Secrets - Hashicorp Vault

Objective

In this document, you’ll learn how to integrate an existing Vault with Volterra Secrets Management and use a TLS certificate for a Virtual Host whose private key is stored as a secret in Vault.

Further details can be found under External Secrets Management System in VES Concepts.


Prerequisites

Minimum

  • VES account.

  • Installation of Hashicorp Vault
  • A VirtualHost and a signed TLS certificate for your Virtual Host

    • Note: If you don't have an existing VirtualHost, please create one
  • Optionally, one or more cloud or edge locations with Volterra Site


Summary

  1. Login to Vault and create a secret or use an existing secret

    • Secret refers to the private key (TLS certificate)
  2. Create a new Vault authentication method to access the secret - AppRole Authentication, Token Authentication
  3. Configure ‘Secret Management’ on Volterra to fetch the Secret from Vault
  4. Discover and Advertise Vault - This involves the creation of a virtual-host for the Vault service - see "Create and Advertise a Virtual Host"
  5. Configure Application's Virtual Host to obtain TLS certificate stored from Vault

Configuration Steps

The following shows the configuration workflow of Vault as an external secret management system.

Figure: Vault Configuration Workflow


Prepare Vault

Step 1: Configure authentication method in Vault.

Volterra supports Vault authentication using either ‘approle’ or ‘token’. Make sure one of these is configured in Vault. A sample configuration is shown below:

Figure: Approle Configuration

Sample approle configuration:

Figure: Sample Approle Configuration

Sample token configuration:

Figure: Sample Token Configuration

Step 2: Enable KV Secrets Engine from secrets configuration pane.

A sample configuration is shown below:

Figure: KV Secrets Engine Setting

Figure: Enable KV Secrets Engine

Step 3: Create a secret in the path created above.

The secret here is a TLS Certificate. Find a sample configuration below:

Figure: Secret Creation Setting

Figure: Create a Secret

Step 4: Create an ACL policy to enable permissions on the secret created above.

Figure: ACL Policy Creation

Step 5: Get the entity identifier.

Obtain the entity ID from the ‘Access’ section; it is used later as the `RoleID` in the Volterra configuration.

Figure: Obtaining Entity ID


Configure Vault for Secret Management in Volterra

Step 1: Start creating secret management access in VoltConsole.

Select the ‘system’ namespace. From the configuration menu, select ‘Manage’, then ‘Site Management’, and choose ‘Secret Management’ from the options pane. Provide a name for the credentials, select API Certificate as the credential type, and provide a password to access the credential.

Figure: Create Secret Management

Step 2: Set input name and provider name.

Figure: Configure Secret Management

Step 3: Configure access information.

Select Authentication Parameters from the available options. In this scenario, it is "Vault Authentication Parameters".

Figure: Configure Authentication Parameters

Select a parameter for authentication. Supported options are "AppRole Authentication" and "Token Authentication".

Figure: Configure Authentication Parameters

Provide the RoleID or Token. RoleID refers to the Vault role_id. If the user chooses Token Authentication, Secret Info can be used to encrypt the token in one of the four encryption patterns supported by Volterra.

Figure: Role ID - AppRole Authentication

Figure: Token Authentication

Provide the Secret ID: the AppRole secret_id, or the token itself when using Token Authentication. Secret Info can be used to encrypt this value in one of the four encryption patterns supported by Volterra.

Figure: Secret ID

Provide TLS details of Vault.

Figure: Vault - TLS

Figure: Vault - TLS


Discover and Advertise Vault

Vault can be externally hosted on Azure, AWS, or a private cloud. Follow Create and Advertise a Virtual Host from the How-To section. The two configuration aspects that differ from a traditional Advertise Policy and Virtual Host, and are required for Vault, are described below:

Step 1: Set the advertise policy network type.

Select "Network Type” as "Virtual_Network_VER_INTERNAL” while adding advertise policy.

Figure: Advertise Policy - Vault

Step 2: Set the proxy type for virtual host.

Select "Proxy Type” as "SMA_PROXY” while adding Virtual Host.

Figure: Virtual Host - Vault


Configure Application Virtual Host for Vault Access

This section shows a sample virtual host configuration in which the private key in the TLS Parameters section is obtained from the external Vault.

We assume that an application virtual host has been created prior to starting this guide. Use Create and Advertise a Virtual Host as reference. Specific Virtual Host TLS Parameters configuration is explained below.

Step 1: Select TLS Parameters in Virtual Host.

Figure: Configuring TLS Parameters

Step 2: Configure TLS Parameters.

Figure: Configuring TLS Parameters

Step 3: Add a TLS Certificate by selecting TLS Certificates above.

Figure: Certificate URL - Base64 Encoded

Step 4: Configure the Private Key.

  • Secret Info: Vault Secret in this scenario
  • Provider: refers to the Secret Management object created in the "Create Secret Management - Volterra" section, Step 1 above. The provider name here should be the same.
  • Location: the path/location of the secret in Vault
  • Key: the name of the key in Vault
  • Version: the version of the key in Vault

Figure: Private Key Configuration

