Implementation of a Centralized Secret Storage for an Agricultural IT Company

Project Description
The client is an IT company specializing in solutions for agriculture. The company's main areas of work are the development of autonomous agricultural systems, topographic surveying of terrain with drones, and analysis of vegetation condition based on the images obtained.

Client's Main Requests: Implement a centralized secret storage within the company. The company had started actively working with external contractors, which necessitated a radical review of its approach to the security of tokens, passwords, and other sensitive data. Integrate the centralized secret storage with GitLab CI/CD and with several key systems in self-hosted Kubernetes, including JupyterHub.
Key Metrics
  • 6 internal teams
  • 10+ subcontractors working with sensitive data
Key Challenges and Results
After discussions with the client and a full audit of its infrastructure and of how it handled secrets, we settled on HashiCorp Vault as the most suitable solution.

We deployed HashiCorp Vault (Community Edition) as two independent clusters with indirect replication between them, forming production and test zones. The next key challenge was not so much the physical deployment of the solution as its integration into everyday business processes: creating access matrices and standard roles, and migrating the teams from disparate tools to a single Vault.

As required by the Information Security department, we enabled blocking-mode audit logging of all API requests to Vault. For this, we integrated the system with the client's existing ELK-stack cluster.

The delivery of secrets to pods was organized using Vault Agent Injector, which ensured several things:
  • A strictly defined set of secrets injected into the working environment, including the Jupyter Notebook environment used by external contractors.
  • Complete logging of all requests to secrets.
  • Automatic rotation of secrets in databases and third-party information systems through Vault's built-in mechanisms.
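The following is an added illustration, not the client's manifests: a Kubernetes Deployment annotated for the Vault Agent Injector so that the sidecar renders exactly two secrets (one static KV entry and one set of dynamic database credentials) into the pod. The workload name, namespace, Vault role, secret paths, image and service account are assumptions.

```yaml
# Added example (not from the project): Vault Agent Injector annotations on a Deployment.
# Matching Vault policy (HCL, assumed) attached to the "vegetation-analysis" role, which
# grants this pod nothing beyond the two paths referenced below:
#   path "kv/data/analytics/s3"        { capabilities = ["read"] }
#   path "database/creds/analytics-ro" { capabilities = ["read"] }
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vegetation-analysis          # hypothetical workload name
  namespace: analytics               # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vegetation-analysis
  template:
    metadata:
      labels:
        app: vegetation-analysis
      annotations:
        # Turn the injector on for this pod; Vault Agent runs as a sidecar.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role bound to this namespace and service account only.
        vault.hashicorp.com/role: "vegetation-analysis"
        # Mount path of the kubernetes auth method (default shown).
        vault.hashicorp.com/auth-path: "auth/kubernetes"
        # Static KV v2 secret, rendered to /vault/secrets/s3 as env-file lines.
        vault.hashicorp.com/agent-inject-secret-s3: "kv/data/analytics/s3"
        vault.hashicorp.com/agent-inject-template-s3: |
          {{- with secret "kv/data/analytics/s3" -}}
          AWS_ACCESS_KEY_ID={{ .Data.data.access_key }}
          AWS_SECRET_ACCESS_KEY={{ .Data.data.secret_key }}
          {{- end }}
        # Dynamic DB credentials: Vault issues a short-lived user per pod and the
        # sidecar renews or re-renders it, which is the automatic rotation described above.
        vault.hashicorp.com/agent-inject-secret-db: "database/creds/analytics-ro"
        vault.hashicorp.com/agent-inject-template-db: |
          {{- with secret "database/creds/analytics-ro" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.analytics.svc:5432/vegetation
          {{- end }}
    spec:
      serviceAccountName: vegetation-analysis   # assumed service account
      containers:
        - name: app
          image: registry.example.internal/vegetation-analysis:1.0   # placeholder image
          # The app reads the rendered files; nothing secret lives in the image or the repo.
          command: ["sh", "-c", "set -a; . /vault/secrets/s3; set +a; exec python -m app"]
```

Every read the sidecar performs against those two paths appears in Vault's audit log with the pod's service-account identity, which is what makes the per-secret request logging mentioned above possible.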

As a result of our work, the client received a centralized, transparent secret storage that significantly reduced the risk of accidental leaks of passwords, tokens, and other sensitive data through secrets committed to code or through unauthorized access.
