Storing Gloo Edge secrets in HashiCorp Vault
Use HashiCorp Vault Key-Value storage as a backing store for Gloo Edge secrets.
When Gloo Edge boots, it reads the gloo.solo.io.Settings
custom resource named default
in the gloo-system
namespace of your Kubernetes cluster to receive the proxy configuration for the gateway. By default, this configuration directs Gloo Edge to connect to and use Kubernetes as the secret store for your environment. If you want Gloo Edge to read and write secrets using a HashiCorp Vault instance instead of storing secrets directly in your Kubernetes cluster, you can edit the Settings custom resource to point the gateway proxy to Vault.
Want to use Vault with Gloo Edge outside of Kubernetes instead? You can provide your settings file to Gloo Edge inside of a configuration directory when you run Gloo Edge locally
Customizing the Gloo Edge settings file
Edit the default
settings resource so Gloo Edge reads and writes secrets using HashiCorp Vault.
Before you begin: Set up a Vault instance either in your Gloo Edge cluster or externally. Your instance must be routable on an address that you provide to Gloo Edge in the following steps, such as http://vault:8200
.
-
Edit the
default
settings resource.kubectl --namespace gloo-system edit settings default
-
Make the following changes to the resource.
- Remove the existing
kubernetesSecretSource
,vaultSecretSource
, ordirectorySecretSource
field, which directs the gateway to use secret stores other than Vault. - Add the
secretOptions
section and define a Vault secret source as shown in this guide. Optionally, a Kubernetes and/or a Directory secret source can also be specified.If you specify both a Kubernetes and Vault secret source in your Settings resource, the Kubernetes secret is looked up first. Keep in mind that when you specify multiple secret sources, the name and namespace of each secret must be unique to avoid unanticipated behavior. - Add the
refreshRate
field to configure the polling rate at which we watch for changes in Vault secrets and the local filesystem of where Gloo Edge runs.
apiVersion: gloo.solo.io/v1 kind: Settings metadata: name: default namespace: gloo-system spec: discoveryNamespace: gloo-system gateway: validation: alwaysAccept: true proxyValidationServerAddr: gloo:9988 gloo: xdsBindAddr: 0.0.0.0:9977 kubernetesArtifactSource: {} kubernetesConfigSource: {} # Delete or comment out the existing *SecretSource field #kubernetesSecretSource: {} secretOptions: sources: # Enable secrets to be read from and written to HashiCorp Vault - vault: # Add the address that your Vault instance is routeable on address: http://vault:8200 accessToken: root # Add the refresh rate for polling config backends for changes # This setting is used for watching vault secrets and by other resource clients refreshRate: 15s
- Remove the existing
For the full list of options for Gloo Edge Settings, including the ability to set auth/TLS parameters for Vault, see the v1.Settings API reference .
An example using AWS IAM auth might look like the following:
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
name: default
namespace: gloo-system
spec:
discoveryNamespace: gloo-system
gateway:
validation:
alwaysAccept: true
proxyValidationServerAddr: gloo:9988
gloo:
xdsBindAddr: 0.0.0.0:9977
kubernetesArtifactSource: {}
kubernetesConfigSource: {}
# Delete or comment out the existing *SecretSource field
#kubernetesSecretSource: {}
secretOptions:
sources:
# Enable secrets to be read from and written to HashiCorp Vault
- vault:
# Address that your Vault instance is routeable on
address: http://vault:8200
aws:
vaultRole: vault-role
region: us-east-1
iamServerIdHeader: vault.example.com
accessKeyId: your-aws-iam-access-key-id
secretAccessKey: your-aws-iam-secret-access-key
sessionToken: your-aws-iam-session-token
# refresh rate for polling config backends for changes
# this is used for watching vault secrets and by other resource clients
refreshRate: 15s
requestTimeout: 0.5s
Writing secret objects to Vault
After configuring Vault as your secret store, be sure to write any Vault secrets by using Gloo Edge-style YAML. You can either use the glooctl create secret
command or manually write secrets.
Using glooctl
To get started writing Gloo Edge secrets for use with Vault, you can use the glooctl create secret
command. A benefit of using glooctl
for secret creation is that the secret is created in the path that Gloo Edge watches, secret/root/gloo.solo.io/v1/gloo-system/tls-secret
.
For example, you might use the following command to create a secret in Vault.
glooctl create secret tls \
--certchain /path/to/cert.pem \
--privatekey /path/to/key.pem
--name tls-secret \
--use-vault \
--vault-address http://vault:8200/ \
--vault-token "$VAULT_TOKEN"
This command creates a TLS secret with the following value:
{
"metadata": {
"name": "tls-secret",
"namespace": "gloo-system"
},
"tls": {
"certChain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}
}
You can also include the -o json
flag in the command for JSON-formatted secrets, which can be manually stored as values in Vault.
Manually writing secrets
Instead of using the glooctl create secret
command to create the Vault secret and automatically store the secret key in your Vault instance, you can use your own configuration file to create the secret. Note that you must use the same YAML format for the secret so that Gloo Edge can read the secret. For more information, see the v1.Secret API reference
.
If you manually write Gloo Edge secrets, you must store them in Vault with the correct Vault key names, which adhere to the following format:
<secret_engine_path_prefix>/<gloo_root_key>/<resource_group>/<group_version>/Secret/<resource_namespace>/<resource_name>
For example, if you want to create a secret named tls-secret
in the gloo-system
namespace, store the secret file in Vault on the path secret/root/gloo.solo.io/v1/Secret/gloo-system/tls-secret
.
Path | Description |
---|---|
<secret_engine_path_prefix> |
The pathPrefix configured in the Settings vaultSecretSource . Defaults to secret . Note that the default path for the kv secrets engine in Vault is kv when Vault is not run with -dev . |
<gloo_root_key> |
The rootKey configured in the Settings vaultSecretSource . Defaults to gloo |
<resource_group> |
The API group/proto package in which resources of the given type are contained. The Gloo Edge secrets
custom resource has the resource group gloo.solo.io . |
<group_version> |
The API group version/go package in which resources of the given type are contained. For example, Gloo Edge secrets
have the resource group version v1 . |
<resource_namespace> |
The namespace in which the secret exists. This must match the metadata.namespace of the resource YAML. |
<resource_name> |
The name of the secret. This must match the metadata.name of the resource YAML, and should be unique for all secrets within a given namespace. |
You can also use the --dry-run
flag in the glooctl secret create
command to generate your secret in a YAML file.