Banzai Cloud Pipeline uses HashiCorp Vault to generate and manage Secrets inside the controlplane and also on the provisioned clusters. This gives us the ability to generate dynamic credentials (like TLS certificates, and database passwords, tokens) and to protect our data in a centralized way with proper encryption.

The platform stores all confidental and sensitive data inside Vault like: cloud provider credentials, database passwords, image registry credentials and TLS certificate bundles for Kubernetes cluster creation.

Vault is installed and configured as part of Banzai Cloud Pipeline with the open-source Bank-Vaults project. However Vault can be installed on Pipeline managed clusters as well.

The Bank-Vaults cluster feature

One of the most powerful features of the Bank-Vaults project is injecting secrets directly into Pods. This is achieved by installing a mutating webhook into the cluster which catches all (or the configured) Pod creations and injects a special binary which is configured to access Vault configured via Kubernetes annotations. The detailed documentation of this feature can be found in the repository.

Pipeline offers a Bank-Vaults feauture which installs and configures this webhook in a target cluster. It can also configure a defined Vault instance to be able to serve your Secrets to the webhook properly. There are two scenarios for this: - If no Vault URL is provided, the Pipeline Vault instance will be configured by means of policy and authentication - If a Vault URL is provided the Vault instance will be configured only if a Vault token with the required permissions is also provided by the user to mount a Kubernetes authentication backend and define policies in Vault. In case the token is not provided the URL will be still used, but the aforementioned configurations will become an exercise to the user.

To enable this feature it is required to enter a list of Kubernetes Service Accounts and Namespaces, since the authentication against Vault is based on Kubernetes Service Account Tokens. At least one Service Account has to be provided, but the namespaces can be left empty in which case all namespaces are authenticated.

The following policy will be added to Vault (if configured by Pipeline), which allows the defined Service Accounts in the cluster to read secrets from Vault:

path "secret/org/{orgID}/*" {
    capabilities = ["read", "list"]
}