Configuring HashiCorp Vault
Introduction
HashiCorp Vault is a secrets management tool that provides a single source of truth for secrets and credentials and attaches access policies to them.
After HashiCorp Vault has been set up, it must be configured to work with OpenShift secrets.
Steps to configure the vault
Open a shell on the Vault server (the commands below read its Kubernetes service account token and CA certificate) and run the commands in the order listed.
Establish communication between OpenShift and Vault by enabling the Kubernetes auth method in Vault.
vault auth enable kubernetes
The Kubernetes auth method authenticates clients to Vault with a Kubernetes service account token. Vault accepts such a token from any client inside the Kubernetes cluster and checks with the Kubernetes API that the token is valid before granting access to the configured path.
Configure the Kubernetes path
Write the Kubernetes configuration to Vault so that Vault can validate OpenShift service account tokens.
vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Create policies
Policies in Vault define which paths a client may access and with which capabilities.
vault policy write external-secrets-policy - <<EOF
path "secret/data/external-secrets/*" {
  capabilities = ["read", "create", "update", "delete"]
}
EOF
Create roles
A role ties the policy to the Kubernetes service accounts that may use it: every policy needs a role and an associated service account before a workload can obtain it.
# bound_service_account_namespaces='*' lets cpd-admin-sa in any namespace
# assume this role; narrow it to the namespace(s) that need the secrets.
vault write auth/kubernetes/role/external-secrets-role \
    bound_service_account_names=cpd-admin-sa \
    bound_service_account_namespaces='*' \
    policies=external-secrets-policy
Enable a Secret Engine KV
Enable a key/value (KV) secrets engine at the path where the secrets will be stored.
# A KV v2 engine mounted at "secret" serves its data under secret/data/...,
# which is the path the policy above references. "/v1/" is the HTTP API
# prefix, not part of a mount path, so it must not appear in -path.
vault secrets enable -path=secret kv-v2
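As an added illustration (not code from the original page or from Vault itself), the following Python model shows how Vault evaluates the objects configured in these steps: the role's service account bindings at login and the policy's path glob against the request path a KV mount produces. The role and policy values are copied from the steps above; the mount paths, namespaces and the secret key are constructed inputs.

```python
# Added example (not from the original page): a small model of how Vault
# evaluates the role and policy configured above. ROLE and POLICY_PATH copy
# the page's values; mount paths, namespaces and the key are constructed.

ROLE = {
    "bound_service_account_names": ["cpd-admin-sa"],
    "bound_service_account_namespaces": ["*"],
}
POLICY_PATH = "secret/data/external-secrets/*"


def role_permits(role: dict, sa_name: str, sa_namespace: str) -> bool:
    """Kubernetes auth login: the token's service account must satisfy both
    bindings. A bound list of ['*'] matches anything, so the page's role
    accepts cpd-admin-sa from every namespace."""
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    name_ok = names == ["*"] or sa_name in names
    ns_ok = namespaces == ["*"] or sa_namespace in namespaces
    return name_ok and ns_ok


def kv_request_path(mount: str, key: str, kv_version: int) -> str:
    """Path the ACL sees for a key under a KV mount: KV v2 inserts 'data/'."""
    mount = mount.strip("/")  # mount paths never carry a leading '/'
    return f"{mount}/data/{key}" if kv_version == 2 else f"{mount}/{key}"


def policy_path_matches(policy_path: str, request_path: str) -> bool:
    """Vault ACL path rule: a trailing '*' is a prefix glob and '+' matches
    exactly one segment; otherwise the path must match exactly."""
    is_glob = policy_path.endswith("*")
    pol_segs = (policy_path[:-1] if is_glob else policy_path).split("/")
    req_segs = request_path.split("/")
    if is_glob:
        if len(req_segs) < len(pol_segs):
            return False
        if any(p not in ("+", r) for p, r in zip(pol_segs[:-1], req_segs)):
            return False
        return req_segs[len(pol_segs) - 1].startswith(pol_segs[-1])
    return len(pol_segs) == len(req_segs) and all(
        p in ("+", r) for p, r in zip(pol_segs, req_segs))


def can_read_secret(mount: str, kv_version: int, key: str,
                    sa_name: str, sa_namespace: str) -> bool:
    """Log in through the role, then check the policy against the KV path."""
    if not role_permits(ROLE, sa_name, sa_namespace):
        return False
    return policy_path_matches(POLICY_PATH, kv_request_path(mount, key, kv_version))
```

With a KV v2 engine at `secret`, key `external-secrets/db-creds` resolves to `secret/data/external-secrets/db-creds` and the policy grants it; a mount created as `/v1/secret/data/external-secrets/` produces a request path the same policy never matches.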