In this document, you’ll learn how to integrate an existing Vault with Volterra Secrets Management and use a TLS certificate stored as a secret in Vault for a Virtual Host.
Further details can be found in External Secrets Management System under VES Concepts.
- Note: If you don’t have an account, please go to Create a VES Account.
Installation of Hashicorp Vault
A Virtual Host and a signed TLS certificate for your Virtual Host
- Note: If you don’t have an existing Virtual Host, please create one.
- Note: Install the Volterra Node or Cluster Image in your Cloud or Edge location
Login to Vault and create a secret or use an existing secret
Create a new Vault authentication method to access the secret (AppRole Authentication or Token Authentication)
Configure ‘Secret Management’ on Volterra to fetch the secret from Vault
Discover and Advertise Vault. This involves creating a virtual host for the Vault service; see “Create and Advertise a Virtual Host”.
The following shows the configuration workflow of Vault as an external secret management system.
Step 1: Volterra supports Vault authentication using either ‘approle’ or ‘token’. Make sure one of these is configured in Vault. A sample configuration is shown below:
Sample approle configuration:
Sample token configuration:
Step 2: Enable KV Secrets Engine from secrets configuration pane. A sample configuration is shown below:
Step 3: Create a secret in the path created above. The secret here is a TLS Certificate. Find a sample configuration below:
Step 4: Create an ACL policy that grants permissions on the secret created above.
Step 5: Obtain the entity_id from the ‘Access’ section; it is used later as the Role_id in the Volterra configuration.
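The Vault-side steps above as a single script, added here as an example and not part of the original guide. It assumes a KV version 2 engine mounted at kv, a secret stored at volterra/tls holding the certificate and private key, an AppRole named volterra, and PEM files cert.pem and key.pem; the role_id and secret_id it prints are the values entered as RoleID and Secret ID in the Volterra configuration.

```shell
#!/bin/sh
# Added example (not from the Volterra docs). Assumed names: KV v2 mount "kv",
# secret path "volterra/tls", AppRole "volterra", PEM files cert.pem / key.pem.
# Needs VAULT_ADDR and a VAULT_TOKEN with permission to manage auth, mounts and policies.
set -eu

# Render the minimal read-only ACL policy for one KV v2 secret.
# KV v2 exposes secrets under "<mount>/data/<path>", so a policy that names
# only "<mount>/<path>" (the path shown in the UI) grants nothing.
render_policy() {
  mount="$1"; secret_path="$2"
  printf 'path "%s/data/%s" {\n  capabilities = ["read"]\n}\n' "$mount" "$secret_path"
}

# Steps 1-5 against a live Vault.
configure_vault() {
  mount="$1"; secret_path="$2"; role="$3"; cert="$4"; key="$5"
  # Step 1: enable the AppRole auth method
  vault auth enable approle
  # Step 2: enable a KV v2 secrets engine at the mount
  vault secrets enable -path="$mount" -version=2 kv
  # Step 3: store the TLS certificate and private key as one secret
  vault kv put "$mount/$secret_path" certificate=@"$cert" private_key=@"$key"
  # Step 4: least-privilege policy, read only on that one secret (read from stdin)
  render_policy "$mount" "$secret_path" | vault policy write "${role}-read" -
  # Step 5: bind the role to the policy, then print role_id and a secret_id
  vault write "auth/approle/role/$role" token_policies="${role}-read" token_ttl=1h
  vault read -field=role_id "auth/approle/role/$role/role-id"
  vault write -f -field=secret_id "auth/approle/role/$role/secret-id"
}

# Usage: ./vault-volterra.sh kv volterra/tls volterra cert.pem key.pem
if [ "$#" -eq 5 ]; then
  configure_vault "$@"
fi
```

Re-running against a Vault that already has approle or the mount enabled fails at the corresponding `enable` step; remove those two lines when only the secret, policy and role need to be (re)created.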
Step 1: Select the ‘system’ namespace. From the configuration menu, select ‘Manage’, then ‘Site Management’, and choose ‘Secret Management’ from the options pane. Provide a name for the credentials, select API Certificate as the credential type and provide a password to access the credential.
Step 2: Input Name and Provider Name.
Step 3: Configure Access Information.
Select Authentication Parameters from the available options. In this scenario, it is “Vault Authentication Parameters”.
Select a parameter for authentication. Supported options are “AppRole Authentication” and “Token Authentication”.
Provide the RoleID or Token. RoleID refers to the Vault role_id. If you choose Token Authentication, Secret Info can be used to encrypt the token using one of the four encryption patterns supported by Volterra.
Provide the Secret ID. This is the secret for the token or AppRole method. Secret Info can be used to encrypt it using one of the four encryption patterns supported by Volterra.
Provide the TLS details of Vault.
Vault can be externally hosted on Azure, AWS, or a private cloud. Follow Create and Advertise a Virtual Host from the How-To section. The two configuration settings required for Vault that differ from a traditional Advertise Policy and Virtual Host are listed below:
Step 1: Advertise Policy: Select “Network Type” as “Virtual_Network_VER_INTERNAL” while adding the advertise policy.
Step 2: Virtual Host: Select “Proxy Type” as “SMA_PROXY” while adding the Virtual Host.
This section shows a sample virtual host configuration with the private key in the TLS Parameters section obtained from the external Vault.
We assume that an application virtual host has been created prior to starting this guide. Use Create and Advertise a Virtual Host as reference. Specific Virtual Host TLS Parameters configuration is explained below.
Step 1: Select “TLS Parameters” in the Virtual Host.
Step 2: Configure TLS Parameters.
Step 3: Add a TLS Certificate by selecting TLS Certificates above.
Step 4: Configure the Private Key.
- Secret Info
- Vault Secret in this scenario
- Refers to the Secret Management object created in the “Create Secret Management - Volterra” section, step 1 above. The Provider Name here must be the same.
- This is the path/location of the secret in Vault.
- Name of the key in Vault.
- Refers to the version of the key in Vault.