Skip to content

Latest commit

 

History

History
 
 

vault-hashicorp

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
src
src
 
 
README.md
README.md
 
 
build.gradle.kts
build.gradle.kts
 
 

README.md

HashiCorp Vault Extension

Please note: Using the HashiCorp vault it is possible to define multiple data entries per secret. Other vaults might allow only one entry per secret (e.g. Azure Key Vault).

Therefore, the HashiCorp vault extension only checks the 'content' data entry! Please use this knowledge when creating secrets the EDC should consume.

Configuration

Key Description Mandatory Default
edc.vault.hashicorp.url URL to connect to the HashiCorp Vault X
edc.vault.hashicorp.token Value for Token Authentication with the vault X
edc.vault.hashicorp.timeout.seconds Request timeout in seconds when contacting the vault 30
edc.vault.hashicorp.health.check.enabled Enable health checks to ensure vault is initialized, unsealed and active true
edc.vault.hashicorp.health.check.standby.ok Specifies if a vault in standby is healthy. This is useful when Vault is behind a non-configurable load balancer false
edc.vault.hashicorp.api.secret.path Path to the secret api /v1/secret
edc.vault.hashicorp.api.health.check.path Path to the health api /v1/sys/health

Health Check

The HashiCorp Vault Extension is able to run health checks. A health check is successful when the vault is initialized, active and unsealed. Successful health checks are logged with level FINE. Unsuccessful health checks will be logged with level WARNING.

Health Checks

If your project uses the Tractus-X HashiCorp Vault please set edc.vault.hashicorp.health.check.standby.ok to true. Otherwise, the health check would fail if the Vault is in standby.

# Logs of successful check with standby vault
[2022-08-01 14:48:37] [FINE   ] HashiCorp Vault HealthCheck successful. HashicorpVaultHealthResponsePayload(isInitialized=true, isSealed=false, isStandby=true, isPerformanceStandby=false, replicationPerformanceMode=disabled,replicationDrMode=disabled, serverTimeUtc=1659365317, version=1.9.2, clusterName=vault-cluster-4b193c26, clusterId=83fabd45-685d-7f8d-9495-18fab6f50d5e)

Example: Create & Configure an OAuth2 private key

Insert private key into HashiCorp Vault

cat << EOF | /bin/vault kv put secret/my-private-key content=-
        -----BEGIN PRIVATE KEY-----
        <PRIVATE KEY CONTENT>
        EOF

Configure key in the EDC

EDC_OAUTH_PRIVATE_KEY_ALIAS: my-private-key

or

edc.oauth.private.key.alias=my-privatekey

Example

#########
# Vault #
#########
edc.vault.hashicorp.url=https://vault.demo.tractus-x.net
# or even better configure token as k8 secret
edc.vault.hashicorp.token=<token>
edc.vault.hashicorp.api.secret.path=/v1/<tenant>/
edc.vault.hashicorp.health.check.standby.ok=true