Streamlining Teams Credential Management with Passbolt on GKE: An Open-Source and Collaborative Solution
Managing sensitive credentials is a critical aspect of modern IT operations. As teams grow and adopt agile practices, a collaborative, secure, and scalable credential management system becomes essential. Passbolt, an open-source password manager, addresses this need and provides a collaborative platform for teams to manage credentials securely. It helps organizations prevent security breaches and follow best practices for credential management, and its flexibility as an open-source tool makes it a valuable asset for cloud-native workflows. This blog explores Passbolt’s capabilities and demonstrates its deployment on Google Kubernetes Engine (GKE) as a secure and scalable solution.
Why Choose Passbolt for Credential Management?
Passbolt is built for seamless team collaboration with a focus on security and flexibility. It provides:
- Security: End-to-end encryption ensures sensitive data stays protected.
- Collaboration: Share passwords securely within the team.
- Open Source: Fully customizable to meet the specific needs of the organization.
- Integration: Seamlessly integrates with tools like Docker, Kubernetes, and CI/CD pipelines.
Pre-Requisites:
Helm installed.
kubectl configured to access the GKE cluster.
Working SMTP credentials for email notifications.
Let’s get started !!
- Create a private GKE cluster and fetch its credentials with the following command.
gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION --project $PROJECT_ID
- Add Passbolt Helm Repository.
helm repo add passbolt "https://download.passbolt.com/charts/passbolt"
helm repo update
- Pull the Passbolt chart from the Helm repository; the chart archive contains the default values.yaml file.
helm search repo passbolt
helm pull passbolt/passbolt
To customize the deployment, we will use a custom values.yaml file. This file lets us configure the various components of the Passbolt deployment.
- Modify the values.yaml file.
In the Redis dependency chart, specify the password for Redis in the auth section. Replace $REDIS_PASSWORD with a secure password of your choice.
# Configure redis dependency chart
redis:
  auth:
    # -- Enable redis authentication
    enabled: true
    # -- Configure redis password
    password: "$REDIS_PASSWORD" ## Replace with redis password
  sentinel:
    # -- Enable redis sentinel
    enabled: true
In the mariadb dependency chart section, specify the rootPassword, username, password, database name, and replicationPassword.
# Configure mariadb as a dependency chart
mariadb:
  # -- Configure mariadb architecture
  architecture: replication
  auth:
    # -- Configure mariadb auth root password
    rootPassword: $ROOT_PASSWORD #Replace with root password
    # -- Configure mariadb auth username
    username: $USERNAME #Replace with username
    # -- Configure mariadb auth password
    password: $PASSWORD #Replace with password
    # -- Configure mariadb auth database
    database: $DATABASE #Replace with database
    # -- Configure mariadb auth replicationPassword
    replicationPassword: $REPLICATION_PASSWORD #Replace with replication password
To configure HTTPS for Passbolt, we need to create a Kubernetes secret that stores the TLS certificate and private key for the domain. Passbolt uses this secret to serve the application over HTTPS.
The following command creates a Kubernetes secret named passbolt-tls. This secret is referenced in the values.yaml configuration to enable HTTPS.
kubectl create secret tls passbolt-tls --cert <CERT_FILE> --key <KEY_FILE>
To configure TLS settings in values.yaml, set the autogenerate option to false. This indicates that a TLS certificate will not be generated automatically; instead, we specify the name of the existing TLS secret, created in the previous step, in the existingSecret field.
This configuration ensures the application uses the pre-created Kubernetes secret for secure communication.
tls:
  # -- If autogenerate is true, the chart will generate a secret with a certificate for APP_FULL_BASE_URL hostname
  # -- if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
  # @ignored
  autogenerate: false
  existingSecret: "passbolt-tls" #Replace with the kubernetes secret name
To ensure a seamless and secure experience with Passbolt, the environment variables in passboltEnv must be configured. These settings include the domain name and the email notification settings.
Replace the domain name in APP_FULL_BASE_URL with the one through which you want to access Passbolt.
For Passbolt to send email notifications (e.g., for user registration or password resets), configure the SMTP server. Replace $EMAIL_ADDRESS in PASSBOLT_KEY_EMAIL and EMAIL_DEFAULT_FROM with a valid email address.
passboltEnv:
  plain:
    # -- Configure passbolt privacy url
    PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
    # -- Configure passbolt fullBaseUrl
    APP_FULL_BASE_URL: https://$DOMAIN_NAME #Replace with domain name
    # -- Configure passbolt to force ssl
    PASSBOLT_SSL_FORCE: true
    # -- Toggle passbolt public registration
    PASSBOLT_REGISTRATION_PUBLIC: true
    # -- Configure passbolt cake cache server
    CACHE_CAKE_DEFAULT_SERVER: 127.0.0.1
    # -- Configure passbolt default email service port
    EMAIL_TRANSPORT_DEFAULT_PORT: 587
    # -- Toggle passbolt debug mode
    DEBUG: false
    # -- Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
    PASSBOLT_KEY_EMAIL: $EMAIL_ADDRESS #Replace with email address
    # -- Toggle passbolt selenium mode
    PASSBOLT_SELENIUM_ACTIVE: false
    # -- Configure passbolt license path
    PASSBOLT_PLUGINS_LICENSE_LICENSE: /etc/passbolt/subscription_key.txt
    # -- Configure passbolt default email from
    EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS #Replace with email address
    # -- Configure passbolt default email from name
    EMAIL_DEFAULT_FROM_NAME: Passbolt
    # -- Configure passbolt default email host
    EMAIL_TRANSPORT_DEFAULT_HOST: smtp.office365.com
To configure Passbolt with the necessary credentials, provide the following values in the secret section of passboltEnv. The Redis and MariaDB values here must match the passwords set in the dependency chart sections above.
