Migration of Server Config Credentials to Vault

 

Overview

To keep all application credentials secret, the server config is now stored inside Vault, which is backed by a PostgreSQL storage backend. The application also provides a UI for updating all of this configuration.

 

Application side configuration

Installing a fresh Insights application

With Vault

  1. Configure Vault with the storage engine set to postgres; all configuration steps are described in Annexure A

  2. Add the following minimum configuration inside Insights INSIGHTS_HOME\.InSights\server-config.json

{
  "vault": {
    "isVaultEnable": true,
    "vaultEndPoint": "http://10.10.90.42:8200/v1",
    "secretEngine": "database-insights",
    "vaultToken": "<vault root token>"
  },
  "grafana": {
    "grafanaEndpoint": "http://localhost:3000"
  },
  "trustedHosts": [
    "localhost"
  ]
}

  3. Make sure that isVaultEnable is true with the correct Vault token, and that Vault is started and unsealed

  4. Start the Tomcat application

  5. Log in to the Insights UI with the basic Grafana credential, user ‘admin’ (the password is most probably ‘admin’)

  6. On successful login, the server configuration is loaded in the UI; make the required changes

  7. Save the changes; all your configuration is stored in Vault in encrypted form

  8. To edit any field of the server configuration later, use the Insights UI

  9. With native Grafana authentication there is no need to restart Tomcat; it automatically loads server config changes.

  10. In case of SSO, the initial login uses the initial Grafana credential; make the required changes and restart Tomcat.

 

Without Vault

Alternatively, start with the minimum configuration shown below

{
  "vault": {
    "isVaultEnable": false,
    "vaultEndPoint": "",
    "secretEngine": "",
    "vaultToken": ""
  },
  "grafana": {
    "grafanaEndpoint": "http://localhost:3000"
  },
  "trustedHosts": [
    "localhost"
  ]
}

  1. Start the Tomcat application

  2. Log in to the Insights UI with the basic Grafana credential, user ‘admin’ (the password is most probably ‘admin’)

  3. On successful login, the server configuration is loaded in the UI; make the required changes

  4. Server config changes are stored on the file system in unencrypted form

  5. With native Grafana authentication there is no need to restart Tomcat; it automatically loads server config changes.

  6. In case of SSO, the initial login uses the initial Grafana credential; make the required changes and restart Tomcat.

  7. Alternatively, edit the server config directly on the file system at INSIGHTS_HOME\.InSights\server-config.json and restart Tomcat

 

Upgrade Insights Application

With Vault

  1. Configure Vault with the storage engine set to “postgres”; all configuration steps are described in Annexure A

  2. Back up your existing server config JSON file

  3. Add the following minimum configuration inside Insights INSIGHTS_HOME\.InSights\server-config.json

{
  "vault": {
    "isVaultEnable": true,
    "vaultEndPoint": "http://10.10.90.42:8200/v1",
    "secretEngine": "database-insights",
    "vaultToken": "<vault root token>"
  },
  "grafana": {
    "grafanaEndpoint": "http://localhost:3000"
  },
  "trustedHosts": [
    "localhost"
  ]
}

  4. Make sure that isVaultEnable is true with the correct Vault token, and that Vault is started and unsealed

  5. Start the Tomcat application

  6. Log in to the Insights UI with the basic Grafana credential, user ‘admin’ (the password is most probably ‘admin’)

  7. On successful login, the server configuration is loaded in the UI; make the required changes, copying the details from your backed-up server config

  8. Save the changes; all your configuration is stored in Vault in encrypted form

  9. To edit any field of the server configuration later, use the Insights UI

  10. With native Grafana authentication there is no need to restart Tomcat; it automatically loads server config changes.

  11. In case of SSO, the initial login uses the initial Grafana credential; make the required changes and restart Tomcat.

Agent Changes with Vault

If the existing application has agents configured with Vault, it is mandatory to upgrade them using the following steps

  1. Log in to the Insights UI and go to Agent Configuration

  2. Change the agent version to >= 7.3

  3. Update all your secrets again so that they are stored in the new Vault

  4. Restart the agent

  5. New agent registrations are affected by these changes

Without Vault configuration

Upgrading to version >= 7.3 without Vault does not affect anything; it is a routine update.

Annexure A

Vault Changes With postgres DB connection

To configure Vault with “postgresql” as the storage backend and “database” as the secrets engine, do the following configuration.

Create a new vault_config.hcl and add the following configuration to it

storage "postgresql" {
  connection_url = "postgresql://grafana:grafana@localhost:5432/insightsvault?sslmode=disable"
}

ui = true
log_level = "trace"
plugin_directory = "C:\\Insights\\vault_1.5.5_windows_amd64\\plugins"

listener "tcp" {
  address     = "10.10.90.42:8200"
  tls_disable = 1
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://10.10.90.42:8201"
raw_storage_endpoint = true

 

  1. Create a plugins directory inside the Vault installation and set its path as “plugin_directory” in vault_config.hcl

  2. Download the latest plugin from https://github.com/hashicorp/vault/tree/master/plugins/database/postgresql and store the postgresql-database-plugin folder inside the plugin_directory path

  3. Run the following command from the command prompt to register the plugin in Vault. The plugin type is database, and the -sha256 value must be the SHA-256 digest of the plugin binary you placed in plugin_directory, otherwise Vault refuses to load it

vault plugin register -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 database postgresql-database-plugin

Enable the database secrets engine:

vault secrets enable database

The default path is “database”. If you want to mount it at a different path, run the following command instead

vault secrets enable -path=client1/database database

 

  1. Create a new PostgreSQL database named “insightsvault” (the database referenced by connection_url in vault_config.hcl)

  2. Add the following data tables inside the new database

CREATE TABLE vault_kv_store (
  parent_path TEXT COLLATE "C" NOT NULL,
  path        TEXT COLLATE "C",
  key         TEXT COLLATE "C",
  value       BYTEA,
  CONSTRAINT pkey PRIMARY KEY (path, key)
);

CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

CREATE TABLE vault_ha_locks (
  ha_key      TEXT COLLATE "C" NOT NULL,
  ha_identity TEXT COLLATE "C" NOT NULL,
  ha_value    TEXT COLLATE "C",
  valid_until TIMESTAMP WITH TIME ZONE NOT NULL,
  CONSTRAINT ha_key PRIMARY KEY (ha_key)
);

 

 

Configure Vault with the proper plugin and connection information:

vault write database/config/insightsvault plugin_name=postgresql-database-plugin allowed_roles="*" connection_url="postgresql://{{username}}:{{password}}@localhost:5432?sslmode=disable" username="grafana" password="grafana"

Configure a role that maps a name in Vault to the SQL statements executed to create the database credential:

vault write database/roles/insightsvaultrole db_name=insightsvault creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" default_ttl="1h" max_ttl="24h"

Make sure that db_name and the <name> in database/config/<name> are the same.

Call the following POST API to store data:

http://<host>:<port>/v1/sys/raw/<secret engine from server config>/<clientId>/serverConfig


This API needs two headers, X-Vault-Token and host; X-Vault-Token is the root token.

 

Call the following GET API to fetch data from Vault:

http://<host>:<port>/v1/sys/raw/<secret engine from server config>/<clientId>/serverConfig


This API needs the same two headers, X-Vault-Token and host; X-Vault-Token is the root token.

Create a new user name and password to log in to the Vault API rather than using the root token.
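As an added example (not Insights or Vault project code), the following Python checks the vault section of server-config.json from the sections above for settings that leave credentials exposed, and builds the sys/raw serverConfig URL described in this Annexure. The client id "client1", the sample token and the embedded config text are constructed values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the "With Vault" minimum server-config.json from this page,
# with the <vault root token> placeholder left unfilled.
SAMPLE_CONFIG = """{
  "vault": {
    "isVaultEnable": true,
    "vaultEndPoint": "http://10.10.90.42:8200/v1",
    "secretEngine": "database-insights",
    "vaultToken": "<vault root token>"
  },
  "grafana": {"grafanaEndpoint": "http://localhost:3000"},
  "trustedHosts": ["localhost"]
}"""

def check_vault_section(config):
    """Return findings about how this config will store credentials."""
    findings = []
    vault = config.get("vault", {})
    if not vault.get("isVaultEnable"):
        # Without Vault the page states the config is kept unencrypted on disk.
        findings.append("vault disabled: server config is written to disk unencrypted")
        return findings
    endpoint = vault.get("vaultEndPoint", "")
    token = vault.get("vaultToken", "")
    if not endpoint or not vault.get("secretEngine"):
        findings.append("vault enabled but vaultEndPoint or secretEngine is empty")
    if urlsplit(endpoint).scheme != "https":
        # The Annexure A listener has tls_disable = 1, so the token travels in clear.
        findings.append("vaultEndPoint is not https: X-Vault-Token is sent in clear text")
    if not token or token.startswith("<"):
        findings.append("vaultToken is empty or still the <...> placeholder")
    return findings

def raw_config_url(config, client_id):
    """Build the sys/raw URL Insights uses for serverConfig. vaultEndPoint already
    carries /v1, and there is no space before 'serverConfig'."""
    vault = config["vault"]
    return "/".join([vault["vaultEndPoint"].rstrip("/"), "sys/raw",
                     vault["secretEngine"], client_id, "serverConfig"])

def audit(config_text, client_id):
    """Parse server-config.json text; report findings and the raw URL (if Vault is on)."""
    config = json.loads(config_text)
    enabled = bool(config.get("vault", {}).get("isVaultEnable"))
    return {"findings": check_vault_section(config),
            "url": raw_config_url(config, client_id) if enabled else None}
```

Run audit(SAMPLE_CONFIG, "client1") against the sample to see both findings and the exact URL to call with the X-Vault-Token and host headers.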

 

©2021 Cognizant, all rights reserved. US Patent 10,410,152