How HashiCorp Vault and Red Hat OpenShift can work together

In hybrid and multicloud environments, proper management of sensitive data-like secrets, credentials and certificates is critical to maintaining a robust security posture across Kubernetes clusters. While Kubernetes provides a Kube-native way to manage secrets, it’s generally understood that Kubernetes secrets are not particularly secret: they are base64 encoded and are accessible to cluster administrators. Additionally, anyone with privileges to create a pod in a specific namespace can access the secrets for that namespace. While at-rest protection can be provided by encrypting sensitive data stored in etcd, even stronger protection is provided by integrating an external secret manager with Red Hat OpenShift. HashiCorp Vault delivers enhanced security capabilities to Red Hat OpenShift by providing centralized secret management across a hybrid and multicloud Kubernetes infrastructure. 

As customers rapidly embrace cloud-native architectures and AI-infused workloads, complexity can invariably arise across increasingly hybrid environments, with respect to both management and security. The reality is that secrets–credentials that provide access to or within a system–are becoming more distributed and are at increased risk of secrets sprawl. Secrets such as usernames and passwords, TLS certificates, API tokens, database credentials and more are often stored insecurely, creating risk for data breaches, compliance issues and identity theft.

For hybrid and multicloud workloads, this challenge is exacerbated. Enterprises need consistent and scalable ways to manage their secrets across their lifecycle, and importantly, seek a solution that complements existing hybrid cloud application management. Red Hat OpenShift provides a comprehensive and consistent application platform trusted by thousands of customers for building, modernizing and managing traditional and cloud-native applications across any infrastructure. HashiCorp Vault with Red Hat OpenShift will enable more robust management of secrets at rest and in transit, comprehensive auditing, rich access control lists, with integrated support for multiple authentication methods across different cloud vendors, and dynamic secrets.

There are multiple ways to take advantage of HashiCorp Vault with Red Hat OpenShift. And the IBM and Red Hat teams have been working together to deliver additional supported options to help ensure that our joint customers have the best experience with our combined solutions. Here are the options available today, with a peek into our joint roadmap: 

• Vault Secrets Operator (VSO) provides an OpenShift-certified Kubernetes operator that syncs secrets and certificates from Vault to native Kubernetes secrets objects, decoupling application teams from secrets management and enabling SecOps teams to control secrets and their lifetimes. VSO tracks updates in Vault and can restart pods to stay fresh. Planned extensions will offer additional protection in transit, at rest and to the point of use in a Red Hat OpenShift and HashiCorp Vault environment.
• The Vault provider for the Secret Store CSI Driver offers an efficient, scalable path to sync secrets from Vault and other secrets stores into a shared volume. HashiCorp Vault’s provider will be certified and published to the Red Hat Ecosystem Catalog.
• The Vault Agent Sidecar Injector delivers secrets from HashiCorp Vault directly into application pods in Red Hat OpenShift for those organizations operating in regulated industries and using dynamic secrets.
• Using Vault PKI with cert-manager - Red Hat and IBM will offer a fully supported solution to connect Vault PKI to OpenShift via cert-manager. Certificates for both application and OpenShift platform services will be supported.
• Supported ESO integration - The External Secrets Operator (ESO) is a community-driven Kubernetes operator that integrates with secret management systems, including HashiCorp Vault, cloud-native secrets managers and others. Red Hat and IBM will provide a fully supported way for customers to use ESO to sync secrets from HashiCorp Vault into Red Hat OpenShift clusters.
• Kube KMS v2 integration - Encrypting sensitive cluster data at rest is important to the overall security posture of an OpenShift deployment. Red Hat and IBM will enable these encryption keys to be managed and controlled within Vault and made available for OpenShift to use without ever having to store the key locally within the cluster.
• Vault Config Operator - A fully-supported operator for deploying and configuring Vault on OpenShift will enable administration for the combined solution via Kubernetes-native GitOps workflows.

We look forward to delivering these joint enhancements, helping customers maintain a strong security posture for their Red Hat OpenShift platform and the applications deployed to it.

Want more information?

Secrets Store CSI:

Read about Red Hat OpenShift Container Platform and the secrets store CSI driver.

Check out Secrets Store CSI Driver documentation.

Explore Haschicorp’s tutorial for mounting Vault secrets through Container Storage Interface (CSI) volume.

cert-manager: 

Take a look at cert-manager documentation.

Learn about cert-manager operator for Red Hat OpenShift. 

Vault Secrets Operator:

Check out the vault secrets operator. 

External Secrets Operator:

Read about the external secrets operator.