
[Sandbox] Bank-Vaults #54

Closed
2 tasks done
sagikazarmark opened this issue Aug 4, 2023 · 23 comments

@sagikazarmark

sagikazarmark commented Aug 4, 2023

Application contact emails

mark.sagikazar@gmail.com, team@bank-vaults.dev, ospo@cisco.com

Project Summary

Bank-Vaults is a set of tools covering many aspects of secret management in the Cloud Native ecosystem.

Project Description

Bank-Vaults is an umbrella project for Cloud Native secret management tools:

  • Bank-Vaults CLI to make configuring Hashicorp Vault easier
  • Vault operator to make operating Hashicorp Vault on top of Kubernetes easier
  • Vault secrets webhook to inject secrets directly into Kubernetes pods
  • Vault SDK to make working with Vault easier in Go
  • and others

Bank-Vaults aims to help developers and SREs alike by covering the entire secret management pipeline from operating a secret store to injecting and using secrets in applications.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/bank-vaults

Project repo URL in scope of application

https://github.com/bank-vaults/bank-vaults

Additional repos in scope of the application

https://github.com/bank-vaults/vault-operator
https://github.com/bank-vaults/vault-secrets-webhook
https://github.com/bank-vaults/vault-sdk
https://github.com/bank-vaults/vault-helm-chart

Website URL

https://bank-vaults.dev

Roadmap

Roadmap

Roadmap context

The roadmap is still being defined. We are talking to users to figure out their needs and prioritize new features. We already have a number of items on the roadmap, but most of the effort is still going into the project migration from the banzaicloud GitHub organization.

One important goal for the near future is to broaden the scope of the project and add support for other secret management solutions than Hashicorp’s Vault.

Contributing Guide

https://bank-vaults.dev/docs/contributing/

Code of Conduct (CoC)

https://bank-vaults.dev/docs/code-of-conduct/

Adopters

https://github.com/bank-vaults/bank-vaults/blob/main/ADOPTERS.md

Contributing or Sponsoring Org

https://opensource.cisco.com

Maintainers file

https://github.com/bank-vaults/bank-vaults/blob/main/MAINTAINERS.md

IP Policy

  • If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

  • If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

The CNCF hosts a vibrant and diverse community of developers and organizations. Contributing to this ecosystem allows Bank-Vaults to attract more contributors, leading to better and faster improvements. Furthermore, the CNCF is able to provide a vendor neutral home for the project, allowing for collaboration among various vendors, fostering the creation of a solution that delivers collective benefits to all stakeholders within the ecosystem.

Benefit to the Landscape

Bank-Vaults is a well-known solution in the Cloud Native ecosystem. It’s been around longer than most of the competing projects (in fact, Bank-Vaults served as an inspiration for some of them). When looking at secret management solutions in the Cloud Native ecosystem (particularly Kubernetes), Bank-Vaults represents one of the established models for application secret management.

Cloud Native 'Fit'

Bank-Vaults best fits under the Security & Compliance category.

Cloud Native 'Integration'

The project does not depend on any CNCF projects per se. It uses various libraries (for example from Kubernetes). It primarily depends on Hashicorp Vault at the moment.

Cloud Native Overlap

There is no strong overlap with existing solutions. There are other secret management solutions in the CNCF landscape (for example External Secrets Operator), but it takes a fundamentally different approach to managing secrets. Also, Bank-Vaults has a much broader scope (for example has an operator for managing Vault on Kubernetes in addition to managing secret injection).

Similar projects

The aforementioned External Secrets Operator is what’s closest within the CNCF.

DoiT has a secrets-init component that’s basically a fork of the Vault secrets webhook implementing the same functionality for AWS and GCP secret managers (something that we also plan to add):

https://github.com/doitintl/secrets-init
https://github.com/doitintl/kube-secrets-init

(It’s basically unmaintained at this point)

Another tool based on Bank-Vaults’ webhook: https://github.com/innovia/secrets-consumer-webhook

Another similar tool (basically unmaintained): https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook

Landscape

No

Business Product or Service to Project separation

N/A

Project presentations

Automating secret rotation in Kubernetes:
https://fosdem.org/2023/schedule/event/container_kubernetes_secret_rotation/

Automate Secret Rotation in Kubernetes, Then Get Out of the Way!:
https://www.youtube.com/watch?v=NTdyznb6Lc4

Project champions

@sagikazarmark
@justaugustus

Additional information

No response

@nikhita
Member

nikhita commented Aug 7, 2023

@sagikazarmark can you also present bank-vaults at a TAG Security meeting? Thanks!

