Hashicorp Vault (prerequisites)
Supported versions: 1.8 and later.
path "{{PATH_PREFIX}}/*" {
capabilities = ["read", "delete", "list", "create", "update"]
}
path "auth/approle/role/*" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/approle/role/+/secret-id" {
capabilities = ["update"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/create" {
capabilities = ["update"]
}
where {{PATH_PREFIX}} refers to the folder where all the secrets of this role will be stored.
To create the policy from the CLI, use the following:
$ vault policy write {{POLICIES_NAME}} ./catalyst.hcl
where {{POLICIES_NAME}} – any name you give, supposing you’ve created a file “catalyst.hcl” with the policies listed above.

Catalyst Blockchain Platform must be able to authenticate into Vault to manage the secrets and mount them into pods. In the current version, only AppRole is supported.
$ vault auth enable approle
$ vault write auth/approle/role/{{ROLE_NAME}} token_policies={{POLICIES_NAME}} token_ttl=5m token_max_ttl=10m token_no_default_policy=true
where:
- {{ROLE_NAME}} – any name you choose.
$ vault read auth/approle/role/{{ROLE_NAME}}/role-id -format=json
$ vault write -f auth/approle/role/{{ROLE_NAME}}/secret-id -format=json
NOTE: If the secret ID leaks, revoke it with the following command:
$ vault write auth/approle/role/{{ROLE_NAME}}/secret-id-accessor/destroy secret_id_accessor={{SECRET_ID_ACCESSOR}}
where {{SECRET_ID_ACCESSOR}} is obtained from the output of the command that generates the secret ID for the role.

Put your Vault TLS certificate with its trust chain into the Kubernetes secret called “vault-tls”.
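The AppRole steps above, from login through secret-ID rotation and the leak response, map onto Vault's HTTP API as follows. This is an added example, not Catalyst Blockchain Platform code: it assumes the policy and role from this page already exist, reads VAULT_ADDR / ROLE_ID / SECRET_ID from the environment for a live run, and otherwise exercises the same flow against a constructed stand-in for Vault; the role name "catalyst" and every token, secret ID and accessor value in the stand-in are made up. Each function's docstring names the policy path and capability that the call needs, which is how you can check that the policy above is the minimum the platform requires.

```python
"""AppRole flow behind the CLI steps on this page, against Vault's HTTP API.

Added example, not Catalyst Blockchain Platform code. Assumes Vault is
reachable at VAULT_ADDR with the policy and role defined above; the role
name, token, secret_id and accessor values in the offline stand-in are
constructed.
"""
import json
import os
import urllib.request

# {{ROLE_NAME}} from the page; "catalyst" is an assumed default.
ROLE_NAME = os.environ.get("ROLE_NAME", "catalyst")


def http_send(method, url, body=None, token=None):
    """Real transport: one JSON request to Vault; returns the parsed reply ({} on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def approle_login(addr, role_id, secret_id, send=http_send):
    """Trade role_id + secret_id for a client token (unauthenticated login endpoint)."""
    reply = send("POST", f"{addr}/v1/auth/approle/login",
                 {"role_id": role_id, "secret_id": secret_id})
    auth = reply["auth"]
    # token_ttl=5m on the role shows up here as lease_duration=300.
    return auth["client_token"], auth["lease_duration"], auth["renewable"]


def token_ttl(addr, token, send=http_send):
    """Remaining TTL of our own token; needs 'read' on auth/token/lookup-self."""
    return send("GET", f"{addr}/v1/auth/token/lookup-self", None, token)["data"]["ttl"]


def renew_self(addr, token, send=http_send):
    """Extend the token before its 5m TTL lapses (capped by token_max_ttl=10m);
    needs 'update' on auth/token/renew-self."""
    return send("POST", f"{addr}/v1/auth/token/renew-self", {}, token)["auth"]["lease_duration"]


def issue_secret_id(addr, token, role_name, send=http_send):
    """Mint a fresh secret_id; needs 'update' on auth/approle/role/+/secret-id.
    Keep the accessor: it is the handle used to revoke this secret_id if it leaks."""
    data = send("POST", f"{addr}/v1/auth/approle/role/{role_name}/secret-id", {}, token)["data"]
    return data["secret_id"], data["secret_id_accessor"]


def destroy_secret_id(addr, token, role_name, accessor, send=http_send):
    """Revoke one secret_id by accessor (the leak response on this page) without
    touching the role or any other outstanding secret_id."""
    send("POST", f"{addr}/v1/auth/approle/role/{role_name}/secret-id-accessor/destroy",
         {"secret_id_accessor": accessor}, token)
    return True


def fake_vault(method, url, body=None, token=None):
    """Constructed stand-in for Vault so the flow can run offline.
    Reply shapes mirror real responses; all values are made up."""
    if url.endswith("/v1/auth/approle/login"):
        return {"auth": {"client_token": "hvs.demo-token", "lease_duration": 300, "renewable": True}}
    if token != "hvs.demo-token":  # every other call must carry the token we issued
        raise PermissionError("missing or wrong X-Vault-Token")
    if url.endswith("/v1/auth/token/lookup-self"):
        return {"data": {"ttl": 299}}
    if url.endswith("/v1/auth/token/renew-self"):
        return {"auth": {"lease_duration": 300}}
    if url.endswith(f"/v1/auth/approle/role/{ROLE_NAME}/secret-id"):
        return {"data": {"secret_id": "demo-secret-id-2", "secret_id_accessor": "demo-accessor"}}
    if url.endswith("/secret-id-accessor/destroy") and body == {"secret_id_accessor": "demo-accessor"}:
        return {}
    raise LookupError(f"unexpected {method} {url}")


def run_flow(addr, role_id, secret_id, send=http_send):
    """Login, inspect and renew the token, mint a secret_id, then revoke it by accessor."""
    token, ttl, renewable = approle_login(addr, role_id, secret_id, send)
    new_secret_id, accessor = issue_secret_id(addr, token, ROLE_NAME, send)
    return {
        "token": token,
        "initial_ttl": ttl,
        "renewable": renewable,
        "remaining_ttl": token_ttl(addr, token, send),
        "renewed_ttl": renew_self(addr, token, send),
        "new_secret_id": new_secret_id,
        "accessor": accessor,
        "revoked": destroy_secret_id(addr, token, ROLE_NAME, accessor, send),
    }


if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR"):
        result = run_flow(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"],
                          os.environ["SECRET_ID"], http_send)
    else:  # no Vault configured: constructed values against the stand-in
        result = run_flow("http://vault.invalid:8200", "demo-role-id", "demo-secret-id", fake_vault)
    print(json.dumps(result, indent=2))
```

Note that nothing in the flow needs `auth/token/create` or the `{{PATH_PREFIX}}/*` capabilities; those cover the platform's own secret handling, which this example does not touch. Revoking by accessor rather than by secret ID is deliberate: the accessor can be stored and logged safely, while the secret ID itself never has to be written down after it is handed to the platform.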