3c5fa979a4
Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com>
47 lines
1.5 KiB
ReStructuredText
.. mab1596215747624

.. _security-vault-overview:

==============
Vault Overview
==============

|prod| optionally integrates the open source Vault containerized security
application into the |prod| solution. Vault requires |PVCs| to be enabled,
because it uses them as its storage backend.

Vault is a containerized secrets management application that provides
encrypted storage with policy-based access control and supports multiple
secrets storage engines and auth methods.

|prod| includes a Vault-manager container that handles initialization of the
Vault servers. Vault-manager can also automatically unseal Vault servers in
deployments where an external auto-unseal method cannot be used. For more
information, see `https://www.vaultproject.io/
<https://www.vaultproject.io/>`__.

There are two methods for using Vault secrets with hosted applications:

.. _security-vault-overview-ul-ekx-y4m-4mb:

- The first method is for the application to be Vault Aware: it authenticates
  to Vault and retrieves secrets through the Vault REST API. This method also
  lets an application write secrets to Vault, provided the Vault policy
  attached to its token grants write capability (``create`` or ``update``) on
  the specified Vault path; otherwise Vault rejects the request with HTTP 403
  ``permission denied``.

  .. xbooklink

  For more information, see |usertasks-doc|: :ref:`Vault Aware <vault-aware>`.

- The second method is for the application to be Vault Unaware: the Vault
  Agent Injector adds a Vault Agent sidecar to the pod, which authenticates to
  Vault on the application's behalf and renders the secrets as files on the
  container filesystem. The application reads those files and needs no Vault
  client code.

  .. xbooklink

  For more information, see |usertasks-doc|: :ref:`Vault Unaware <vault-unaware>`.
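The Vault Aware method in practice, as an added example that is not part of this page, of |prod| or of HashiCorp Vault: a minimal Python client for the Vault KV v2 secrets engine over the Vault HTTP API. The ``/v1/<mount>/data/<path>`` endpoints, the ``X-Vault-Token`` header, the KV v2 response envelope and the 403 result for a policy denial are Vault's documented behaviour; the Vault service address, the token strings, the secret path and the in-memory ``FakeVault`` stand-in (a constructed per-token policy table so the example runs offline) are assumptions made for this example. Pass ``urllib_transport`` (the default) to talk to a real Vault server.

```python
"""Minimal 'Vault Aware' client for the Vault KV v2 engine over the HTTP API.
Example code added to this page; not StarlingX or HashiCorp code.

Real endpoints used (KV v2 engine mounted at <mount>):
  POST /v1/<mount>/data/<path>   write a new secret version
  GET  /v1/<mount>/data/<path>   read the latest version
Authentication is the X-Vault-Token header; whether the token may read or
write a path is decided by the policy attached to it (403 when denied).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method, url, headers, body):
    """Default transport: plain HTTP with urllib, for use against a real Vault."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


class VaultPermissionDenied(Exception):
    """The token's policy does not grant the needed capability on the path."""


class VaultKV2Client:
    def __init__(self, addr: str, token: str, mount: str = "secret",
                 transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.mount = mount.strip("/")
        self.transport = transport
        # The token is a bearer credential: keep it out of logs and tracebacks.
        self._headers = {"X-Vault-Token": token, "Content-Type": "application/json"}

    def _url(self, path: str) -> str:
        return f"{self.addr}/v1/{self.mount}/data/{path.strip('/')}"

    def _check(self, status: int, body: dict, verb: str, path: str) -> None:
        if status == 403:
            raise VaultPermissionDenied(f"{verb} denied on {self.mount}/{path}: {body.get('errors')}")
        if status == 404:
            raise KeyError(path)
        if status >= 400:
            raise RuntimeError(f"Vault returned {status}: {body.get('errors')}")

    def write(self, path: str, data: Dict[str, str]) -> int:
        """Write a new version of the secret at <mount>/<path>; returns its version."""
        body = json.dumps({"data": data}).encode()
        status, resp = self.transport("POST", self._url(path), self._headers, body)
        self._check(status, resp, "write", path)
        return resp["data"]["version"]

    def read(self, path: str) -> Dict[str, str]:
        """Read the latest version; KV v2 nests the key/values under data.data."""
        status, resp = self.transport("GET", self._url(path), self._headers, None)
        self._check(status, resp, "read", path)
        return resp["data"]["data"]


class FakeVault:
    """Constructed offline stand-in: one KV v2 mount plus a token -> policy
    table.  A policy maps a path prefix to capabilities, mirroring a Vault HCL
    policy such as:  path "secret/data/myapp/*" { capabilities = ["read"] }
    """
    def __init__(self, policies: Dict[str, Dict[str, set]]):
        self.policies = policies           # token -> {prefix: {"read", "create", "update"}}
        self.store: Dict[str, Tuple[int, dict]] = {}   # path -> (version, data)

    def _allowed(self, token, path, cap):
        return any(path.startswith(p) and cap in caps
                   for p, caps in self.policies.get(token, {}).items())

    def __call__(self, method, url, headers, body):
        token = headers.get("X-Vault-Token", "")
        path = url.split("/v1/", 1)[1]     # e.g. secret/data/myapp/db
        denied = (403, {"errors": ["permission denied"]})   # constructed error body
        if method == "GET":
            if not self._allowed(token, path, "read"):
                return denied
            if path not in self.store:
                return 404, {"errors": []}
            version, data = self.store[path]
            return 200, {"data": {"data": data, "metadata": {"version": version}}}
        if method == "POST":
            # Vault distinguishes creating a new secret from updating an existing one.
            cap = "update" if path in self.store else "create"
            if not self._allowed(token, path, cap):
                return denied
            version = self.store.get(path, (0, {}))[0] + 1
            self.store[path] = (version, json.loads(body)["data"])
            return 200, {"data": {"version": version}}
        return 405, {"errors": ["method not allowed"]}


def demo():
    """A writer token (create/update/read under myapp/) and a read-only token:
    the reader can fetch the secret but its write attempt is refused."""
    vault = FakeVault({
        "s.writer": {"secret/data/myapp/": {"create", "update", "read"}},
        "s.reader": {"secret/data/myapp/": {"read"}},
    })
    addr = "http://vault.vault.svc:8200"   # assumed in-cluster service address
    writer = VaultKV2Client(addr, "s.writer", transport=vault)
    reader = VaultKV2Client(addr, "s.reader", transport=vault)
    version = writer.write("myapp/db", {"username": "app", "password": "hunter2"})
    got = reader.read("myapp/db")
    try:
        reader.write("myapp/db", {"password": "tampered"})
        denied = False
    except VaultPermissionDenied:
        denied = True
    return version, got, denied


if __name__ == "__main__":
    print(demo())
```

The client deliberately raises a distinct exception for a policy denial so an application can tell "my token lacks the capability" apart from "the secret does not exist yet" (404) and from server errors; with a real Vault the only change is to drop the ``transport=vault`` argument.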
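The Vault Unaware method in practice, as an added example that is not part of this page or of |prod|: a Kubernetes Deployment whose pod template carries the Vault Agent Injector annotations. The ``vault.hashicorp.com/*`` annotation names, the ``/vault/secrets/<name>`` render location and the ``.Data.data`` template field for KV v2 are the injector's documented interface; the application name, image, service account, Vault role and secret path are assumptions made for this example.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp            # assumed application name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        # Ask the injector webhook to add the Vault Agent sidecar to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role in Vault; its policy must grant read on the path below.
        vault.hashicorp.com/role: "myapp"
        # Render secret/data/myapp/db (KV v2) to /vault/secrets/db inside the pod.
        vault.hashicorp.com/agent-inject-secret-db: "secret/data/myapp/db"
        # Optional template: emit only the fields the application needs.
        vault.hashicorp.com/agent-inject-template-db: |
          {{- with secret "secret/data/myapp/db" -}}
          DB_USER={{ .Data.data.username }}
          DB_PASS={{ .Data.data.password }}
          {{- end }}
    spec:
      # The service account is what the agent presents to Vault's Kubernetes
      # auth method; the Vault role "myapp" must be bound to it.
      serviceAccountName: myapp
      containers:
        - name: myapp
          image: myapp:1.0          # assumed image
          command: ["/bin/sh", "-c"]
          # The application only reads the rendered file; it never talks to Vault.
          args: ["set -a; . /vault/secrets/db; set +a; exec /app/server"]
```

Because the agent runs as a sidecar, the file is kept current when the secret is rotated in Vault; if the application only needs the secret once at start-up, add ``vault.hashicorp.com/agent-pre-populate-only: "true"`` so the agent runs as an init container and no sidecar (or its Vault token) stays resident in the pod.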