Integration with Hashicorp Vault¶
Before you start¶
Goal
- Understand how Hub integrates with Vault.
- Set up the Vault connection.
Prerequisites
Introduction¶
Altair SLC Hub provides integration with Hashicorp Vault in two ways:
- Fetching configuration settings, such as database connection passwords, from Vault instead of storing them in the Hub configuration files.
- Using Vault as the backing storage for Hub authentication domain credentials.
Vault Connection Configuration¶
Altair SLC Hub can authenticate to Vault using either AppRole authentication or AWS IAM authentication.
To configure the Vault connection, create a copy of the [etc directory]/config.d/vault.yaml file and save it with a lexicographically greater name, such as etc/config.d/vault_custom.yaml, so that it is loaded after the original. Then edit the copy to provide the address of the Vault server, the role name and, if necessary, the authentication secret. The [etc directory]/config.d/vault.yaml file documents the necessary configuration properties.
If using AppRole authentication, the secret ID can be provided either directly in the secretID property, or indirectly by placing it in a file and setting the secretIDFile property to the location of that file. In the latter case Hub watches that file and reloads the authentication secret whenever its contents change, so the secret ID can be rotated without restarting Hub. Because the secret ID is the credential that lets Hub log in to Vault, the file should be readable only by the account Hub runs as.
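The following script is an added example (not part of the Hub product or this page) of rotating the secret ID that Hub reads from secretIDFile. It assumes an AppRole named hub, that Hub runs as the Unix user in HUB_USER, and that secretIDFile points at SECRET_ID_FILE; all three names are assumptions. The point it demonstrates is that the watched file must be replaced atomically with restricted permissions, so Hub's file watcher never reads an empty or half-written secret.

```shell
#!/bin/sh
# Added example: rotate the AppRole secret ID that Hub reads from secretIDFile.
# Assumptions (not from the page): the AppRole is named "hub", Hub runs as the
# Unix user named in HUB_USER, and secretIDFile points at SECRET_ID_FILE.
set -eu

SECRET_ID_FILE=${SECRET_ID_FILE:-/etc/hub/vault-secret-id}
HUB_USER=${HUB_USER:-hub}

# Write a new secret ID into the watched file atomically: create a temp file in
# the same directory, restrict it to the owner, write, then rename over the old
# file. rename(2) is atomic, so a reader sees either the old or the new content.
write_secret_id_file() {
  file=$1
  secret_id=$2
  dir=$(dirname "$file")
  tmp=$(mktemp "$dir/.secret-id.XXXXXX")
  chmod 600 "$tmp"
  printf '%s' "$secret_id" > "$tmp"
  mv -f "$tmp" "$file"
}

# Ask Vault for a fresh secret ID for the role (real vault CLI flags).
# Requires a logged-in vault CLI with permission on auth/approle/role/hub/secret-id.
fetch_secret_id() {
  vault write -f -field=secret_id auth/approle/role/hub/secret-id
}

main() {
  if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
    new_id=$(fetch_secret_id)
    write_secret_id_file "$SECRET_ID_FILE" "$new_id"
    chown "$HUB_USER" "$SECRET_ID_FILE"   # only the Hub account needs to read it
    echo "rotated secret ID in $SECRET_ID_FILE; Hub reloads it on the next file change event"
  else
    echo "vault CLI or VAULT_ADDR not available; nothing rotated" >&2
  fi
}

main "$@"
```

Run it from the same cron job or pipeline that issues the new secret ID. Writing directly into the watched file with a redirect would first truncate it, which is exactly the window in which Hub could pick up an empty secret; the temp-file-and-rename pattern avoids that.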
Verification¶
Verify Vault Credentials
- Run hubctl verify vault.
To check that Hub can authenticate to Vault with the configured credentials, run the following command:
hubctl verify vault
Configuration Settings¶
There are a number of places in the Hub configuration where connection credentials are required for external services:
- Relational database (PostgreSQL) for storage
- Object store
- LDAP or Active Directory for authentication or user account synchronization
- SMTP server for sending emails
The credentials for these can all be fetched from Vault rather than being set in the normal Hub configuration files.
General notes for using the KV secrets engine¶
If the Vault command line vault kv command is used to populate Vault secrets, the form of the secret path supplied in the Hub configuration parameters is slightly different from the path used with the kv subcommand: the kv subcommand hides the data/ segment that the version 2 KV engine inserts after the mount point.
For example, if the following command is used to populate the Vault secret:
vault kv put secret/hub-creds user=hub passcode=secret
then the path required in the Hub configuration is:
secret/data/hub-creds
The path required by Hub is the same path that must be used with the generic Vault read command:
vault read secret/data/hub-creds
If that read command succeeds, the same path will work in the Hub configuration.
In general, Hub supports both version 1 and version 2 of the KV secrets engine. The data/ segment applies only to version 2 mounts; on a version 1 mount the path given to vault kv put is the path Hub requires.
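The script below is an added example, not part of the Hub documentation or product, that derives the path Hub needs from the path typed after vault kv put, for both KV engine versions, and checks it with the generic vault read command described above. It assumes the KV engine is mounted at the first path segment and, when the vault CLI and jq are available, reads the mount's version from vault secrets list; the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive the path Hub needs from the path used with `vault kv`.
# Assumption (not from the page): the KV engine is mounted at the first path
# segment. The engine version is passed in, or detected from the server when
# the vault CLI and jq are present.
set -eu

# hub_secret_path KV_PATH [VERSION]
# KV_PATH is the path as typed after `vault kv put`, e.g. secret/hub-creds.
# VERSION is 1 or 2 (defaults to 2, which is what kv-v2 mounts use).
hub_secret_path() {
  kv_path=$1
  kv_version=${2:-2}
  case $kv_path in
    */*) ;;
    *) echo "path must be of the form mount/secret, got: $kv_path" >&2; return 1 ;;
  esac
  mount=${kv_path%%/*}
  rest=${kv_path#*/}
  case $kv_version in
    2) printf '%s/data/%s\n' "$mount" "$rest" ;;   # v2 serves secrets under data/
    1) printf '%s\n' "$kv_path" ;;                 # v1 uses the path unchanged
    *) echo "unsupported KV version: $kv_version" >&2; return 1 ;;
  esac
}

# Version of the KV mount holding KV_PATH, read from the server (needs vault + jq).
# v1 mounts may report no options at all, which jq's // operator maps to "1".
kv_mount_version() {
  mount=${1%%/*}
  vault secrets list -format=json | jq -r --arg m "$mount/" '.[$m].options.version // "1"'
}

main() {
  path=${1:-secret/hub-creds}
  if command -v vault >/dev/null 2>&1 && command -v jq >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
    version=$(kv_mount_version "$path")
    hub_path=$(hub_secret_path "$path" "$version")
    vault kv put "$path" user=hub passcode=secret >/dev/null
    echo "KV v$version mount; path for the Hub configuration: $hub_path"
    # The generic read Hub performs must succeed at exactly this path.
    vault read "$hub_path"
  else
    echo "no vault server configured; showing the path mapping only" >&2
    echo "v2: $(hub_secret_path "$path" 2)"
    echo "v1: $(hub_secret_path "$path" 1)"
  fi
}

main "$@"
```

Nested paths map the same way: the data/ segment goes immediately after the mount point, so kv/hub/db/postgres on a version 2 mount becomes kv/data/hub/db/postgres, not kv/hub/db/data/postgres.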