Deploy HashiCorp Vault

Create the keys and certificates that are required to enable TLS for HashiCorp Vault . The steps to set up Vault with TLS enabled to secure your deployment are shown in the following sections. For more information, see HashiCorp Vault documentation.

You need to have a secret that is named as vault-ssl-certificate in the Vault namespace that contains the TLS key and certificate. You can create this secret manually or use the following steps to create the secret by using the certificate manager. The steps to deploy HashiCorp Vault on Red Hat® OpenShift® are shown in the following sections.

Create TLS certificates for HashiCorp Vault by using cert-manager

  1. Create the Vault namespace.
    1. Set the namespace variable where the Vault service runs.
      export NAMESPACE=vault
      
    2. Create the namespace in your cluster.
      oc create namespace ${NAMESPACE}
      
  2. Create a self-signed certificate.
    1. Import the following YAML configuration to create the self-signed CA issuers.
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: vault-self-tls
        namespace: <Vault-namespace>
      spec:
        selfSigned: {}
      
    2. Replace <Vault-namespace> with the actual namespace where Vault is deployed.
    3. Click Create. The self-signed certificate issuer is created.
  3. Create a TLS certificate that references the issuer.
    1. Import the following YAML to create the TLS certificate.
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: vault-tls
        namespace: <Vault-namespace>
      spec:
        secretName: vault-ssl-certificate
        isCA: true
        commonName: "vaultserver"
        issuerRef:
          name: vault-self-tls # This name needs to match the name of the issuer that was created previously
          kind: Issuer
        dnsNames:
        - "*.<Vault-namespace>"
        - "*.<Vault-namespace>.svc"
        - "*.<Vault-namespace>.svc.cluster.local"
        ipAddresses:
        - "127.0.0.1"
      
    2. Replace the <Vault-namespace> with the actual namespace where the vault is deployed.
    3. Click Create to create the CA certificate that references the self-signed issuer.
  4. Manage Vault TLS secrets.
    1. Ensure that the secret that is named vault-ssl-certificate exists in the Vault namespace. This secret includes the tls.key and tls.crt files.
    2. Create a secret named vault-ssl-certificate in the <ftm-namespace> to hold the TLS certificate for the Vault instance.
    3. Copy the tls.crt key and its value from the vault-ssl-certificate secret in the Vault namespace.
    4. Paste the copied tls.crt key and value into the vault-ssl-certificate secret in the FTM namespace.

Install HashiCorp Vault in an Red Hat OpenShift cluster

To install Vault by using Helm in your Red Hat OpenShift cluster, complete the following steps:
  1. Set up Helm and cluster access.
    1. Install the Helm by following the Helm documentation.
    2. Log in to your Red Hat OpenShift cluster by using the oc login command.
  2. Create a custom-values.yaml file with the following content to configure Vault during deployment.
    global:
      enabled: true
      tlsDisable: false
      openshift: true
    
    server:
      extraEnvironmentVars:
        VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
    
      volumes:
        - name: userconfig-vault-server-tls
          secret:
            defaultMode: 420
            secretName: vault-ssl-certificate
    
      volumeMounts:
        - mountPath: /vault/userconfig/vault-server-tls
          name: userconfig-vault-server-tls
          readOnly: true
    
      standalone:
        enabled: true
        config: |
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
            tls_key_file  = "/vault/userconfig/vault-server-tls/tls.key"
            tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
    
          storage "file" {
            path = "/vault/data"
          }
    
  3. To install Vault on the cluster, run the following commands.
    helm repo add hashicorp https://helm.releases.hashicorp.com
    helm repo update
    helm upgrade -i vault hashicorp/vault -f custom-values.yaml -n vault --create-namespace
    
    Vault installs by using the default storage class on your cluster. For more information, see the Vault Configuration Documentation.
  4. Initialize Vault.
    1. Run the oc get pods command to check that the Vault pod vault-0 is up and running.
    2. Look for a pod named vault-0 with status Running as shown in the following sample output.
      vault-0    0/1     Running   0     47s
  5. To initialize Vault, run the following commands.
    oc -n vault exec -it vault-0 -- vault operator init
    The command generates five unseal keys and one initial root token. Save the five unseal keys and the initial root token securely; you need them for further commands.
  6. Unseal the Vault pod.
    1. Run the following command three times.
      oc -n vault exec -it vault-0 -- vault operator unseal
      
