Secrets - Vault

Objective

In this document, you will learn how to integrate an existing Vault installation with Volterra Secrets Management and use a TLS certificate, stored as a secret in Vault, for a Virtual Host.

Further details can be found under External Secrets Management System in VES Concepts.


Prerequisites

Minimum

  • VES account.

  • Installation of Hashicorp Vault

  • A Virtual Host and a signed TLS certificate for your Virtual Host

    • Note: If you don't have an existing Virtual Host, please create one

  • Optionally, one or more cloud or edge locations with Volterra Site

Summary

  1. Log in to Vault and create a secret or use an existing secret

    • The secret refers to the private key (of the TLS certificate)

  2. Create a new Vault authentication method to access the secret: AppRole Authentication or Token Authentication

  3. Configure 'Secret Management' on Volterra to fetch the secret from Vault

  4. Discover and advertise Vault. This involves creating a virtual host for the Vault service; see "Create and Advertise a Virtual Host".

  5. Configure the application's Virtual Host to obtain the TLS certificate stored in Vault

Configuration Steps

The following shows the configuration workflow of Vault as an external secret management system.

Figure: Vault Configuration Workflow

Prepare Vault

Step 1: Volterra supports Vault authentication using either 'approle' or 'token'. Make sure one of these is configured in Vault. A sample configuration is shown below:

Figure: Approle Configuration

Sample approle configuration:

Figure: Sample Approle Configuration

Sample token configuration:

Figure: Sample Token Configuration

Step 2: Enable KV Secrets Engine from secrets configuration pane. A sample configuration is shown below:

Figure: KV Secrets Engine Setting
Figure: Enable KV Secrets Engine

Step 3: Create a secret in the path created above. The secret here is a TLS certificate. A sample configuration is shown below:

Figure: Secret Creation Setting

Figure: Create a Secret

Step 4: Create an ACL policy that grants permissions on the secret created above.

Figure: ACL Policy Creation

Step 5: Obtain the entity_id from the 'Access' section; it is used later as the Role_id in the Volterra configuration.

Figure: Obtaining Entity ID

Configure Vault for Secret Management in Volterra

Step 1: Select the 'system' namespace. From the configuration menu, select 'Manage', then 'Site Management', and choose 'Secret Management' from the options pane. Provide a name for the credentials, select API Certificate as the credential type and provide a password to access the credential.

Figure: Create Secret Management

Step 2: Input Name and Provider Name.

Figure: Configure Secret Management

Step 3: Configure Access Information.

Select Authentication Parameters from the available options. In this scenario, it is "Vault Authentication Parameters".

Figure: Configure Authentication Parameters

Select a parameter for authentication. Supported options are "AppRole Authentication" and "Token Authentication".

Figure: Configure Authentication Parameters

Provide the RoleID or Token. RoleID refers to the Vault role_id. If the user chooses Token Authentication, Secret Info can be used to encrypt the token with one of the four encryption patterns supported by Volterra.

Figure: Role ID - AppRole Authentication
Figure: Token Authentication

Provide the Secret ID. This refers to the token or the AppRole secret. Secret Info can be used to encrypt it with one of the four encryption patterns supported by Volterra.

Figure: Secret ID

Provide TLS details of Vault.

Figure: Vault - TLS
Figure: Vault - TLS

Discover and Advertise Vault

Vault can be externally hosted on Azure, AWS, or a private cloud. Follow Create and Advertise a Virtual Host from the How-To section. The two configuration aspects that differ from a traditional Advertise Policy and Virtual Host and are required for Vault are listed below:

Step 1: Advertise Policy: Select "Network Type" as "Virtual_Network_VER_INTERNAL" while adding the advertise policy.

Figure: Advertise Policy - Vault

Step 2: Virtual Host: Select "Proxy Type" as "SMA_PROXY" while adding the Virtual Host.

Figure: Virtual Host - Vault

Configure Application Virtual Host for Vault Access

This section shows a sample virtual host configuration in which the private key in the TLS Parameters section is obtained from the external Vault.

We assume that an application virtual host has been created before starting this guide. Use Create and Advertise a Virtual Host as a reference. The Virtual Host TLS Parameters configuration specific to Vault is explained below.

Step 1: Select "TLS Parameters" in the Virtual Host

Figure: Configuring TLS Parameters

Step 2: Configure TLS Parameters

Figure: Configuring TLS Parameters

Step 3: Add a TLS Certificate by selecting TLS Certificates above

Figure: Certificate URL - Base64 Encoded

Step 4: Configure the Private Key.

  • Secret Info
    • Vault Secret in this scenario
  • Provider
    • Refers to the Secret Management object created in step 1 of the "Configure Vault for Secret Management in Volterra" section above. The provider name here should be the same
  • Location
    • This is the path/location of the secret in Vault
  • Key
    • Name of the key in Vault
  • Version
    • Refers to the version of the key in Vault

Figure: Private Key Configuration
