Identity & Secret Management
Identity is the new perimeter. In a cloud-native world, static passwords in configuration files are the root cause of most breaches. Cyberun Cloud eliminates this risk through centralized Identity and Access Management (IAM) and dynamic secrets.
Unified Identity (SSO)
We provide Identity as a Service powered by Keycloak, the industry-standard open-source identity provider.
- Single Sign-On (SSO): A single set of credentials grants access to the Rancher Console, Harbor Registry, OpenSearch Dashboards, and your own applications.
- Federated Auth: We support integration with enterprise IdPs (Google Workspace, Azure AD, Okta). Your employees can log in using their existing corporate accounts.
- Fine-Grained RBAC: Permissions are mapped to OIDC Groups.
- Group dev-team -> can deploy to namespace-dev.
- Group ops-team -> can SSH into nodes.
Secret Management (The Vault)
We utilize OpenBao (an open-source fork of HashiCorp Vault) to manage sensitive data. We strictly adhere to the principle that secrets should never be stored in Git.
Dynamic Secrets
```mermaid
sequenceDiagram
    participant App as App_Workload
    participant Agent as Vault_Agent
    participant Bao as OpenBao_KMS
    participant DB as PostgreSQL_DB
    Note over App, DB: Initialization
    App->>Agent: 1. Request DB Access
    Agent->>Bao: 2. Auth Pod Identity
    Bao->>DB: 3. Create Ephemeral User
    DB-->>Bao: 4. Return User/Pass
    Bao-->>Agent: 5. Send Encrypted Creds
    Agent-->>App: 6. Inject Secrets File
    Note over App, DB: Runtime
    App->>DB: 7. Connect with Creds
    Note over Bao, DB: After 1 Hour (Expiry)
    Bao->>DB: 8. Revoke & Drop User
```
Instead of hardcoding database passwords, applications request credentials on the fly.
- Request: App asks OpenBao for access to PostgreSQL.
- Generate: OpenBao dynamically creates a temporary username/password on the database with a 1-hour TTL (Time To Live).
- Inject: The credential is injected into the Pod via a sidecar or CSI driver.
- Revoke: After 1 hour, the credential automatically expires. Even if leaked, it is useless.
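The lease lifecycle from the diagram and the four steps above, as an added, self-contained model (this is illustrative code, not OpenBao's or the Cyberun platform's own implementation). The service account name `app`, the namespace `namespace-dev`, the role name `postgres-readonly` and the `FakePostgres` stand-in are assumptions; the 1-hour TTL matches the text.

```python
"""Constructed model of dynamic DB credentials: pod identity -> ephemeral user -> expiry -> revoke."""
import secrets
from dataclasses import dataclass, field

TTL_SECONDS = 3600  # 1-hour lease, as described on the page

# Which pod identities (service account, namespace) may obtain which DB role. Assumed binding.
AUTH_ROLES = {("app", "namespace-dev"): "postgres-readonly"}


@dataclass
class FakePostgres:
    """Stand-in for the database: users carry an expiry, like CREATE ROLE ... VALID UNTIL."""
    users: dict = field(default_factory=dict)  # username -> (password, valid_until)

    def create_user(self, name, password, valid_until):
        self.users[name] = (password, valid_until)

    def connect(self, name, password, now):
        # A leaked credential is refused once its expiry has passed, even before cleanup runs.
        pw, valid_until = self.users.get(name, (None, None))
        return pw is not None and secrets.compare_digest(pw, password) and now < valid_until

    def drop_user(self, name):
        self.users.pop(name, None)


@dataclass
class Lease:
    username: str
    password: str
    expires_at: int


class DynamicSecrets:
    """Minimal secrets engine: authenticates the pod identity, mints a user, revokes on expiry."""
    def __init__(self, db):
        self.db = db
        self.leases = []

    def issue(self, service_account, namespace, now):
        role = AUTH_ROLES.get((service_account, namespace))
        if role is None:  # step 2 failed: identity not bound to any DB role
            raise PermissionError("pod identity not bound to any DB role")
        username = f"v-k8s-{role}-{secrets.token_hex(4)}"  # unique per lease, never reused
        lease = Lease(username, secrets.token_urlsafe(24), now + TTL_SECONDS)
        self.db.create_user(lease.username, lease.password, lease.expires_at)  # step 3
        self.leases.append(lease)
        return lease  # step 5/6: handed to the workload via agent sidecar or CSI driver

    def revoke_expired(self, now):
        expired = [lease for lease in self.leases if lease.expires_at <= now]
        for lease in expired:  # step 8: revoke the lease and drop the DB user
            self.db.drop_user(lease.username)
            self.leases.remove(lease)
        return len(expired)
```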
Encryption at Rest
All secrets stored within the Cyberun platform are encrypted using AES-256-GCM.
- KMS Integration: The master encryption keys are protected and can be rotated periodically without downtime.
- etcd Encryption: We enable encryption at rest for the Kubernetes datastore (etcd), ensuring that physical theft of a server drive does not yield access to cluster secrets.