HashiCorp Vault (prerequisites)

1. Deploy HashiCorp Vault

Installation manuals: www.vaultproject.io/docs/install

2. Create a set of policies with the following rules

path "{{PATH_PREFIX}}/*" {
    capabilities = ["read", "delete", "list", "create", "update"]
}

path "auth/approle/role/*" {
    capabilities = ["read"]
}

path "auth/token/lookup-self" {
    capabilities = ["read"]
}

path "auth/approle/role/+/secret-id" {
    capabilities = ["update"]
}

path "auth/token/renew-self" {
    capabilities = ["update"]
}

path "auth/token/create" {
    capabilities = ["update"]
}

where {{PATH_PREFIX}} is the path under which all secrets of this role will be stored.

To create it from the CLI, run:

$ vault policy write {{POLICIES_NAME}} ./catalyst.hcl

where {{POLICIES_NAME}} is any name you choose, assuming you have saved the policy rules listed above in a file named “catalyst.hcl”.

3. Enable the “AppRole” auth method

Catalyst Blockchain Manager must be able to authenticate to Vault in order to manage the secrets and mount them into pods. In the current version, only AppRole is supported.

$ vault auth enable approle

4. Create an AppRole

$ vault write auth/approle/role/{{ROLE_NAME}} token_policies={{POLICIES_NAME}} token_ttl=5m token_max_ttl=10m token_no_default_policy=true

where:

  • {{POLICIES_NAME}} refers to the policy set created in step 2.

  • {{ROLE_NAME}} can be any name.

5. Read the ID of the created role

$ vault read auth/approle/role/{{ROLE_NAME}}/role-id -format=json

6. Generate a secret ID for the created role and persist the output

$ vault write -f auth/approle/role/{{ROLE_NAME}}/secret-id -format=json

If the secret ID is leaked, revoke it with the following command:

$ vault write auth/approle/role/{{ROLE_NAME}}/secret-id-accessor/destroy secret_id_accessor={{SECRET_ID_ACCESSOR}}

where {{SECRET_ID_ACCESSOR}} is the secret_id_accessor value from the output of the secret-generation command above.

After that, follow step 5 and update the Helm chart values.

7. Store the Vault TLS certificate in a Kubernetes secret

Store your Vault TLS certificate, including its trust chain, in a Kubernetes secret named “vault-tls”.

The name of this Kubernetes secret is specified in the Helm chart values.
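A smoke test for the AppRole configured in steps 2 to 7, as an added example that is not part of this manual or of Catalyst Blockchain Manager: it logs in over the Vault HTTP API with the role-id and secret-id, verifying the server certificate against the same trust chain you store in the vault-tls secret, and then uses auth/token/lookup-self (permitted by the policy from step 2) to check that the issued token carries only the intended policy and the TTL set on the role in step 4. The Vault address, the CA bundle path and the policy name “catalyst” in the constructed sample response are assumptions; only the Python standard library is used.

```python
import json
import ssl
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # placeholder, assumption
VAULT_CACERT = "/etc/vault/ca-chain.pem"            # placeholder: same chain as the vault-tls secret


def _request(addr, path, token=None, body=None, cafile=None):
    """Minimal Vault HTTP API call: GET when body is None, JSON POST otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data,
                                 method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    # Verify the server certificate against the trust chain from step 7.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def approle_login(addr, role_id, secret_id, cafile=VAULT_CACERT):
    """Exchange the role-id (step 5) and secret-id (step 6) for a client token."""
    body = {"role_id": role_id, "secret_id": secret_id}
    return _request(addr, "auth/approle/login", body=body, cafile=cafile)["auth"]["client_token"]


def lookup_self(addr, token, cafile=VAULT_CACERT):
    """Read the token's own metadata; the policy above grants read on this path."""
    return _request(addr, "auth/token/lookup-self", token=token, cafile=cafile)["data"]


def check_token(lookup, policy, token_ttl=300):
    """Compare lookup-self data with the role from step 4; return a list of findings."""
    findings = []
    if sorted(lookup.get("policies", [])) != [policy]:
        findings.append(f"policies {lookup.get('policies')} differ from [{policy!r}] "
                        "(token_no_default_policy=true should drop 'default')")
    if not lookup.get("renewable"):
        findings.append("token is not renewable, so auth/token/renew-self will fail")
    if lookup.get("creation_ttl", 0) > token_ttl:
        findings.append(f"creation_ttl {lookup.get('creation_ttl')}s exceeds token_ttl {token_ttl}s")
    return findings


# Constructed sample of a lookup-self response for a correctly configured role.
SAMPLE_LOOKUP = {"policies": ["catalyst"], "renewable": True, "creation_ttl": 300,
                 "ttl": 287, "type": "service"}
```

Call check_token(lookup_self(VAULT_ADDR, approle_login(VAULT_ADDR, role_id, secret_id)), "{{POLICIES_NAME}}") right after generating a secret ID; an empty list means the token matches the role, and any finding names the role or policy setting to correct.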