This document provides instructions on how to create a secret policy in VoltConsole. The secret policy is used to encrypt your application secrets using the Volterra Blindfold and to decrypt them from your vK8s application. To know more about Blindfold and secrets management, see Volterra Blindfold.
Using the instructions provided in this guide, you can create a secret policy with policy rules to define permissions for your application to decrypt the secret.
The following prerequisites apply:

- A Volterra account.
  Note: If you do not have an account, see Create a Volterra Account.
- An application running on vK8s.
  Note: If you do not have an application running on vK8s, see Deploy Application.
- The vesctl tool. Download vesctl on your local machine; it is used to apply Blindfold to the TLS certificate.
Creating a secret policy optionally includes associating a secret policy rule with it. You can create and attach a policy rule as part of secret policy creation itself or you can attach an existing rule. This example shows creating a rule as part of the secret policy creation.
The secret policy allows Wingman, running as a sidecar in your application, to access the secret.
Step 1: Navigate to your application namespace.
Log into VoltConsole and click App on the namespace selector. Click on the namespace drop-down and select the namespace in which you want to create the secret policy. Select Security from the configuration menu and Secrets from the options. Select Secret Policies and click Add secret policy. The policy creation form gets loaded.
Step 2: Configure the secret policy.
Perform the following steps:
Step 2.1: Enter the basic configuration.
- Enter a name for your secret policy.
- Select an option for the Rule Combining Algorithm field as per the following guidelines:
  - First Rule Match: Evaluates each rule in the order of configuration and stops at the first match.
  - Deny Rule Overrides: Evaluates all "allow" rules only.
  - Allow Rule Overrides: Evaluates all "deny" rules before evaluating any "allow" rules.
Step 2.2: Optionally, attach a secret policy rule.
You can select a created rule or create a new rule. This example shows creating a new rule. Click Add secret policy rule in the Secret Policy Rules section. Perform the configuration as per the following guidelines:
- Enter a name for the secret policy rule.
- Set an action in the Action field. Supported actions are Allow and Deny. This example shows the allow option.
- Optionally, enter the name of the client accessing the server.
- Set a label for the Client Label Selector field using the label selector expression for the client. Any label applied to the application can be used to write the expression. This example sets app=demo-tls-server as the label expression.
- Set the Client Name Matcher field as per the following guidelines:
  - Exact Values: Exact DNS names of the clients to match. Click Add item and add the exact value. You can specify more than one entry.
  - Regex Values: Regex patterns for DNS names to match. Click Add item and add the regular expression to match DNS names. You can specify more than one entry.
- Click Save and Exit to create the rule and attach it to the secret policy.
Step 2.3: Complete creating the secret policy.
- Optionally, allow Volterra services to decrypt secrets under this policy by selecting the corresponding option.
- Click Save and Exit to complete creating the secret policy.
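To see how the fields configured in Step 2 combine into a decision, the following Python is an added example, not Volterra's code and not a description of how VoltConsole or Wingman evaluate policies internally. It models a secret policy with the rule combining algorithm, the client label selector and the Client Name Matcher (exact and regex values) described above, and evaluates the same two constructed decrypt requests under each of the three combining algorithms. The `key=value` selector syntax, the deny-by-default result when no rule matches, and the precise semantics of the two "overrides" algorithms are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Added example (not Volterra's code): a minimal model of the secret policy
# described in this guide. Selector syntax, deny-by-default and the
# "overrides" semantics are assumptions made for illustration.


def parse_label_selector(expr: str) -> Dict[str, str]:
    """Parse an equality selector such as "app=demo-tls-server,tier=web" (assumed syntax)."""
    selector: Dict[str, str] = {}
    for term in filter(None, (t.strip() for t in expr.split(","))):
        key, sep, value = term.partition("=")
        if not sep or not key:
            raise ValueError(f"unsupported selector term: {term!r}")
        selector[key] = value
    return selector


@dataclass
class SecretPolicyRule:
    name: str
    action: str                                  # "allow" or "deny"
    client_label_selector: str = ""              # label expression; "" matches any client
    exact_values: List[str] = field(default_factory=list)  # Client Name Matcher: exact DNS names
    regex_values: List[str] = field(default_factory=list)  # Client Name Matcher: regex patterns

    def matches(self, client_labels: Dict[str, str], client_name: str) -> bool:
        # Every key=value in the selector must be present on the requesting client.
        for key, value in parse_label_selector(self.client_label_selector).items():
            if client_labels.get(key) != value:
                return False
        # With no name matcher configured, the label selector alone decides.
        if not self.exact_values and not self.regex_values:
            return True
        if client_name in self.exact_values:
            return True
        # fullmatch anchors the pattern to the whole DNS name; an unanchored
        # search() would let "demo-.*" also match "evil-demo-x...".
        return any(re.fullmatch(p, client_name) for p in self.regex_values)


@dataclass
class SecretPolicy:
    name: str
    rule_combining_algorithm: str  # FIRST_RULE_MATCH | DENY_RULE_OVERRIDES | ALLOW_RULE_OVERRIDES
    rules: List[SecretPolicyRule] = field(default_factory=list)

    def evaluate(self, client_labels: Dict[str, str], client_name: str) -> str:
        matched = [r for r in self.rules if r.matches(client_labels, client_name)]
        alg = self.rule_combining_algorithm
        if alg == "FIRST_RULE_MATCH":
            # Rules are tried in configuration order; the first that matches decides.
            return matched[0].action if matched else "deny"
        if alg == "DENY_RULE_OVERRIDES":
            # Assumed semantics: any matching deny wins; otherwise a matching allow is needed.
            if any(r.action == "deny" for r in matched):
                return "deny"
            return "allow" if matched else "deny"
        if alg == "ALLOW_RULE_OVERRIDES":
            # Assumed semantics: any matching allow wins; otherwise deny.
            return "allow" if any(r.action == "allow" for r in matched) else "deny"
        raise ValueError(f"unknown rule combining algorithm: {alg}")


def demo() -> Dict[str, str]:
    """Evaluate two constructed decrypt requests under each combining algorithm."""
    rules = [
        SecretPolicyRule("allow-demo-server", "allow",
                         client_label_selector="app=demo-tls-server",
                         regex_values=[r"demo-tls-server\..*\.svc\.cluster\.local"]),
        SecretPolicyRule("deny-everything-else", "deny"),  # catch-all rule, no selector
    ]
    # Constructed clients: the demo app's own sidecar, and a pod that copied the
    # app label but presents a different DNS name.
    server = ({"app": "demo-tls-server"}, "demo-tls-server.default.svc.cluster.local")
    stray = ({"app": "demo-tls-server"}, "evil-demo-tls-server.default.svc.cluster.local")
    results: Dict[str, str] = {}
    for alg in ("FIRST_RULE_MATCH", "DENY_RULE_OVERRIDES", "ALLOW_RULE_OVERRIDES"):
        policy = SecretPolicy("demo-tls-secret-policy", alg, rules)
        results[f"{alg}/server"] = policy.evaluate(*server)
        results[f"{alg}/stray"] = policy.evaluate(*stray)
    return results


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:35} -> {decision}")
```

Two points worth noting from the output: with a catch-all deny rule in place, Deny Rule Overrides denies even the intended server, so a catch-all deny only makes sense with First Rule Match; and a regex in the Client Name Matcher should be anchored to the full DNS name (the example uses `re.fullmatch`), since a pattern that merely has to occur somewhere in the name also matches names that embed it.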