Integrating with Vault
You can set up a HashiCorp Vault integration in a hybrid high availability disaster recovery (HADR) deployment.
Vault is a secure data management solution that stores and manages sensitive data in a confidential and compliant manner. It provides a unified interface for managing various types of secrets, such as passwords, OAuth tokens, SSH keys, and encryption keys, among others. Vault mitigates the risks that are associated with storing sensitive data in plain text, ensuring that only authorized users and applications can access it. For more information, see the Vault documentation.
IBM® Netcool® Operations Insight® on Red Hat® OpenShift® is designed to run on Red Hat OpenShift Container Platform. On such platforms, application secrets, such as passwords and certificate key pairs, are traditionally stored in Kubernetes secrets. Vault provides a unified interface to any secret, enforces tight access control, and records detailed audit logs.
The Kubernetes operators that install and manage the IBM Netcool Operations Insight on Red Hat OpenShift application provide an integration with Vault. The integration enables application secrets to be stored in and retrieved from a Vault instance, and removes the need to use Kubernetes secrets. The IBM Netcool Operations Insight on Red Hat OpenShift operators write application secrets into Vault, and the Vault Agent Injector reads the secrets from Vault and injects them into the application containers.
HashiCorp Vault Agent Injector (VAI)
The injector is a Kubernetes mutating webhook controller that intercepts pod events and applies mutations if the pod specification contains specific annotations. Typical mutations include injecting an init or sidecar container and adding shared volumes and volumeMounts. The injector uses annotations and ConfigMaps to read secrets from Vault, render them, and inject them into shared memory volumes within a pod. For more information, see Agent sidecar injector in the Vault documentation.
The following example shows such a ConfigMap for the Cassandra authentication secret. The init container authenticates with the Kubernetes auth method, then renders the username and password keys of one kv-v2 secret into two files and exits:

kind: ConfigMap
apiVersion: v1
metadata:
  name: hybrid-bvt-cassandra-vault
  namespace: evtmgr-operands
  labels:
    app.kubernetes.io/instance: hybrid-bvt
    release: hybrid-bvt
data:
  config-init.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "noi-service-account"
        }
        "type" = "kubernetes"
        "mount_path" = "auth/kubernetes"
        "namespace" = "noi"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = true
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = "{{- with secret \"secret/data/noi/hybrid-bvt-cassandra-auth-secret\" }}{{ index .Data.data \"username\" | base64Decode }}{{- end }}"
      "destination" = "/opt/ibm/cassandra_auth/username"
    }
    "template" = {
      "contents" = "{{- with secret \"secret/data/noi/hybrid-bvt-cassandra-auth-secret\" }}{{ index .Data.data \"password\" | base64Decode }}{{- end }}"
      "destination" = "/opt/ibm/cassandra_auth/password"
    }
    "vault" = {
      "address" = "https://vault-tls.vault-tls.svc:8200"
    }

The following table describes the pod annotations that the injector uses.

| Annotation | Value | Description |
|---|---|---|
| vault.xyz.com/agent-inject | true | Configures whether injection is explicitly enabled or disabled for a pod. |
| vault.xyz.com/agent-init-first | true | Configures the pod to run the Vault Agent init container first. |
| vault.xyz.com/agent-pre-populate-only | true | Configures whether an init container is the only injected container. If true, no sidecar container is injected at runtime of the pod. |
| vault.xyz.com/agent-configmap | ConfigMap name | Name of the ConfigMap where the Vault Agent configuration file and templates can be found. |
| vault.xyz.com/agent-inject-secret-SECRETNAME | Vault secret path | Configures Vault Agent to retrieve the secrets from Vault that are required by the container. |
| vault.xyz.com/secret-volume-path-SECRETNAME | Secret mount path within pod | Configures where on the file system a secret is rendered. |
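The two template blocks in the ConfigMap above each read one kv-v2 secret and base64-decode a single key of it into a file. The following Python is an added example, not IBM's or HashiCorp's code, that mimics that rendering step on a constructed kv-v2 read response, so that the data.data nesting of kv-v2 and the reason for base64Decode are visible; the allowed-prefix check that rejects templates reading outside the expected mount is an assumption of the example, and the secret values are constructed.

```python
import base64
import re

# Added example (not IBM's or HashiCorp's code): mimics how the Vault Agent
# renders the two templates of the hybrid-bvt-cassandra-vault ConfigMap.

# Constructed sample: the two template blocks from config-init.hcl on this page.
AGENT_CONFIG = r'''
"template" = {
  "contents" = "{{- with secret \"secret/data/noi/hybrid-bvt-cassandra-auth-secret\" }}{{ index .Data.data \"username\" | base64Decode }}{{- end }}"
  "destination" = "/opt/ibm/cassandra_auth/username"
}
"template" = {
  "contents" = "{{- with secret \"secret/data/noi/hybrid-bvt-cassandra-auth-secret\" }}{{ index .Data.data \"password\" | base64Decode }}{{- end }}"
  "destination" = "/opt/ibm/cassandra_auth/password"
}
'''

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed stand-in for a kv-v2 read of that path: kv-v2 nests the key/value pairs
# under data.data, and the values are stored base64-encoded (as in a Kubernetes
# secret), which is why the template pipes them through base64Decode.
KV_STORE = {
    "secret/data/noi/hybrid-bvt-cassandra-auth-secret": {
        "data": {"data": {"username": b64("cassandra"), "password": b64("s3cr3t-example")},
                 "metadata": {"version": 1}}}}

TEMPLATE_RE = re.compile(
    r'"template"\s*=\s*\{\s*"contents"\s*=\s*"((?:[^"\\]|\\.)*)"\s*"destination"\s*=\s*"([^"]*)"\s*\}')
SECRET_RE = re.compile(r'with secret "([^"]+)"')
INDEX_RE = re.compile(r'index \.Data\.data "([^"]+)"')

def parse_templates(hcl):
    """Return (secret_path, key, destination) for each template block."""
    out = []
    for contents, dest in TEMPLATE_RE.findall(hcl):
        contents = contents.replace('\\"', '"')  # undo HCL string escaping
        out.append((SECRET_RE.search(contents).group(1), INDEX_RE.search(contents).group(1), dest))
    return out

def render(hcl, kv, allowed_prefix="secret/data/noi/"):
    """Render each template as the agent would; refuse reads outside the expected kv-v2 mount (assumed policy)."""
    rendered = {}
    for path, key, dest in parse_templates(hcl):
        if not path.startswith(allowed_prefix):
            raise ValueError(f"template reads outside {allowed_prefix}: {path}")
        rendered[dest] = base64.b64decode(kv[path]["data"]["data"][key]).decode()
    return rendered
```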
Further annotations are specified with the spec.helmValuesNOI.global.vault.vsi.annotations parameter in the custom resource, for example:

global.vault.vsi.annotations: |
  vault.xyz.com/log-level: info
  vault.xyz.com/log-format: standard

Setting up a Vault integration
Complete the following steps to set up a Vault integration.
- Before you integrate Vault in a hybrid HADR deployment, specific prerequisites must be in place. Vault roles, policies, and capabilities must be configured. For more information, see Vault prerequisites.
- Install and configure a Vault instance.
- Configure Kubernetes authentication as a Vault administrator.
- Configure a kv-v2 secret store (with a name and path) within the Vault instance as a Vault administrator.
- The IBM Netcool Operations Insight on Red Hat OpenShift operator authenticates with the Vault role and Kubernetes service account token (SAT). The operator writes secrets to Vault.
- Install and configure the agent sidecar injector. The agent sidecar injector authenticates with the Vault role and Kubernetes SAT. The agent sidecar injector reads secrets from Vault.
- After the prerequisites are in place, you can install or upgrade your hybrid HADR deployment.
For more information, see Setting up a high availability disaster recovery hybrid deployment and Upgrading and rolling back on a hybrid architecture. Note: Before you upgrade, you must set the managedByUser label to false for the Vault TLS configmap. For more information, see Vault TLS configmap.
- Complete all postupgrade tasks. For more information, see Postupgrade task.
- Ensure that all secrets are in place. For more information, see Kubernetes secrets.
- Migrate your PostgreSQL data to a new namespace. For more information, see Migrating PostgreSQL data to a new cluster in a new namespace.
- Then, set up your Vault integration. For more information, see Setting up a Vault integration.