The module is available only in Deckhouse Enterprise Edition.
How to enable the module
The module can be enabled by applying a ModuleConfig resource in which the module is set to enabled, or by executing the command:
kubectl -n d8-system exec deploy/deckhouse -c deckhouse -it -- deckhouse-controller module enable stronghold
By default, the module runs in the Automatic mode with the Ingress inlet. In the current version there are no other inlets or modes.
How to access the service
Access to the service is provided through inlets. Currently, only one inlet, Ingress, is available.
The web interface address for Stronghold is derived from the publicDomainTemplate parameter of the Deckhouse global configuration: the %s placeholder in that template is substituted. For example, if publicDomainTemplate is set to %s-kube.company.my, then the Stronghold web interface will be accessible at the address obtained from that template.
Data Storage. Operating Modes.
The data stored in Stronghold is encrypted. To decrypt the storage data, an encryption key is required. The encryption key is also stored with the data (as part of key bundles), but it is encrypted with another encryption key known as the root key. To decrypt Stronghold data, it is necessary to decrypt the encryption key, which requires the root key. Unsealing the storage is the process of gaining access to this root key. The root key is stored along with all other storage data but is encrypted with another mechanism: the unseal key.
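The key hierarchy described above (data encrypted under an encryption key, that key encrypted under the root key, the root key encrypted under the unseal key) is easier to reason about in code. The following is an added illustration written for this page, not Stronghold's own implementation: it models the three layers with AES-256-GCM from the Go standard library, and the type and function names (StoredBundle, Initialize, Unseal, ReadSecret) are chosen here for the example. Note that the on-disk bundle never contains the unseal key; without it the root key, and therefore everything below it, stays unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredBundle models what sits in the storage: every layer is encrypted,
// and the key for the outermost layer (the unseal key) is held elsewhere.
type StoredBundle struct {
	EncRootKey []byte // root key, encrypted under the unseal key
	EncDataKey []byte // data encryption key, encrypted under the root key
	EncSecret  []byte // secret data, encrypted under the data encryption key
}

// newKey returns a fresh 256-bit random key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealWith encrypts plaintext with AES-256-GCM; the nonce is prefixed to the output.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; authentication failure (wrong key or tampering) is an error.
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Initialize builds the layered bundle: secret -> data key -> root key -> unseal key.
// Only the unseal key leaves this function in the clear (it is what the operator keeps).
func Initialize(unsealKey, secret []byte) (*StoredBundle, error) {
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	dataKey, err := newKey()
	if err != nil {
		return nil, err
	}
	encSecret, err := sealWith(dataKey, secret)
	if err != nil {
		return nil, err
	}
	encDataKey, err := sealWith(rootKey, dataKey)
	if err != nil {
		return nil, err
	}
	encRootKey, err := sealWith(unsealKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &StoredBundle{EncRootKey: encRootKey, EncDataKey: encDataKey, EncSecret: encSecret}, nil
}

// Unseal recovers the root key from the bundle; this is the only step that needs the unseal key.
func Unseal(unsealKey []byte, b *StoredBundle) ([]byte, error) {
	return openWith(unsealKey, b.EncRootKey)
}

// ReadSecret decrypts the data key with the root key, then the secret with the data key.
func ReadSecret(rootKey []byte, b *StoredBundle) ([]byte, error) {
	dataKey, err := openWith(rootKey, b.EncDataKey)
	if err != nil {
		return nil, err
	}
	return openWith(dataKey, b.EncSecret)
}

func main() {
	unseal, _ := newKey() // constructed for the demo; a real unseal key is kept outside the storage
	bundle, _ := Initialize(unseal, []byte("db-password")) // constructed sample secret
	root, err := Unseal(unseal, bundle)
	if err != nil {
		fmt.Println("unseal failed:", err)
		return
	}
	secret, _ := ReadSecret(root, bundle)
	fmt.Printf("unsealed and read secret: %q\n", secret)
}
```

The shape of the example mirrors the text: restarting a node is equivalent to holding only the bundle, and Unseal cannot succeed until the unseal key is supplied again, which is exactly what the Automatic mode does on the operator's behalf by reading it from the cluster secret.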
In the current version of the module there is only the Automatic mode, in which the storage is initialized automatically on the first launch of the module. During initialization, the unseal key and the root token are both placed into the stronghold-keys secret in the d8-stronghold namespace of the Kubernetes cluster. After initialization, the module automatically unseals the nodes of the Stronghold cluster. Because that secret holds both the unseal key and the root token, read access to it is equivalent to full access to the storage, so access to the secret should be restricted accordingly.
In the Automatic mode, if Stronghold nodes are restarted, the storage is again unsealed automatically without manual intervention.
The role named deckhouse_administrators is created after storage initialization in the Automatic mode of the Stronghold module. This role is granted access to the web interface through OIDC authentication via Dex.
Additionally, the current Deckhouse cluster is automatically connected to Stronghold. This is required for the secrets-store-integration module to operate.
To provide access to users who are members of the admins group (group membership is conveyed from the IdP or LDAP in use via Dex), specify this group in the administrators array of the ModuleConfig:
- type: Group
To grant administrator rights to individual users, for example those with the securityoperator role, you can use the following parameters in the ModuleConfig:
- type: User
- type: User
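The two fragments above, and the enabling step at the top of the page, combine into one ModuleConfig. The following is an added example assembled for this page, not taken from the Deckhouse documentation: the apiVersion, kind, spec.enabled and spec.settings fields are the standard ModuleConfig layout, while spec.version, the name field of each administrators entry, and the two user identities are assumptions and placeholders to be replaced with real values.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: stronghold
spec:
  enabled: true          # enables the module (equivalent to "deckhouse-controller module enable stronghold")
  version: 1             # assumed settings schema version
  settings:
    administrators:
      # Members of this group (membership conveyed via Dex from the IdP/LDAP) become administrators.
      - type: Group
        name: admins     # "name" is an assumed field name
      # Individual users can be listed as well; identities below are placeholders.
      - type: User
        name: "<first-user-identity>"
      - type: User
        name: "<second-user-identity>"
```

Keep the administrators list short and review it when people change roles: every entry here maps to the deckhouse_administrators role, which has full access through the web interface.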
If needed, you can create additional users in Stronghold with narrower access to specific secrets using the storage's built-in mechanisms.