Secrets and encryption management subsystem


1. Overview

The Secrets and encryption management subsystem handles the encryption of sensitive registry data and, on request from the target registry services, synchronizes secrets to them by creating and monitoring ExternalSecret resources.

2. Subsystem functions

  • Storing the encryption/decryption keys.

  • Synchronizing and updating secrets between HashiCorp Vault storage and the container orchestration platform.

4. Subsystem components

Component name | Registry representation | Source | Repository | Function
--- | --- | --- | --- | ---
Secrets and encryption management service | hashicorp-vault | 3rd-party | github:/epam/edp-ddm-hashicorp-vault | Secure storage of encryption keys for other subsystems to support data encryption and decryption.
Platform secrets management subsystem and OpenShift secrets synchronization service | external-secrets-operator | 3rd-party | github:/external-secrets/external-secrets | Automating the process of securely retrieving and synchronizing sensitive data between HashiCorp Vault and OKD Secrets.
Secrets update service for target registry services | reloader | 3rd-party | github:/stakater/Reloader | Monitoring the changes in the configuration and secrets of registry components and updating the pods via Rolling Update.
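The following manifests are an added example (not the platform's own configuration) of how the three components above are chained: a SecretStore authenticates the external-secrets operator to Vault, an ExternalSecret materializes a Vault entry as an OKD/Kubernetes Secret, and a Reloader annotation on the consuming Deployment triggers a rolling update when that Secret changes. The resource names, Vault address, KV mount, Vault role, service account and secret path are placeholders; all objects are assumed to be applied to one namespace, and the external-secrets.io/v1beta1 API version is assumed to be served by the installed operator.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: { name: vault-registry-store }           # placeholder name
spec:
  provider:
    vault:
      server: "https://hashicorp-vault.example.svc:8200"   # placeholder Vault URL
      path: "secret"          # KV v2 mount; replace with the real mount name
      version: "v2"
      auth:
        kubernetes:           # Vault Kubernetes auth: operator SA token -> Vault role
          mountPath: "kubernetes"
          role: "example-registry-role"             # placeholder Vault role
          serviceAccountRef:
            name: "external-secrets-reader"         # placeholder service account
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: registry-db-credentials }
spec:
  refreshInterval: 1h         # operator re-reads Vault on this cadence
  secretStoreRef:
    name: vault-registry-store
    kind: SecretStore
  target:
    name: registry-db-credentials   # Secret created and owned by the operator
    creationPolicy: Owner
  data:
    - secretKey: password     # key inside the resulting Kubernetes Secret
      remoteRef:
        key: example-registry/db    # placeholder KV v2 path under the mount
        property: password          # field of the Vault entry to copy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-api          # placeholder registry workload
  annotations:
    # Reloader watches the Secrets this Deployment consumes and performs
    # a rolling update when their content changes
    reloader.stakater.com/auto: "true"
spec:
  selector: { matchLabels: { app: registry-api } }
  template:
    metadata: { labels: { app: registry-api } }
    spec:
      containers:
        - name: api
          image: example.registry/registry-api:placeholder
          envFrom: [ { secretRef: { name: registry-db-credentials } } ]
```

Rotating the value in Vault therefore propagates within one refreshInterval without anyone handling the secret: the operator rewrites the Secret and Reloader restarts the pods that mount it.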

5. Technology stack

The following technologies were used when designing and developing the subsystem:

6. Subsystem quality attributes

6.1. Security

The subsystem uses strong encryption algorithms to store sensitive data and implements reliable access control.

6.2. Observability

The subsystem records detailed information about authentication attempts, secrets retrieval, and other operations, enabling you to meet compliance requirements.

The subsystem also supports logging of incoming requests and collection of performance metrics for analysis through the web interfaces of the respective Platform subsystems.

For details on the subsystem design, see: