Install hashicorp vault and secure it

Progress:

• Vault terraform prerequisites: module, security groups, networks, etc: https://gitlab.com/gitlab-com/gitlab-com-infrastructure/merge_requests/86
• Vault VM: https://gitlab.com/gitlab-com/gitlab-com-infrastructure/merge_requests/92
• [prerequisite] internal apt mirror (https://dev.gitlab.org/cookbooks/gitlab_aptly)
• Package Vault in .deb (https://gitlab.com/gitlab-pkg/gitlab-vault)
  • With config
  • With systemd unit file
  • With integration tests
  • With in-memory backend for bootstraping
  • With PGP encrypted root token and unseal keys by default
• Collect @gl-infra PGP keys (https://gitlab.com/gitlab-com/infrastructure/issues/2851)
• Setup CI vaults with reusable backend on S3
• Implement CA
• Setup staging instance of the vault and let people play with it
• Bootstrap CA on staging vault
• With CA, set up monitoring and rsyslog for staging vault.
• Switch staging vault to use consul backend, TLS being protected by the above CA
• Implement other secret backends (TBD)
• Implement HA setup in staging (second vault, cluster address, update monitoring).
• Disaster recovery testing in staging.
• Setup production HA setup.
• Write runbooks on how to use/setup/destroy/maintain the vault.
• Write runbook and test changing the set of unseal GPG keys due to loss/compromise/etc.
• Disable SSH by default.

mentioned in issue #1504

assigned to @ilyaf

added cloud native label

changed milestone to %WoW ending 2017-07-18

mentioned in issue #1816

added goal label

@gl-infra Please dump all your wishes/ideas on what do you need from Vault here, and I'll make it happen :)

• Must Use Two-Man rule leveraging Shamir's Secret Sharing technique for unsealing the vault.

• Leverage Vault as a PKI & CA per #1574

as an FYI: i gleaned a pretty good overview of how to integrate it when playing with it from here: https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef/

changed milestone to %WoW ending 2017-07-25

changed milestone to %WoW ending 2017-08-01

changed the description

changed milestone to %WoW ending 2017-08-08

added moved 1 label

changed the description

marked the checklist item Vault VM: https://gitlab.com/gitlab-com/gitlab-com-infrastructure/merge_requests/92 as completed

changed the description

changed milestone to %WoW ending 2017-08-15

removed goal label

added goal label

@ilyaf with all the work for Geo, how realistic is that this will happen?

@pcarranza I don't think I'll deliver vault this WoW, unless we really-really rush it. But since we decided not to do that in prod call, I'll refactor this into some sort of meta issue, and focus on building blocks for it, like aptly and deb package pipeline.

Let me think about it for some time. We can drop the goal label though, and I will add it to the bits that I'm planning to deliver.

Does this make sense?

removed goal label

It makes total sense to me @ilyaf

changed milestone to %WoW ending 2017-08-22

changed milestone to %WoW ending 2017-08-29

removed assignee

changed milestone to %WoW ending 2017-09-19

mentioned in issue #2597 (closed)

mentioned in issue #1212 (closed)

mentioned in issue #2604

changed milestone to %WoW

assigned to @ilyaf

Assigning back to myself, as I made some progress on the prerequisites, and now its almost only vault (next steps will require some consul/monitoring dependencies)

changed the description

changed the description

changed milestone to %WoW ending 2017-10-03

mentioned in issue #1865

changed milestone to %WoW

added moved 2 and removed moved 1 labels

@ilyaf can you add a point for "Unblock https://gitlab.com/gitlab-com/infrastructure/issues/2604" to list where you deem appropriate?