Secrets Policy

Objective

This document provides instructions on how to create a secret policy in VoltConsole. The secret policy is used to encrypt your application secrets using Volterra Blindfold and to decrypt them from your vK8s application. To know more about Blindfold and secrets management, see Volterra Blindfold.

Using the instructions provided in this guide, you can create a secret policy with policy rules to define permissions for your application to decrypt the secret.


Prerequisites

The following prerequisites apply:


Configuration

Creating a secret policy optionally includes associating a secret policy rule with it. You can create and attach a policy rule as part of secret policy creation itself or you can attach an existing rule. This example shows creating a rule as part of the secret policy creation.

The secret policy allows Wingman, running as a sidecar in your application, to access the secret.

Step 1: Navigate to your application namespace.

Log into VoltConsole and click App on the namespace selector. Click the namespace drop-down and select the namespace in which you want to create the secret policy. Select Security from the configuration menu and Secrets from the options. Select Secret Policies and click Add secret policy. The policy creation form gets loaded.

Figure: Secret Policy Navigation

Step 2: Configure the secret policy.

Perform the following steps:

Step 2.1: Enter the basic configuration.
  • Enter a name for your secret policy in the Name field.
  • Select an option for the Rule Combining Algorithm field as per the following guidelines:

    • First Rule Match: Evaluates each rule in the order of configuration.
    • Deny Rule Overrides: Evaluates all "allow" rules only.
    • Allow Rule Overrides: Evaluates all "deny" rules before evaluating any "allow" rules.

Step 2.2: Optionally, attach a secret policy rule.

You can select an existing rule or create a new rule. This example shows creating a new rule. Click Add secret policy rule in the Secret Policy Rules section. Perform the configuration as per the following guidelines:

  • Enter a name for the secret policy rule in the Name field.
  • Set an action in the Action field. Supported actions are Allow and Deny. This example uses the Allow option.
  • Optionally, enter the name of the client accessing the server in the Client Name field.
  • Set a label for the Client Label Selector field using the label selector expression for the client. Any label applied to the application can be used to write the expression. This example sets app=demo-tls-server as the label expression.
  • Optionally, set Client Name Matcher field as per the following guidelines:

    • Exact Values: Exact DNS names of the clients to match. Click Add item and add the exact value. You can specify more than one entry.
    • Regex Values: Regex patterns for DNS names to match. Click Add item and add the regular expression to match DNS names. You can specify more than one entry.

Figure: Create Secret Policy Rule

  • Click Save and Exit to create the rule and attach it to the secret policy.

Step 2.3: Complete creating the secret policy.

  • Allow Volterra services to decrypt secrets governed by this policy by selecting the Allow Volterra option.

Figure: Create Secret Policy

  • Click Save and Exit to complete creating the secret policy.
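The procedure above configures three things that together decide whether a client may decrypt a secret: the rule combining algorithm, each rule's action, and each rule's client matching (label selector expression plus optional exact or regex name matchers). The following Python model, added here as an illustration and not Volterra's own implementation or API, evaluates a policy over a few constructed clients so the effect of each combining algorithm is visible. It assumes the usual policy-combining semantics (first matching rule wins; any matching deny wins; any matching allow wins), a fail-closed default when no rule matches, and a subset of label selector syntax (`k=v`, `k!=v`, bare `k`); the rule and client names are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed model of secret policy evaluation (added example; not Volterra code).


@dataclass(frozen=True)
class Client:
    """Identity the sidecar presents: the workload's DNS name and its labels."""
    name: str
    labels: dict


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "Allow" or "Deny"
    label_selector: str = ""     # Client Label Selector, e.g. "app=demo-tls-server"; "" matches any
    exact_names: tuple = ()      # Client Name Matcher -> Exact Values
    regex_names: tuple = ()      # Client Name Matcher -> Regex Values

    def _labels_match(self, labels):
        # Assumed subset of label selector syntax: comma separated "k=v", "k!=v" or bare "k".
        for term in filter(None, (t.strip() for t in self.label_selector.split(","))):
            if "!=" in term:
                key, val = (s.strip() for s in term.split("!=", 1))
                if labels.get(key) == val:
                    return False
            elif "=" in term:
                key, val = (s.strip() for s in term.split("=", 1))
                if labels.get(key) != val:
                    return False
            elif term not in labels:
                return False
        return True

    def _name_matches(self, name):
        if not self.exact_names and not self.regex_names:
            return True  # no name matcher configured: any client name is acceptable
        return name in self.exact_names or any(re.fullmatch(p, name) for p in self.regex_names)

    def matches(self, client):
        return self._labels_match(client.labels) and self._name_matches(client.name)


ALGORITHMS = ("First Rule Match", "Deny Rule Overrides", "Allow Rule Overrides")


def evaluate(rules, algorithm, client):
    """Return "Allow" or "Deny" for one client. No matching rule means Deny (fail closed; assumption)."""
    matched = [r for r in rules if r.matches(client)]
    actions = {r.action for r in matched}
    if algorithm == "First Rule Match":
        return matched[0].action if matched else "Deny"
    if algorithm == "Deny Rule Overrides":
        return "Deny" if "Deny" in actions or not actions else "Allow"
    if algorithm == "Allow Rule Overrides":
        return "Allow" if "Allow" in actions else "Deny"
    raise ValueError(f"unknown rule combining algorithm: {algorithm}")


# Constructed sample policy: the page's app=demo-tls-server selector plus two deny rules.
RULES = (
    Rule("allow-demo", "Allow", label_selector="app=demo-tls-server"),
    Rule("deny-canary", "Deny", label_selector="app=demo-tls-server,track=canary"),
    Rule("deny-external", "Deny", regex_names=(r".*\.external\.svc",)),
)

# Constructed sample clients (names and labels are illustrative).
CLIENTS = {
    "stable": Client("demo-tls-server-0.demo.svc", {"app": "demo-tls-server", "track": "stable"}),
    "canary": Client("demo-tls-server-1.demo.svc", {"app": "demo-tls-server", "track": "canary"}),
    "external": Client("demo-tls-server.external.svc", {"app": "demo-tls-server"}),
    "other": Client("other-app-0.demo.svc", {"app": "other-app"}),
}


def decisions(algorithm, rules=RULES, clients=CLIENTS):
    """Map each sample client to the decision the policy gives under one combining algorithm."""
    return {who: evaluate(rules, algorithm, c) for who, c in clients.items()}


if __name__ == "__main__":
    for algo in ALGORITHMS:
        print(algo, decisions(algo))
```

Running it shows why the combining algorithm matters: under First Rule Match the canary and external clients are allowed because the broad `allow-demo` rule is listed first, while Deny Rule Overrides lets the later deny rules win regardless of order. A policy whose deny rules must always hold should therefore not rely on rule ordering alone.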

Concepts


API References