  secret:
    # -- Configure passbolt cake cache password
    CACHE_CAKE_DEFAULT_PASSWORD: $REDIS_PASSWORD #Replace with redis password
    # -- Configure passbolt default database password
    DATASOURCES_DEFAULT_PASSWORD: $MARIADB_PASSWORD #Replace with mariadb password
    # -- Configure passbolt default database username
    DATASOURCES_DEFAULT_USERNAME: $DB_USERNAME #Replace with username of the mariadb
    # -- Configure passbolt default database
    DATASOURCES_DEFAULT_DATABASE: $DATABASE_NAME #Replace with the database name
    # -- Configure passbolt default email service username
    EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_USERNAME #Replace with email username
    # -- Configure passbolt default email service password
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_PASSWORD #Replace with email password
In livenessProbe and readinessProbe, set the value of the Host header to the domain name.
# -- Configure passbolt container livenessProbe
livenessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: $DOMAIN_NAME #Replace with domain name
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: $DOMAIN_NAME #Replace with domain name
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10
To expose Passbolt securely on a custom domain, we will configure the ingress settings in the values.yaml file using the NGINX Ingress Controller. This setup ensures seamless and secure access to Passbolt over the configured domain.
- To install the NGINX Ingress Controller in the GKE cluster, execute the following commands:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx
In the ingress section of values.yaml, set enabled to true and add the following configuration.
ingress:
  # -- Enable passbolt ingress
  enabled: true #Enable ingress
  # -- Configure passbolt ingress annotations
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # -- Configure passbolt ingress hosts
  hosts:
    # @ignored
    - host: $DOMAIN_NAME #Replace with domain name
      paths:
        - path: /
          port: https
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If autogenerate is true, the chart will generate a secret for the given hosts
    # if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    - autogenerate: false
      existingSecret: "passbolt-tls" #Replace with the kubernetes secret name
      hosts:
        - $DOMAIN_NAME #Replace with domain name
- Once the customized values.yaml file is ready, use Helm to deploy Passbolt to the GKE cluster.
helm install mypassbolt passbolt/passbolt -f values.yaml
- Verify the status of the resources. The configuration creates persistent volumes for the databases.
Once everything is running correctly, check the status of the ingress.
To create the admin user for initial setup of Passbolt, run the following command.
kubectl exec -it <passbolt-pod-name> -- su -c "bin/cake passbolt register_user -u <email> -f <firstname> -l <lastname> -r admin" -s /bin/bash www-data
After executing this command, an email for the admin user is sent to the address given in the command.
The output of the command also provides the link to access Passbolt.
Open the link from the command output or from the email.
Now add the browser extension for Passbolt. Click on Download extension.
Add the extension to the browser.
Once the extension is added, click on Next.
Enter the passphrase for Passbolt. The passphrase is a secret credential used to log in to Passbolt.
Download the Passbolt recovery kit and click on Next.
After all the configuration is completed, access the Passbolt web console.
After completing the initial setup, we can start adding users, groups, and credentials to the Passbolt.
Additionally, we can use Passbolt’s advanced features like password expiration and two-factor authentication (2FA) to enhance security.
To create users, click on Users in the Passbolt web console.
Click on Create => New user.
Enter the user's details and save.
To create a password, click on Passwords => Create => New password.
Enter the password details.
To proceed with creating the password, enter the passphrase created in the previous step of the Passbolt setup.
In the Passwords section, check the created password.
To share the password with other users or a group of users, select the password and click on Share.
Select the user or group with whom the password needs to be shared.
Open the application and use Passbolt to fill in the password. Click on the Passbolt icon in the username field.
It lists the available credentials. Select the credentials for the application.
To continue, enter the Passbolt passphrase.
Passbolt fills in the selected credentials.
Log in to the application.
Conclusion
Deploying Passbolt on GKE cluster offers a secure and scalable solution for managing team credentials. Passbolt’s open-source nature ensures that it can be customized to meet specific requirements, while its focus on team collaboration makes it a perfect fit for organizations seeking a solution to their credential management challenges. Passbolt is a powerful tool for organizations looking to streamline their credential management processes, enhance security, and improve compliance.
References
- Passbolt: https://www.passbolt.com/
- GKE: https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview
- Helm: https://helm.sh/docs/
- Nginx Ingress: https://docs.nginx.com/nginx-ingress-controller/overview/about/
In case of any questions, comment in the comments section or connect with me via LinkedIn.
Thank You !!