Deploy HashiCorp Vault
Create the keys and certificates that are required to enable TLS for HashiCorp Vault. The steps to set up Vault with TLS enabled to secure your deployment are shown in the following sections. For more information, see the HashiCorp Vault documentation.
You need a secret named vault-ssl-certificate in the Vault namespace that contains the TLS key and certificate. You can create this secret manually or use the following steps to create it by using cert-manager. The steps to deploy HashiCorp Vault on Red Hat® OpenShift® are shown in the following sections.
Create TLS certificates for HashiCorp Vault by using cert-manager
- Create the Vault namespace.
  - Set the namespace variable where the Vault service runs.

    ```shell
    export NAMESPACE=vault
    ```

  - Create the namespace in your cluster.

    ```shell
    oc create namespace ${NAMESPACE}
    ```

- Create a self-signed certificate.
  - Import the following YAML configuration to create the self-signed CA issuer.

    ```yaml
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: vault-self-tls
      namespace: <Vault-namespace>
    spec:
      selfSigned: {}
    ```

  - Replace <Vault-namespace> with the actual namespace where Vault is deployed.
  - Click Create. The self-signed certificate issuer is created.
- Create a TLS certificate that references the issuer.
  - Import the following YAML to create the TLS certificate.

    ```yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: vault-tls
      namespace: <Vault-namespace>
    spec:
      secretName: vault-ssl-certificate
      isCA: true
      commonName: "vaultserver"
      issuerRef:
        # This name needs to match the name of the issuer that was created previously
        name: vault-self-tls
        kind: Issuer
      dnsNames:
        - "*.<Vault-namespace>"
        - "*.<Vault-namespace>.svc"
        - "*.<Vault-namespace>.svc.cluster.local"
      ipAddresses:
        - "127.0.0.1"
    ```

  - Replace <Vault-namespace> with the actual namespace where Vault is deployed.
  - Click Create to create the CA certificate that references the self-signed issuer.
- Manage Vault TLS secrets.
  - Ensure that the secret that is named vault-ssl-certificate exists in the Vault namespace. This secret includes the tls.key and tls.crt files.
  - Create a secret named vault-ssl-certificate in the <ftm-namespace> to hold the TLS certificate for the Vault instance.
  - Copy the tls.crt key and its value from the vault-ssl-certificate secret in the Vault namespace.
  - Paste the copied tls.crt key and value into the vault-ssl-certificate secret in the FTM namespace.
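The following Python is an added example, not part of this documentation or of any FTM tooling: it performs the "Manage Vault TLS secrets" step above as a checked transformation, reading the secret that cert-manager wrote (in the shape `oc get secret -o json` returns) and emitting a secret for the FTM namespace that carries only tls.crt, so the private key never leaves the Vault namespace. The PEM bodies are constructed placeholders, and the Opaque type of the output secret is an assumption (a kubernetes.io/tls secret would require tls.key as well).

```python
import base64
import json
import re

# Constructed sample (placeholder PEM bodies, not real key material): what
# `oc -n vault get secret vault-ssl-certificate -o json` returns for the
# secret that cert-manager writes for the vault-tls Certificate.
def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()

VAULT_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "vault-ssl-certificate", "namespace": "vault"},
    "data": {
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
})

def pem_block_types(data_b64: str) -> list[str]:
    """Decode one Secret data value and list the PEM block types it holds."""
    pem = base64.b64decode(data_b64).decode("ascii", errors="replace")
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem)

def ftm_tls_secret(vault_secret_json: str, ftm_namespace: str) -> dict:
    """Build the vault-ssl-certificate Secret for the FTM namespace.

    Only tls.crt is copied: FTM needs the server certificate to verify the
    Vault endpoint, while tls.key must stay in the Vault namespace.
    """
    src = json.loads(vault_secret_json)
    data = src.get("data") or {}
    for key in ("tls.crt", "tls.key"):  # the two files the secret must contain
        if key not in data:
            raise ValueError(f"{src['metadata']['name']} is missing {key}")
    crt_types = pem_block_types(data["tls.crt"])
    if "CERTIFICATE" not in crt_types:
        raise ValueError("tls.crt does not contain a PEM CERTIFICATE block")
    if any("PRIVATE KEY" in t for t in crt_types):
        raise ValueError("tls.crt contains a private key; refusing to copy it")
    return {
        "apiVersion": "v1", "kind": "Secret",
        "type": "Opaque",  # assumption: kubernetes.io/tls would also require tls.key
        "metadata": {"name": "vault-ssl-certificate", "namespace": ftm_namespace},
        "data": {"tls.crt": data["tls.crt"]},
    }
```

Serialise the returned dict with json.dumps and pipe it to `oc apply -f -` to create the secret in the FTM namespace.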
Install HashiCorp Vault in a Red Hat OpenShift cluster
To install Vault by using Helm in your Red Hat OpenShift cluster, complete the following steps:
- Set up Helm and cluster access.
  - Install Helm by following the Helm documentation.
  - Log in to your Red Hat OpenShift cluster by using the oc login command.
  - Create a custom-values.yaml file with the following content to configure Vault during deployment.

    ```yaml
    global:
      enabled: true
      tlsDisable: false
      openshift: true
    server:
      extraEnvironmentVars:
        VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
      volumes:
        - name: userconfig-vault-server-tls
          secret:
            defaultMode: 420
            secretName: vault-ssl-certificate
      volumeMounts:
        - mountPath: /vault/userconfig/vault-server-tls
          name: userconfig-vault-server-tls
          readOnly: true
      standalone:
        enabled: true
        config: |
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
            tls_key_file = "/vault/userconfig/vault-server-tls/tls.key"
            tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
          storage "file" {
            path = "/vault/data"
          }
    ```

  - To install Vault on the cluster, run the following commands. Vault installs by using the default storage class on your cluster. For more information, see the Vault Configuration Documentation.

    ```shell
    helm repo add hashicorp https://helm.releases.hashicorp.com
    helm repo update
    helm upgrade -i vault hashicorp/vault -f custom-values.yaml -n vault --create-namespace
    ```

- Initialize Vault.
  - Run the oc get pods command to check that the Vault pod vault-0 is up and running. Look for a pod named vault-0 with status Running, as shown in the following sample output.

    ```
    vault-0 0/1 Running 0 47s
    ```

  - To initialize Vault, run the following command. The command generates five unseal keys and one initial root token. Save the five unseal keys and the initial root token securely; you need them for further commands.

    ```shell
    oc -n vault exec -it vault-0 -- vault operator init
    ```

- Unseal the Vault pod.
  - Run the following command three times.

    ```shell
    oc -n vault exec -it vault-0 -- vault operator unseal
    ```

  - Vault prompts you to enter an unseal key each time. Enter Unseal Key 1 on the first run, Unseal Key 2 on the second run, and Unseal Key 3 on the third run.
  - Verify that the vault-0 pod is in Ready state.

    ```
    vault-0 1/1 Running 0 14m
    ```

- Log in to Vault by using the initial root token.

  ```shell
  oc -n vault exec -it vault-0 -- vault login
  ```

- Enable the FTM secrets engine on the ftm path.

  ```shell
  oc -n vault exec -it vault-0 -- vault secrets enable -path=ftm -version=2 kv-v2
  ```

- Store FTM secrets in the Vault.
  - Create a new secret entry with an FTM instance named ftm.
  - Replace the placeholder values with your actual passwords and certificates (base64-encoded where needed). The full list of key names used by the FTM containers, which can be set in the Vault secret, can be found in Table 2. Key names for the FTM containers.

    ```shell
    oc -n vault exec -it vault-0 -- vault kv put ftm/ftm \
      QMGR_PASSWORD="<password>" \
      J2SE_PROPERTIES_ENCR_PARAMS="-pass=<password>" \
      FXH_PASSWORD="<password>" \
      DUPDETECT_DB_USER="db2inst1" \
      DB_USER="db2inst1" \
      KSTORE_PASSWORD="<password>" \
      TSTORE_PASSWORD="<password>" \
      OIDC_CLIENT_SECRET="<password>" \
      DUPDETECT_DB_PASSWORD="<password>" \
      DB_PASSWORD="<password>" \
      SFTP_KEY="<base64_encoded_key>" \
      CA_CERT="<base64_encoded_cert>" \
      TLS_CERT="<base64_encoded_cert>" \
      TLS_KEY="<base64_encoded_key>" \
      MQ_CERT="<base64_encoded_cert>" \
      DB2_CERT="<base64_encoded_cert>"
    ```

- Create a file named ftm-policy.hcl with the following contents. This file defines the policy that grants read and list access to values within the ftm path.

  ```hcl
  path "ftm/data/*" {
    capabilities = ["list", "read"]
  }
  path "ftm/metadata/*" {
    capabilities = ["list", "read"]
  }
  ```

- To create the policy in Vault, run the following command. The policy file is passed on standard input, so exec is run with -i only (no TTY).

  ```shell
  cat ftm-policy.hcl | oc -n vault exec -i vault-0 -- vault policy write ftm_reader -
  ```
Set up Kubernetes authentication in Vault
FTM uses Kubernetes authentication to log in to Vault.
- Configure Kubernetes authentication in Vault.
  - To enable the Kubernetes authentication method, run the following command.

    ```shell
    oc -n vault exec -it vault-0 -- vault auth enable kubernetes
    ```

  - Associate the FTM service account with the system:auth-delegator ClusterRole by applying the following YAML to your Red Hat OpenShift cluster. Replace ftm-demo with your <ftm-namespace>. Note: FTM runs with the default service account unless otherwise specified in the FTM custom resource.

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: vault-tokenreview-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
      - kind: ServiceAccount
        name: default
        namespace: ftm-demo
    ```

  - To get the JWT token associated with the default service account used by FTM, run the following commands. Replace default if you use a different service account. The commands need to be run from the namespace that FTM is installed under.

    ```shell
    SA=default
    cat <<EOF | oc apply -f -
    kind: Secret
    apiVersion: v1
    metadata:
      name: ${SA}-token
      annotations:
        kubernetes.io/service-account.name: ${SA}
    type: kubernetes.io/service-account-token
    EOF
    VAULT_TOKENREVIEW_SA_TOKEN=$(oc get secret ${SA}-token -o jsonpath='{.data.token}' | base64 -d)
    ```

  - To specify the configuration of the Kubernetes cluster, run the following command.

    ```shell
    oc -n vault exec -it vault-0 -- vault write auth/kubernetes/config \
      kubernetes_host="https://kubernetes.default.svc" \
      kubernetes_ca_cert="@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \
      token_reviewer_jwt=$VAULT_TOKENREVIEW_SA_TOKEN
    ```

  - Create a Vault role to associate all service accounts in the FTM namespace with the ftm_reader policy. Replace ftm-demo with your <ftm-namespace>. The wildcard is quoted so that the local shell does not expand it.

    ```shell
    oc -n vault exec -it vault-0 -- \
      vault write auth/kubernetes/role/ftm \
      bound_service_account_names='*' \
      bound_service_account_namespaces=ftm-demo \
      audience="https://kubernetes.default.svc" \
      policies=ftm_reader
    ```
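As an added illustration that is not part of this documentation or of Vault's own code, the following Python models which service-account tokens the ftm role above admits, applying its audience, bound_service_account_namespaces and bound_service_account_names constraints to a token's claims. The role dict and the unsigned token builder are constructed stand-ins; Vault itself validates tokens through the Kubernetes TokenReview API (which is why the reviewer account needs system:auth-delegator) rather than by decoding claims.

```python
import base64
import json

# The role written above, as a dict (constructed mirror of the Vault settings).
ROLE_FTM = {
    "bound_service_account_names": ["*"],
    "bound_service_account_namespaces": ["ftm-demo"],
    "audience": "https://kubernetes.default.svc",
    "policies": ["ftm_reader"],
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sa_token(namespace: str, name: str, audiences: list[str]) -> str:
    """Constructed, unsigned stand-in for a service-account JWT (header.payload.signature)."""
    header = {"alg": "RS256", "kid": "constructed"}
    payload = {"iss": "https://kubernetes.default.svc",
               "sub": f"system:serviceaccount:{namespace}:{name}",
               "aud": audiences}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "SIGNATURE"])

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; Vault relies on TokenReview,
    not on these claims, so this is for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def policies_for(token: str, role: dict) -> list[str]:
    """Policies the role attaches to the token's service account, or [] when
    the audience or bound_* constraints do not match."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if role["audience"] not in aud:
        return []
    _, _, namespace, name = claims["sub"].split(":", 3)
    if namespace not in role["bound_service_account_namespaces"]:
        return []
    names = role["bound_service_account_names"]
    if "*" not in names and name not in names:  # "*" admits every SA in the namespace
        return []
    return list(role["policies"])
```

With bound_service_account_names set to the wildcard, every service account in ftm-demo (not only default) receives ftm_reader; listing specific account names narrows the binding.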