@sagikazarmark
Author

@nikhita sure thing!

I opened an issue as per the TAG guidelines: cncf/tag-security#1103

@sagikazarmark
Author

sagikazarmark commented Aug 22, 2023

@nikhita FYI I haven't received an answer for my presentation request yet. I tried to follow the process outlined in the tag-security repository. If you can help me find the right person/accelerate our request, that would be great.

Update: I managed to get a slot on the Sept 6th meeting.

Thanks!

@anvega

anvega commented Sep 8, 2023

Hey, I just wanted to chime in and say thanks to @sagikazarmark for presenting to TAG Security. It's very neat what Bank Vaults is doing. It's super cool how they've made the painful aspects of setting up and managing HashiCorp Vault a breeze, alleviating a lot of the complexities that can drive ops teams crazy. I've been a longtime fan of their approach to secret injection using mutating webhooks and an init container over Kubernetes Secrets or custom sidecars, which was pioneered by them years ago in their time at Banzai Cloud and is now being contributed to the broader community under open governance. The other noteworthy feature set is the support for swappable encrypted backends to come with it.

And on a more official note, the TAG is supportive of the project's inclusion in the CNCF. This project is a game changer in advancing secrets management in the open. Its admission as a sandbox project will lend the opportunity to give it a closer look and help sharpen the value prop on how it does things that can't be done with Vault alone. Additionally, it will provide the opportunity for resourcing and tighter collaboration for us to assist in producing a detailed security assessment including a threat model asset.

The project team has expressed their intention to sign their release artifacts, which is a positive step towards enhancing security. We strongly encourage them to prioritize this aspect in the near term, along with considering other security practices outlined in the OpenSSF Best Practices. It's an opportune time to assess which practices are already in place and to work towards implementing those that are not yet addressed.

Last, it's worth noting that the project has demonstrated due diligence regarding license compliance and is in communication with the appropriate contacts within the CNCF to ensure alignment.

@sagikazarmark
Author

Thank you @anvega !

As said on the call, enhancing our supply chain security is on the roadmap, but it kinda stalled due to some of the tooling being overly complex in our opinion.

We would be happy to collaborate with the TAG on that as well as the threat assessment exercise mentioned on the call.

I've set up a board for tracking improvements to supply chain security: Supply chain security improvements

@amye amye moved this from 📋 New to 🏗 Upcoming in Sandbox Application Board - next Review is May 13, 2025 Nov 9, 2023
@TheFoxAtWork TheFoxAtWork self-assigned this Nov 28, 2023
@amye amye moved this from 🏗 Upcoming to 🌮 Postponed in Sandbox Application Board - next Review is May 13, 2025 Dec 12, 2023
@amye amye added the Postponed label (Project is not ready for inclusion in the CNCF) Dec 12, 2023
@TheFoxAtWork
Contributor

TheFoxAtWork commented Dec 12, 2023

@sagikazarmark Thank you for applying! We've placed this project in postponed status.

Given the project's only current integration is with Hashicorp Vault, the TOC requests this project integrate with other commercial and open source secrets management solutions before re-applying at a later date. LF Edge, for instance, is working on an open source project that would be excellent to integrate with once there is code in that repo.

When you are ready to reapply, please update the application and tag myself or @amye so we may return it to the queue.

@sagikazarmark
Author

@TheFoxAtWork thank you for your reply and consideration!

We are actually working on a number of integrations with other secret providers. We are also monitoring the aforementioned LF Edge project.

@pdecat

pdecat commented Dec 18, 2023

FYI, there's a fork of Hashicorp Vault named OpenBao happening at LF Edge:

@sagikazarmark
Author

Thanks @pdecat! I already reached out to them.

@amye

amye commented Apr 3, 2024

Checking in here, should this be closed or returned for review?

@TheFoxAtWork
Contributor

Should be closed until the project advances integration of other commercial and open source secrets management solutions. Steps if that were to occur are captured in the same area:

a. If the project has had substantial changes to the original information provided, open a new issue and link to the previous issue in the Additional information question (last question on the form). The project will be reviewed as if it were a new project applying but retain the historical context of the previous review to assist in evaluation.

b1. If the project has had no substantial changes, the originator of the issue may reopen it and provide a brief status update that addresses the TOC closure comments with a comment Revisit Ready. The TOC or staff will apply the Returning label and place the issue in the Upcoming status for discussion at the next meeting.

b1 is more likely here.

