
We are looking to implement an account level custom secret manager as our Vault connector. This is because the shell script that we use to connect to Vault is common among all projects and therefore the connector can be put at account level as a template shared by all projects. The pipelines in each project will still run on the delegates within each project, and when the pipelines fetch secrets, the account level Vault connector will be used.
I am passing on an inquiry that was raised by our team.
Given that the pipelines from all projects, when fetching every secret, will consume this Vault connector, should we worry about the connector being a bottleneck? The argument is that the connector will be accessed via a Harness API call for its invocation. When all projects have pipelines that run on their own delegates but want to access the same account-level connector, is the number of Harness API calls / invocations something that can become a problem?
In my view, even if we create the custom secret manager at project level by copying the same template across all projects, the number of Harness API calls to access the connector won't reduce. At the same time, we already have other account-level connectors in place for other functionality, and they have been accessed by all projects without any issue so far.
Hope we can get some clarification. Thank you.
Prateek Mittal
Gray Deer: The connector logic is the same for all connectors; if you already have other account-level connectors in place for other functionality, this should also not have any impact from the Harness side. The only issue I could foresee is if Vault has any kind of rate limiting on its side.
Gray Deer
Prateek Mittal: Thank you Prateek for confirming. We have an in-house Vault team that will review our design, and we will consult them on the Vault side of things.
Prateek Mittal
pending feedback
Gray Deer
Prateek Mittal: Hi Prateek
We tested via the Harness GUI and it looks like we might be able to make it work.
Could you help us understand:
1 - Is there any API that supports:
a) create a secret manager template
b) create a custom secret manager connector
c) create a secret that uses a custom secret manager connector and accepts input variables
2 - Is there Harness Terraform Provider for the same a), b) and c)?
Prateek Mittal
Gray Deer: That's great news that custom secret manager will work for this.
- Secret manager template API - https://apidocs.harness.io/tag/Templates#operation/createTemplate
- Custom secret manager connector API - https://apidocs.harness.io/tag/Connectors#operation/createConnector
This API accepts "CustomSecretManager" as one of the parameters.
- Create a secret - https://apidocs.harness.io/tag/Account-Secret#operation/create-account-scoped-secret
Terraform provider -
- Template - https://registry.terraform.io/providers/harness/harness/latest/docs/resources/platform_template
- Secret text - https://registry.terraform.io/providers/harness/harness/latest/docs/data-sources/platform_secret_text
- I couldn't find the Terraform resource for the custom secret manager and will follow up internally on the same.
Let me know if you are looking for any other information.
Gray Deer
Prateek Mittal: Hi Prateek
We encountered some issues when following the Harness documentation to create secrets (at project level) that use the custom secret manager connector.
1 - Harness API
This /v1/secrets API - https://apidocs.harness.io/tag/Project-Secret#operation/create-project-scoped-secret - only supports a secret value type of either "Inline" or "Reference", so it can't be used for secrets that use a custom secret manager connector. However, we found out by testing that the Harness /v2/secrets API can support the secret value type "CustomSecretManagerValues". Could you confirm with your technical team that /v2/secrets is the right one to use?
2 - Harness Terraform Provider
We followed this page - https://registry.terraform.io/providers/harness/harness/latest/docs/resources/platform_secret_text - The required field "value_type" allows either "reference" or "inline". Using any other value_type results in this error: "expected value_type to be one of [Reference Inline]". Could you check with your team whether there is a Harness Terraform Provider resource for creating text secrets using a custom secret manager connector?
This is important to us, as we are using Terraform to manage all the Harness secrets at project level, and we would like to keep doing so when we introduce the custom secret manager.
Prateek Mittal
Gray Deer: /v2/secrets is the right API to use.
I have raised a request to support the Terraform provider for the custom secrets manager.
Gray Deer
Prateek Mittal: Thank you Prateek for raising a request.
To be precise, we would like to ask that the CustomSecretManagerValues type be added here.
Gray Deer
Prateek Mittal: Thank you for raising the request for us. Could you share the feature ticket number for our reference?
Prateek Mittal
Gray Deer: The internal ticket reference is PL-46767.
Gray Deer
Prateek Mittal: Hi Prateek, is there a response from your internal team to acknowledge our request?
Prateek Mittal
Gray Deer: Yes, this has been added to our roadmap already.
Gray Deer
Prateek Mittal: Thank you Prateek. Is there any ETA forecast in terms of this being released early/mid/late next quarter, so that we can plan our delivery accordingly?
Prateek Mittal
Gray Deer: It is being added to our next quarter plan with an ETA for end of next quarter. I will try to expedite it for an early release.
Bronze Firefly
Prateek Mittal: Were you able to have PL-46767 expedited? I understand it is quite straightforward to implement.
Prateek Mittal
Hi Zita,
Thanks for the call yesterday and going over the requirement.
I discussed internally and we believe the above request can be solved by using a custom secrets manager. A custom secret manager uses a shell script that you can execute either on a Harness delegate or on a remote host that can connect to the delegate. Harness fetches and reads your secrets from the Vault secret manager through this shell script.
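To make the two points in this thread concrete (one Vault token reading from several secrets engines, and a connector script that fetches from Vault on the delegate's behalf), here is an added example that is not Harness code or code from anyone in this thread. It issues the Vault KV v2 read (`GET /v1/<mount>/data/<path>` with the token in `X-Vault-Token`) for any number of (mount, path, key) triples with a single token, and surfaces the case that matters operationally: a 403 on a mount the token's policy does not cover. The Vault address, mount names, paths and token are constructed placeholders, and `fake_fetch` is an offline stand-in for the Vault server so the example runs without network access.

```python
"""Read keys from several Vault KV v2 engines with one token.

Added example; not from Harness or from this thread. Everything under
vault.example.internal, the mount names and the token are constructed.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Fetch = Callable[[str, str], bytes]


def kv2_url(vault_addr: str, mount: str, secret_path: str) -> str:
    """KV v2 read endpoint: <addr>/v1/<mount>/data/<path> (mount is the engine)."""
    return (f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}"
            f"/data/{secret_path.strip('/')}")


def http_fetch(url: str, token: str) -> bytes:
    """Real transport: GET with the token in X-Vault-Token (needs network)."""
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def read_kv2(vault_addr: str, token: str, mount: str, secret_path: str,
             key: str, fetch: Fetch = http_fetch) -> str:
    """Return one key from one KV v2 engine.

    A 403 from Vault means the token's policy does not grant read on this
    mount/path; it is raised as PermissionError so a caller can tell it apart
    from a missing key.
    """
    url = kv2_url(vault_addr, mount, secret_path)
    try:
        raw = fetch(url, token)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError(
                f"token not permitted to read {mount}/{secret_path}") from err
        raise
    data = json.loads(raw).get("data", {}).get("data", {})
    if key not in data:
        raise KeyError(f"{key!r} not found at {mount}/{secret_path}")
    return data[key]


def read_many(vault_addr: str, token: str,
              wanted: Iterable[Tuple[str, str, str]],
              fetch: Fetch = http_fetch) -> Dict[str, str]:
    """One token, many engines: result is keyed '<mount>/<path>#<key>'."""
    return {f"{m}/{p}#{k}": read_kv2(vault_addr, token, m, p, k, fetch)
            for m, p, k in wanted}


# --- constructed offline stand-in for a Vault server (two engines mounted) ---
_VAULT = "https://vault.example.internal"
_TOKEN = "s.constructed-token"
_FAKE_STORE = {
    f"{_VAULT}/v1/kv-app/data/payments/db": {
        "data": {"data": {"username": "svc_pay", "password": "pw-constructed-1"},
                 "metadata": {"version": 3}}},
    f"{_VAULT}/v1/kv-infra/data/registry": {
        "data": {"data": {"token": "reg-constructed-2"},
                 "metadata": {"version": 1}}},
}
_DENIED_MOUNT = "kv-hr"  # mounted, but the constructed token's policy excludes it


def fake_fetch(url: str, token: str) -> bytes:
    """Mimic Vault's HTTP behaviour: 403 for bad token or uncovered mount, 404 otherwise."""
    if token != _TOKEN or f"/v1/{_DENIED_MOUNT}/" in url:
        raise urllib.error.HTTPError(url, 403, "permission denied", None, None)
    if url not in _FAKE_STORE:
        raise urllib.error.HTTPError(url, 404, "not found", None, None)
    return json.dumps(_FAKE_STORE[url]).encode()


if __name__ == "__main__":
    wanted = [("kv-app", "payments/db", "username"),
              ("kv-app", "payments/db", "password"),
              ("kv-infra", "registry", "token")]
    for name, value in read_many(_VAULT, _TOKEN, wanted, fetch=fake_fetch).items():
        print(f"{name} -> {value}")
    try:
        read_kv2(_VAULT, _TOKEN, "kv-hr", "salaries", "db", fetch=fake_fetch)
    except PermissionError as e:
        print(f"denied as expected: {e}")
```

The engine mount is just a path segment in the request, which is why a single connector holding one token can serve many engines; what actually bounds the 1:n mapping is the token's policy, so a denied mount shows up as a 403 rather than as a connector error. For a real deployment, swap `fake_fetch` for `http_fetch` and take the token from the delegate's environment rather than from the script text.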
Gray Deer
Prateek Mittal: Hi Prateek, I will give the custom secrets manager a try.
Prateek Mittal
Gray Deer: Thanks. Please let me know the feedback based on your testing.
Prateek Mittal
under review