    2. Vault prompts you to enter an unseal key each time. Enter Unseal Key 1 on the first run. Enter Unseal Key 2 on the second run. Enter Unseal Key 3 on the third run.
    3. Verify that the vault-0 pod is in Ready state.
      vault-0   1/1   Running   0   14m
      
  7. Log in to Vault by using the initial root token.
    oc -n vault exec -it vault-0 -- vault login
    
  8. Enable the FTM secrets engine on the FTM path.
    oc -n vault exec -it vault-0 -- vault secrets enable -path=ftm -version=2 kv-v2
  9. Store FTM secrets in the Vault.
    1. Create a new secret entry with an FTM instance named ftm.
    2. Replace the placeholder values with your actual passwords and certificates (base64-encoded where needed).
      oc -n vault exec -it vault-0 -- vault kv put ftm/ftm \
        QMGR_PASSWORD="<password>" \
        J2SE_PROPERTIES_ENCR_PARAMS="-pass=<password>" \
        FXH_PASSWORD="<password>" \
        DUPDETECT_DB_USER="db2inst1" \
        DB_USER="db2inst1" \
        KSTORE_PASSWORD="<password>" \
        TSTORE_PASSWORD="<password>" \
        OIDC_CLIENT_SECRET="<password>" \
        DUPDETECT_DB_PASSWORD="<password>" \
        DB_PASSWORD="<password>" \
        SFTP_KEY="<base64_encoded_key>" \
        CA_CERT="<base64_encoded_cert>" \
        TLS_CERT="<base64_encoded_cert>" \
        TLS_KEY="<base64_encoded_key>" \
        MQ_CERT="<base64_encoded_cert>" \
        DB2_CERT="<base64_encoded_cert>"
      The full list of key names used by the FTM containers, which can be set in the vault secret file, can be found in Table 2. Key names for the FTM containers.
  10. Create a file named ftm-policy.hcl with the following contents. This file defines the policy that grants read and list access to values within the ftm path.
    path "ftm/data/*" {
      capabilities = ["list", "read"]
    }
    path "ftm/metadata/*" {
      capabilities = ["list", "read"]
    }
    
  11. To create the policy in Vault, run the following commands.
    cat ftm-policy.hcl | oc -n vault exec -it vault-0 -- vault policy write ftm_reader -
    

Setup Kubernetes authentication in Vault

FTM uses Kubernetes authentication to log in to Vault.
  1. Configure Kubernetes Authentication in Vault.
    1. To enable the Kubernetes authentication method, run the following command.
      oc -n vault exec -it vault-0 -- vault auth enable kubernetes
      
    2. Associate the FTM service account with the system:auth-delegator ClusterRole by applying the following YAML to your Red Hat OpenShift cluster. Replace ftm-demo with your <ftm-namespace>.
      Note: FTM runs with the default service account unless otherwise specified in the FTM custom resource.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: vault-tokenreview-binding
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: system:auth-delegator
      subjects:
        - kind: ServiceAccount
          name: default
          namespace: ftm-demo
      
  2. To get the JWT token associated with the default service account used by FTM, run the following commands. Replace default if you use a different service account. The commands need to be run from the namespace that FTM is installed under.
    SA=default
    cat <<EOF | oc apply -f -
    kind: Secret
    apiVersion: v1
    metadata:
      name: ${SA}-token
      annotations:
        kubernetes.io/service-account.name: ${SA}
    type: kubernetes.io/service-account-token
    EOF
    VAULT_TOKENREVIEW_SA_TOKEN=$(oc get secret ${SA}-token -o jsonpath='{.data.token}' | base64 -d)
  3. To specify the configuration of the Kubernetes cluster, run the following command.
    oc -n vault exec -it vault-0 -- vault write auth/kubernetes/config \
      kubernetes_host="https://kubernetes.default.svc" \
      kubernetes_ca_cert="@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \
      token_reviewer_jwt=$VAULT_TOKENREVIEW_SA_TOKEN
    
  4. Create a Vault Role to associate all service accounts in the FTM namespace with the ftm_reader policy. Replace ftm-demo with your <ftm-namespace>.
    oc -n vault exec -it vault-0 -- \
      vault write auth/kubernetes/role/ftm \
      bound_service_account_names=* \
      bound_service_account_namespaces=ftm-demo \
      audience="https://kubernetes.default.svc" \
      policies=ftm_reader