@sagikazarmark
Author

sagikazarmark commented Jun 5, 2024

@TheFoxAtWork @amye, here is a brief project update:

  • Support both OpenBao and HashiCorp Vault (where applicable)
  • New unseal options for OpenBao/Vault
    • OCI (Oracle Cloud)
    • Azure
  • New secret injection providers
    • OpenBao
    • AWS (both SM and SSM)
    • GCP
    • Azure
  • Providers in progress
    • Bitwarden
    • Infisical

We've also made the project less reliant on Vault concepts in general and added or improved new components. The project became a whole ecosystem for secret management on Kubernetes, providing a viable alternative to using Kubernetes Secrets.

We've collected a more detailed list of changes here.

We ask that you consider revisiting the project in an upcoming review session.

We are also happy to provide an in-depth review of the changes we made in the last couple months.

Thanks!

@TheFoxAtWork
Contributor

TheFoxAtWork commented Jun 6, 2024

@jeefy @mrbobbytables do we have space to add this to the June 11 mtg since it's a returning project? Cc: @nikhita

@ramizpolic

@TheFoxAtWork do we have any news on this? If approved, should we also present the changes made since the last review meeting? Thanks a lot!

@TheFoxAtWork TheFoxAtWork added the Returning label (This application has been updated and is ready for second review) and removed the Postponed (Project is not ready for inclusion in the CNCF) and New (New Application) labels Jun 10, 2024
@TheFoxAtWork TheFoxAtWork reopened this Jun 10, 2024
@jberkus
Contributor

jberkus commented Jun 10, 2024

TAG-CS Check:

  • Has a pretty good contributor guide, including small docs for maintainers and developers
  • Has security reporting guide
  • Does not have written governance yet
  • Has 6 maintainers, 3 from Cisco and 3 from various other employers

@mrbobbytables
Member

Follow-up from today's sandbox review, Bank-Vaults will be moved to a vote 👍
/vote


git-vote bot commented Jun 11, 2024

Vote created

@mrbobbytables has called for a vote on [Sandbox] Bank-Vaults (#54).

The members of the following teams have binding votes:

Team: @cncf/cncf-toc

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor: 👍 | Against: 👎 | Abstain: 👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 2 months 30 days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

@TheFoxAtWork
Contributor

/check-vote


git-vote bot commented Jun 17, 2024

Vote status

So far 36.36% of the users with binding vote are in favor (passing threshold: 66%).

Summary

In favor: 4 | Against: 0 | Abstain: 0 | Not voted: 7

Binding votes (4)

User Vote Timestamp
dims In favor 2024-06-11 22:50:26.0 +00:00:00
rochaporto In favor 2024-06-12 9:10:54.0 +00:00:00
TheFoxAtWork In favor 2024-06-12 14:26:59.0 +00:00:00
nikhita In favor 2024-06-14 5:49:02.0 +00:00:00
@angellk Pending
@mauilion Pending
@linsun Pending
@dzolotusky Pending
@kevin-wangzefeng Pending
@cathyhongzhang Pending
@kgamanji Pending

Non-binding votes (27)

User Vote Timestamp
csatizs In favor 2024-06-11 17:34:19.0 +00:00:00
pbalogh-sa In favor 2024-06-12 7:04:48.0 +00:00:00
mh013370 In favor 2024-06-12 7:20:55.0 +00:00:00
ramizpolic In favor 2024-06-12 8:25:33.0 +00:00:00
csendesm In favor 2024-06-12 8:32:35.0 +00:00:00
pregnor In favor 2024-06-12 10:34:53.0 +00:00:00
arpad-csepi In favor 2024-06-12 10:35:53.0 +00:00:00
Laci21 In favor 2024-06-12 10:39:59.0 +00:00:00
kerezsiz42 In favor 2024-06-12 10:41:00.0 +00:00:00
waynz0r In favor 2024-06-12 10:49:21.0 +00:00:00
asdwsda In favor 2024-06-12 10:50:43.0 +00:00:00
szykes In favor 2024-06-12 10:58:45.0 +00:00:00
zsoltkacsandi In favor 2024-06-12 11:19:33.0 +00:00:00
bonifaido In favor 2024-06-12 11:40:50.0 +00:00:00
adamtagscherer In favor 2024-06-12 11:51:15.0 +00:00:00
hi-im-aren In favor 2024-06-12 11:51:44.0 +00:00:00
lpuskas In favor 2024-06-12 12:01:04.0 +00:00:00
paralta In favor 2024-06-12 12:31:22.0 +00:00:00
HelmiRdh In favor 2024-06-12 13:23:19.0 +00:00:00
matewolf In favor 2024-06-12 14:43:10.0 +00:00:00
csatib02 In favor 2024-06-12 15:03:58.0 +00:00:00
sando38 In favor 2024-06-12 15:06:02.0 +00:00:00
lgecse In favor 2024-06-13 6:16:45.0 +00:00:00
akijakya In favor 2024-06-13 12:13:45.0 +00:00:00
azsejkib In favor 2024-06-14 21:13:11.0 +00:00:00
BognarMate In favor 2024-06-15 19:42:18.0 +00:00:00
chrism417 In favor 2024-06-17 0:39:36.0 +00:00:00

