Sharing secrets between tenants
This How-to assumes you know how to create vaults and secrets.
When a tenant shares a service with other tenants and that service requires
client authentication, the secrets used for that authentication must be shared
as well. This is done in two steps. First, the tenant that owns the vault grants
another tenant access to it with allow-tenant-access. Second, the application
that wants to read a secret from that vault must name the tenant that owns the
secret with from-tenant in its vault-secret or value-from-vault-secret section.
Here is an example, assuming platform-team will share a service with
application-team-a and application-team-b.
Expose the secret to a list of named tenants:
name: credentials
data:
  password: reallysecret
  user: admin
allow-image-access:
  - "*"
allow-tenant-access:
  - application-team-a
  - application-team-b
The corresponding payload for a certificate secret:
name: cert
auto-cert:
  issuing-ca: my-app-ca
  ttl: 30d
  host: my-app
  cert-type: server
allow-image-access:
  - "*"
allow-tenant-access:
  - application-team-a
  - application-team-b
To share with all tenants:
allow-tenant-access:
  - "*"
Now the application teams can mount the secret into their applications as usual, but must specify the tenant providing the secret.
name: app-team-as-amazing-app
services:
  - name: the-service
    volumes:
      - name: cert
        vault-secret:
          vault: my-app
          secret: cert
          from-tenant: platform-team
    variables:
      - name: MY_USER
        value-from-vault-secret:
          vault: my-app
          secret: credentials
          key: user
          from-tenant: platform-team
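The two steps above have to agree: a reference only resolves when the owning tenant listed the consumer (or "*") in allow-tenant-access and the consumer named the owner in from-tenant. The following is an added audit script, not part of this how-to or the platform, that models that rule over parsed manifests. It assumes the manifest shapes shown on this page and uses constructed sample data (the platform-team secrets above plus a hypothetical application-team-c manifest); the SHARED_SECRETS table, the function names and the "db-root" secret are assumptions for the example. It also lists secrets exposed with the "*" wildcard, which is worth reviewing when applying least privilege.

```python
"""Audit cross-tenant secret references (added example, not platform code)."""

WILDCARD = "*"

# Constructed sample: (owner tenant, vault, secret) -> allow-tenant-access list,
# mirroring the platform-team payloads on this page plus one unshared secret.
SHARED_SECRETS = {
    ("platform-team", "my-app", "credentials"): ["application-team-a", "application-team-b"],
    ("platform-team", "my-app", "cert"): [WILDCARD],
    ("platform-team", "my-app", "db-root"): [],  # hypothetical, not shared at all
}

# Parsed form of the application-team-a manifest shown above.
APP_TEAM_A = {
    "name": "app-team-as-amazing-app",
    "services": [{
        "name": "the-service",
        "volumes": [
            {"name": "cert", "vault-secret": {
                "vault": "my-app", "secret": "cert", "from-tenant": "platform-team"}},
        ],
        "variables": [
            {"name": "MY_USER", "value-from-vault-secret": {
                "vault": "my-app", "secret": "credentials", "key": "user",
                "from-tenant": "platform-team"}},
        ],
    }],
}

# Constructed manifest for a tenant that was never granted access to credentials,
# and that also forgot from-tenant on one reference.
APP_TEAM_C = {
    "name": "team-c-app",
    "services": [{
        "name": "the-service",
        "volumes": [
            {"name": "cert", "vault-secret": {
                "vault": "my-app", "secret": "cert", "from-tenant": "platform-team"}},
        ],
        "variables": [
            {"name": "MY_USER", "value-from-vault-secret": {
                "vault": "my-app", "secret": "credentials", "key": "user",
                "from-tenant": "platform-team"}},
            {"name": "MY_PASS", "value-from-vault-secret": {
                "vault": "my-app", "secret": "credentials", "key": "password"}},
        ],
    }],
}


def collect_references(app_manifest):
    """Yield (reference, location) for every vault-secret volume and
    value-from-vault-secret variable in the manifest."""
    for svc in app_manifest.get("services", []):
        for vol in svc.get("volumes", []):
            ref = vol.get("vault-secret")
            if ref:
                yield ref, f"{svc['name']}/volume/{vol['name']}"
        for var in svc.get("variables", []):
            ref = var.get("value-from-vault-secret")
            if ref:
                yield ref, f"{svc['name']}/variable/{var['name']}"


def check_reference(consumer_tenant, ref, secrets=SHARED_SECRETS):
    """Return None when the consumer may read the secret, else the reason it cannot."""
    # Without from-tenant the lookup stays inside the consumer's own tenant.
    owner = ref.get("from-tenant", consumer_tenant)
    key = (owner, ref["vault"], ref["secret"])
    if key not in secrets:
        return f"no secret {ref['secret']} in vault {ref['vault']} of tenant {owner}"
    if owner == consumer_tenant:
        return None  # own secret, no sharing needed
    allowed = secrets[key]
    if WILDCARD in allowed or consumer_tenant in allowed:
        return None
    return f"{owner} has not listed {consumer_tenant} in allow-tenant-access of {ref['secret']}"


def audit(consumer_tenant, app_manifest, secrets=SHARED_SECRETS):
    """Return [(location, reason)] for every reference that will not resolve."""
    problems = []
    for ref, where in collect_references(app_manifest):
        reason = check_reference(consumer_tenant, ref, secrets)
        if reason:
            problems.append((where, reason))
    return problems


def wildcard_shares(secrets=SHARED_SECRETS):
    """Secrets readable by every tenant; review these for least privilege."""
    return sorted(key for key, allowed in secrets.items() if WILDCARD in allowed)


if __name__ == "__main__":
    for tenant, manifest in [("application-team-a", APP_TEAM_A), ("application-team-c", APP_TEAM_C)]:
        for where, reason in audit(tenant, manifest):
            print(f"{tenant}: {where}: {reason}")
    print("shared with all tenants:", wildcard_shares())
```

Running it reports nothing for application-team-a, and two problems for application-team-c: MY_USER is denied because credentials was only shared with teams a and b, and MY_PASS fails because the missing from-tenant makes the lookup search application-team-c's own vault.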