Secrets - Hashicorp Vault
In this document, you'll learn how to integrate an existing Vault with Volterra Secrets Management and use a TLS certificate stored as a secret in Vault for a Virtual Host.
Further details can be found at External Secrets Management System under VES Concepts.
- Note: If you don't have an account, please go to Create a VES Account.
- Installation of Hashicorp Vault
- A VirtualHost and a signed TLS certificate for your Virtual Host
  - Note: If you don't have an existing VirtualHost, please create one
- Optionally, one or more cloud or edge locations with Volterra Site
  - Note: Install the Volterra Node or Cluster Image in your Cloud or Edge location
- Log in to Vault and create a secret or use an existing secret
  - Secret refers to the private key (TLS certificate)
- Create a new Vault authentication method to access the secret - AppRole Authentication, Token Authentication
- Configure 'Secret Management' on Volterra to fetch the Secret from Vault
- Discover and Advertise Vault - This involves the creation of a virtual-host for the Vault service - see "Create and Advertise a Virtual Host"
- Configure the Application's Virtual Host to obtain the TLS certificate stored in Vault
The following shows the configuration workflow of Vault as an external secret management system.
Step 1: Configure authentication method in Vault.
Volterra supports Vault authentication using either 'approle' or 'token'. Make sure that one of these is configured in Vault. A sample configuration is shown below:
Sample approle configuration:
Sample token configuration:
Step 2: Enable KV Secrets Engine from secrets configuration pane.
A sample configuration is shown below:
Step 3: Create a secret in the path created above.
The secret here is a TLS Certificate. Find a sample configuration below:
Step 4: Create an ACL policy to enable permissions on the secret created above.
Step 5: Get the entity identifier.
Obtain the entity ID from the 'Access' section; it is used later as the `Roleid` in the Volterra configuration.
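The Vault side of steps 1 to 5 as an added example using the vault CLI (not code from the Volterra documentation). It assumes a reachable Vault at VAULT_ADDR with an operator token in VAULT_TOKEN, a KV v2 engine mounted at `secret`, the private key in `./server.key`, and placeholder role, policy and path names; the ACL grants read only on the one secret path, which is the least privilege the proxy needs, and the role_id is read from the AppRole endpoint.

```shell
#!/bin/sh
# Added example, not from the Volterra docs: provisions the Vault side of
# steps 1-5 with the vault CLI. Assumptions (placeholders, change to taste):
# VAULT_ADDR/VAULT_TOKEN point at Vault with an operator token, the KV v2
# engine is mounted at "secret", and the PEM private key is in ./server.key.
set -eu

ROLE_NAME="${ROLE_NAME:-volterra-sma}"           # AppRole name (assumed)
POLICY_NAME="${POLICY_NAME:-volterra-tls-read}"  # ACL policy name (assumed)
SECRET_PATH="${SECRET_PATH:-volterra/app-vhost}" # path under the KV mount
KEY_FILE="${KEY_FILE:-server.key}"               # private key to store

# Least-privilege ACL: read-only, scoped to the one secret the proxy needs.
# KV v2 serves data under <mount>/data/<path>, so the ACL path must include
# "data/"; "metadata/" lets the client resolve the secret's version.
policy_hcl() {
  printf 'path "secret/data/%s" {\n  capabilities = ["read"]\n}\n' "$1"
  printf 'path "secret/metadata/%s" {\n  capabilities = ["read"]\n}\n' "$1"
}

configure_vault() {
  # Step 1: AppRole auth method; the role only carries the read-only policy.
  vault auth enable approle 2>/dev/null || true   # already enabled is fine
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_policies="${POLICY_NAME}" token_ttl=1h token_max_ttl=4h
  # Step 2: KV v2 secrets engine at "secret".
  vault secrets enable -path=secret kv-v2 2>/dev/null || true
  # Step 3: store the TLS private key under the chosen path.
  vault kv put "secret/${SECRET_PATH}" tls_key=@"${KEY_FILE}"
  # Step 4: ACL policy scoped to that path only.
  policy_hcl "${SECRET_PATH}" | vault policy write "${POLICY_NAME}" -
  # Step 5: the identifiers entered in the Volterra Secret Management object.
  echo "role_id:   $(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")"
  echo "secret_id: $(vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id")"
}

# Only talk to Vault when the CLI and an address are actually available.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  configure_vault
fi
```

Run it once as a Vault operator and paste the printed role_id and secret_id into the Secret Management object; keep the secret_id out of shell history and logs.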
Configure Vault for Secret Management in Volterra
Step 1: Start creating secret management access in VoltConsole.
Select the 'system' namespace. From the configuration menu, select 'Manage', select 'Site Management', and choose 'Secret Management' from the options pane. Provide a name for the credentials, select API Certificate for the credential type and provide a password to access the credential.
Step 2: Set input name and provider name.
Figure: Configure Secret Management
Step 3: Configure access information.
Select Authentication Parameters from the available options. In this scenario, it is "Vault Authentication Parameters".
Select a parameter for authentication. Supported options are "AppRole Authentication" and "Token Authentication".
Provide the RoleID or Token. RoleID refers to the Vault role_id. If you choose Token Authentication, Secret Info can be used to encrypt the token in one of the four encryption patterns supported by Volterra.
Provide the Secret ID. This refers to the token or the AppRole. Secret Info can be used to encrypt it in one of the four encryption patterns supported by Volterra.
Provide the TLS details of Vault.
Discover and Advertise Vault
Vault can be externally hosted on Azure, AWS, or a private cloud. Follow Create and Advertise a Virtual Host from the How-To section. The two configuration aspects that differ from a traditional Advertise Policy and Virtual Host, and that are required for Vault, are described below:
Step 1: Set the advertise policy network type.
Select "Network Type" as "Virtual_Network_VER_INTERNAL" while adding the advertise policy.
Step 2: Set the proxy type for virtual host.
Select "Proxy Type" as "SMA_PROXY" while adding the Virtual Host.
Configure Application Virtual Host for Vault Access
This section shows a sample virtual host configuration with the private key in the TLS Parameters section obtained from the external Vault.
We assume that an application virtual host has been created before starting this guide. Use Create and Advertise a Virtual Host as a reference. The specific Virtual Host TLS Parameters configuration is explained below.
Step 1: Select TLS Parameters in Virtual Host.
Step 2: Configure TLS Parameters.
Figure: Configuring TLS Parameters
Step 3: Add a TLS Certificate by selecting TLS Certificates above.
Step 4: Configure the Private Key.
- Secret Info
- Vault Secret in this scenario
- Refers to the Secret Management object created in the "Create Secret Management - Volterra" section, step 1 above. The provider name here should be the same
- This is the path/location of the secret in Vault
- Name of the Key in Vault
- Refers to the Version of the Key in Vault