@mrbobbytables
Member

/check-vote


git-vote bot commented Jun 17, 2024

Votes can only be checked once a day.


git-vote bot commented Jun 18, 2024

Vote closed

The vote passed! 🎉

72.73% of the users with binding vote were in favor (passing threshold: 66%).

Summary

In favor: 8 | Against: 0 | Abstain: 0 | Not voted: 3

Binding votes (8)

User Vote Timestamp
@dzolotusky In favor 2024-06-18 4:06:48.0 +00:00:00
@dims In favor 2024-06-11 22:50:26.0 +00:00:00
@TheFoxAtWork In favor 2024-06-12 14:26:59.0 +00:00:00
@nikhita In favor 2024-06-14 5:49:02.0 +00:00:00
@angellk In favor 2024-06-17 14:47:00.0 +00:00:00
@kevin-wangzefeng In favor 2024-06-18 2:00:12.0 +00:00:00
@kgamanji In favor 2024-06-18 6:37:24.0 +00:00:00
@rochaporto In favor 2024-06-12 9:10:54.0 +00:00:00

Non-binding votes (33)

User Vote Timestamp
@csatizs In favor 2024-06-11 17:34:19.0 +00:00:00
@pbalogh-sa In favor 2024-06-12 7:04:48.0 +00:00:00
@mh013370 In favor 2024-06-12 7:20:55.0 +00:00:00
@ramizpolic In favor 2024-06-12 8:25:33.0 +00:00:00
@csendesm In favor 2024-06-12 8:32:35.0 +00:00:00
@pregnor In favor 2024-06-12 10:34:53.0 +00:00:00
@arpad-csepi In favor 2024-06-12 10:35:53.0 +00:00:00
@Laci21 In favor 2024-06-12 10:39:59.0 +00:00:00
@kerezsiz42 In favor 2024-06-12 10:41:00.0 +00:00:00
@waynz0r In favor 2024-06-12 10:49:21.0 +00:00:00
@asdwsda In favor 2024-06-12 10:50:43.0 +00:00:00
@szykes In favor 2024-06-12 10:58:45.0 +00:00:00
@zsoltkacsandi In favor 2024-06-12 11:19:33.0 +00:00:00
@bonifaido In favor 2024-06-12 11:40:50.0 +00:00:00
@adamtagscherer In favor 2024-06-12 11:51:15.0 +00:00:00
@hi-im-aren In favor 2024-06-12 11:51:44.0 +00:00:00
@lpuskas In favor 2024-06-12 12:01:04.0 +00:00:00
@paralta In favor 2024-06-12 12:31:22.0 +00:00:00
@HelmiRdh In favor 2024-06-12 13:23:19.0 +00:00:00
@matewolf In favor 2024-06-12 14:43:10.0 +00:00:00
@csatib02 In favor 2024-06-12 15:03:58.0 +00:00:00
@sando38 In favor 2024-06-12 15:06:02.0 +00:00:00
@lgecse In favor 2024-06-13 6:16:45.0 +00:00:00
@akijakya In favor 2024-06-13 12:13:45.0 +00:00:00
@azsejkib In favor 2024-06-14 21:13:11.0 +00:00:00
@BognarMate In favor 2024-06-15 19:42:18.0 +00:00:00
@chrism417 In favor 2024-06-17 0:39:36.0 +00:00:00
@jeffnyman In favor 2024-06-17 17:00:12.0 +00:00:00
@ivesiure In favor 2024-06-17 17:02:52.0 +00:00:00
@khaigh In favor 2024-06-17 17:10:16.0 +00:00:00
@heathmills In favor 2024-06-17 17:44:47.0 +00:00:00
@jmwinn21 In favor 2024-06-17 18:14:36.0 +00:00:00
@Tehsmash In favor 2024-06-18 7:44:34.0 +00:00:00

@Cmierly

Cmierly commented Jul 8, 2024

Hello and congrats on being accepted as a CNCF Sandbox project!

Here is the link to your onboarding task list: #142

Feel free to reach out with any questions you might have!

@Cmierly Cmierly closed this as completed Jul 8, 2024