Choose a secret management solution

Problem

• The services we'll be running require access to configuration data, access tokens, cryptographic keys, and other confidential data.
• For obvious reasons, those should be kept securely.
• See https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
• The solutions needs to be completely open source.

Goal

• Weigh SOPS, Vault and OpenBao against each other.
• Document the advantages/disadvantages

ACs

• A secret management solution has been chosen
• This solution, and the reasons for/against cf. other options, have been documented in the form of an ADR

Notes/ resources

• Why not k8s secrets?
  • per default stored unencrypted in etcd
  • See https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#alternatives-to-kubernetes-secret-resources
• Maybe do a test deployment in minikube to evaluate the dev ux?
• Consider
  • Should be compatible with https://argocd-vault-plugin.readthedocs.io/en/stable/backends/
  • That leaves SOPS, Vault and OpenBao.
  • Vault is BUSL licensed, unclear whether we can use it.
  • OpenBao is a fork of Vault created by the Linux Foundation.
  • As a bonus, the solution would also allow human-to-human secret exchange ("password manager") on top of human-to-machine secret storage.

Who needs to be involved / informed

• reviewers:
• involved: team::infra-and-ops
• informed: