[ENH] - Use GitHub secrets instead of Vault #2835

marcelovilla · 2024-11-08T10:27:57Z

We're currently relying on Vault, hosted on HashiCorp Cloud Platform, to read secrets for our GHA workflows. For example:

Lines 61 to 70 in 855aa14

	- name: Retrieve secret from Vault
	uses: hashicorp/[email protected]
	with:
	method: jwt
	url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
	namespace: "admin/quansight"
	role: "repository-nebari-dev-nebari-role"
	secrets: \|
	kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name \| AWS_ROLE_ARN;
	kv/data/repository/nebari-dev/nebari/cloudflare/[email protected]/nebari-dev-ci token \| CLOUDFLARE_TOKEN;

In the previous months, our Vault configuration has broken, resulting in failing GHA jobs when trying to read secrets. Here's a recent example: https://github.com/nebari-dev/nebari/actions/runs/11628815929/job/32384643624#step:5:32

I think we could simplify our secret management logic and use GitHub secrets instead.

Migrating from Vault to GitHub secrets would reduce the maintenance burden and avoid jobs failing because of a broken Vault configuration.

No response

Adam-D-Lewis · 2024-11-11T16:21:19Z

We talked about this in the maintainers meeting this morning and were in favor of this change.

marcelovilla added type: enhancement 💅🏼 New feature or request area: CI/CD 👷🏽‍♀️ labels Nov 8, 2024

github-project-automation bot added this to 🪴 Nebari Project Management Nov 8, 2024

github-project-automation bot moved this to New 🚦 in 🪴 Nebari Project Management Nov 8, 2024

marcelovilla mentioned this issue Nov 8, 2024

[ENH] Move Vault secrets and provider auth to custom action #2756

Closed

10 tasks

marcelovilla added the good first issue Good for newcomers label Nov 12, 2024

marcelovilla assigned smokestacklightnin Nov 13, 2024

Provide feedback