Hashicorp Vault (prerequisites)
1. Deploy Hashicorp Vault
Installation manuals: www.vaultproject.io/docs/install
2. Create a set of policies with the following rules
path "{{PATH_PREFIX}}/*" {
capabilities = ["read", "delete", "list", "create", "update"]
}
path "auth/approle/role/*" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/approle/role/+/secret-id" {
capabilities = ["update"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/create" {
capabilities = ["update"]
}where {{PATH_PREFIX}} refers to the folder where all the secrets of this role will be stored.
To create it from a CLI use the following:
$ vault policy write ${{POLICIES_NAME}} ./catalyst.hclwhere {POLICIES_NAME} - any name you give, supposing you’ve created a file “catalyst.hcl” with the policies listed above.
3. Enable the “AppRole” auth method
Catalyst Blockchain Platform must be able to authenticate into Vault for managing the secrets and mounting them into pods. In the current version, only AppRole is supported
$ vault auth approle enable4. Create an AppRole
$ vault write auth/approle/role/{{ROLE_NAME}} token_policies={{POLICIES_NAME}} token_ttl=5m token_max_ttl=10m token_no_default_policy=truewhere:
-
{POLICIES_NAME}refers to the policy set created in step 2. -
{ROLE_NAME}– can be any.
5. Read the ID of the created role
$ vault read auth/approle/role/{{ROLE_NAME}}/role-id -format=json6. Generate a secret for the created role and persist the output
$ vault write -f auth/approle/role/{{ROLE_NAME}}/secret-id -format=json|
In case of a leak of the secret, type the following command: where After that follow step 5 and update the helm chart values. |
7. Put the Vault TLS certificate to the Kubernetes secret
Put your Vault TLS certificate with the trust chain to the Kubernetes secret called “vault-tls”
|
The Kubernetes secret name is specified in the helm chart values. |