Configuring HashiCorp Vault

Introduction

HashiCorp Vault is a secrets management tool that provides a single source for secrets and credentials and attaches access policies to them.

After HashiCorp Vault has been set up, it must be configured so that it can work with OpenShift secrets.

Attention: Please note that HashiCorp Vault is not mandatory for the IBM Financial Services Workbench. It only needs to be configured if API and Topic bindings are required to be stored in the Vault. By default, API and Topic bindings are stored as Kubernetes Secrets in the cluster. Do not switch back and forth between using a vault and not using one, as this may result in data loss.

Steps to configure the vault

  1. Get access to the vault's terminal and run the commands below in the order listed. Step 3 reads the pod's own service account token and CA certificate from /var/run/secrets/kubernetes.io/serviceaccount, so the commands must be run from inside the cluster.

  2. Establish communication between OpenShift and the vault by enabling Kubernetes authentication in vault.

    vault auth enable kubernetes

    The Kubernetes auth method authenticates clients with a Kubernetes service account token (a JWT). Any client within the cluster can present its token; Vault validates it against the Kubernetes TokenReview API using the configuration written in the next step, and issues a Vault token only for service accounts that are bound to a role (step 5).

  3. Configure the Kubernetes path

    Write the Kubernetes configuration to Vault so that Vault can validate OpenShift service account tokens against the Kubernetes TokenReview API. token_reviewer_jwt is the token of the service account the Vault pod itself runs under; that service account must be allowed to call the TokenReview API (in Kubernetes this is the system:auth-delegator cluster role), otherwise every login fails even with a valid client token.

    vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

  4. Create policies

    Policies define which paths a token may access and with which capabilities (read, create, update, delete, list). The policy below covers the KV version 2 data path under the secret/ mount where the Workbench stores its bindings; a token carrying only this policy cannot read anything outside external-secrets/.

    vault policy write external-secrets-policy - <<EOF
    path "secret/data/external-secrets/*" {
    capabilities = ["read", "create", "update", "delete"]
    }
    EOF

  5. Create roles

    A role binds one or more Kubernetes service accounts (by name and namespace) to policies. A client that logs in with the token of a bound service account receives a Vault token that carries those policies. The role below binds the service account cpd-admin-sa from any namespace; where possible, replace '*' with the namespace the Workbench runs in, so that a service account of the same name in another namespace cannot obtain the policy.

    vault write auth/kubernetes/role/external-secrets-role \
    bound_service_account_names=cpd-admin-sa \
    bound_service_account_namespaces='*' \
    policies=external-secrets-policy

  6. Enable a KV secrets engine

    Enable the key/value secrets engine at the mount the policy refers to. The policy path secret/data/external-secrets/* is the KV version 2 layout for an engine mounted at secret/ (version 2 exposes secret contents under <mount>/data/), so the engine must be mounted at secret with version 2; the API prefix /v1/ is never part of a mount path, and a version 1 engine would not expose a data/ sub-path, so the policy would not match. If the Vault server was started in dev mode, secret/ is already mounted as KV version 2 and this command reports that the path is already in use.

    vault secrets enable -path=secret kv-v2
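
The following script, added here as an example and not part of the Workbench distribution, runs steps 2 to 6 in order in a form that can be re-run (it skips the two "enable" steps when the mount already exists), binds the role to a single namespace, and finishes by logging in with the service account token and writing and reading one key under the bound path, which proves the auth method, the policy, the role and the KV mount fit together. It assumes an operator is already logged in to Vault (VAULT_ADDR and VAULT_TOKEN set), that it runs in a pod inside the cluster, that the Workbench service account is cpd-admin-sa in a namespace called cpd, and that the KV version 2 engine is mounted at secret/; the names, the namespace and the one-hour token TTL are assumptions to adjust for your installation. Save it as configure-vault.sh; with DRY_RUN=1 it prints the vault commands instead of running them.

```shell
#!/usr/bin/env sh
# configure-vault.sh: steps 2-6 above as one re-runnable script with a final
# login and read/write check. Added example, not part of the Workbench.
# Assumptions (change for your installation): operator logged in to Vault
# (VAULT_ADDR, VAULT_TOKEN), running inside a pod in the cluster, Workbench
# service account cpd-admin-sa in namespace cpd, KV v2 mounted at secret/.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"
DRY_RUN="${DRY_RUN:-0}"               # DRY_RUN=1 prints each vault command instead of running it
SA_NAME="${SA_NAME:-cpd-admin-sa}"
SA_NAMESPACE="${SA_NAMESPACE:-cpd}"   # one namespace instead of '*'
KV_MOUNT="${KV_MOUNT:-secret}"        # the policy path below is <mount>/data/...
POLICY_NAME="external-secrets-policy"
ROLE_NAME="external-secrets-role"
SA_DIR="/var/run/secrets/kubernetes.io/serviceaccount"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The pod's own service account token: Vault uses it as token_reviewer_jwt to
# call the TokenReview API, and the check at the end reuses it to log in.
sa_token() {
  if [ -r "$SA_DIR/token" ]; then cat "$SA_DIR/token"
  elif [ "$DRY_RUN" = "1" ]; then printf '%s' '<service-account-jwt>'
  else echo "no service account token at $SA_DIR/token; run inside a pod" >&2; exit 1
  fi
}

# KV v2 keeps secret contents under <mount>/data/ and version metadata under
# <mount>/metadata/; the client needs both to create, read and remove items.
policy_hcl() {
  cat <<EOF
path "${KV_MOUNT}/data/external-secrets/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "${KV_MOUNT}/metadata/external-secrets/*" {
  capabilities = ["list", "read", "delete"]
}
EOF
}

configure() {
  # Steps 2 and 6 fail with "path is already in use" on a second run, so check first.
  if ! run "$VAULT_BIN" auth list | grep -q '^kubernetes/'; then
    run "$VAULT_BIN" auth enable kubernetes
  fi
  if ! run "$VAULT_BIN" secrets list | grep -q "^${KV_MOUNT}/"; then
    run "$VAULT_BIN" secrets enable -path="$KV_MOUNT" kv-v2
  fi
  # Step 3: let Vault validate OpenShift service account tokens via the API server.
  run "$VAULT_BIN" write auth/kubernetes/config \
    token_reviewer_jwt="$(sa_token)" \
    kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR:-kubernetes.default.svc}:443" \
    kubernetes_ca_cert=@"$SA_DIR/ca.crt"
  # Step 4: policy writes are idempotent, so no check is needed.
  policy_hcl | run "$VAULT_BIN" policy write "$POLICY_NAME" -
  # Step 5: the role ties service account + namespace to the policy; short TTL (assumed 1h).
  run "$VAULT_BIN" write "auth/kubernetes/role/$ROLE_NAME" \
    bound_service_account_names="$SA_NAME" \
    bound_service_account_namespaces="$SA_NAMESPACE" \
    policies="$POLICY_NAME" \
    token_ttl=1h
}

# Prove the chain works: log in with a service account JWT, then write, read
# and delete one key under the bound path using only the token that login returned.
verify() {
  token="$(run "$VAULT_BIN" write -field=token auth/kubernetes/login role="$ROLE_NAME" jwt="$(sa_token)")"
  run env VAULT_TOKEN="$token" "$VAULT_BIN" kv put "${KV_MOUNT}/external-secrets/smoke-test" ok=1
  got="$(run env VAULT_TOKEN="$token" "$VAULT_BIN" kv get -field=ok "${KV_MOUNT}/external-secrets/smoke-test")"
  run env VAULT_TOKEN="$token" "$VAULT_BIN" kv metadata delete "${KV_MOUNT}/external-secrets/smoke-test"
  [ "$DRY_RUN" = "1" ] || [ "$got" = "1" ] || { echo "smoke test failed: read '$got'" >&2; exit 1; }
}

main() {
  if [ "$DRY_RUN" != "1" ] && ! command -v "$VAULT_BIN" >/dev/null 2>&1; then
    echo "vault CLI not found" >&2; return 1
  fi
  configure
  verify
}

# Run the steps only when invoked as the script itself (sh configure-vault.sh),
# so the functions can also be sourced from another shell for checks.
case "${0##*/}" in
  configure-vault.sh) main ;;
esac
```

If the final check fails with a permission error on kv put, the token came back without the policy: compare the role's bound_service_account_names and bound_service_account_namespaces with the service account of the pod you ran the script in. If the login itself fails, the token reviewer service account from step 3 is usually not allowed to call the TokenReview API.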