Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.

In Our case we will be storing all the agent(tools) related secrets like username, password, accesstoken etc to vault and make sure it is not persisted anywhere other than vault.

If you are migrating from release_6.2 to release_6.3, please run following query in PostgreSQL "insights" database.

update public.agent_configuration set is_vault_enable='FALSE';

Installation of Vault

Vault is distributed as a binary package for all supported platforms and architectures which can be downloaded from https://www.vaultproject.io/downloads.html
Vault runs as a single binary named vault
Unzip the downloaded folder and add it to PATH.
- Linux -
  - ln -s <vault-binary-file-path> /usr/bin/vault
  - ln -s <vault-binary-file-path> /usr/local/bin/vault
- Windows
  - Add to Environment Variable PATH.
Restart the command prompt and verify it by giving the command vault.

Configuring Vault

Reference - https://www.vaultproject.io/docs/configuration/
In order to run Vault in prodution mode we need to customize vault using hashicorp language.
Below is the Insights Production minimal config file with .hcl extension that helps to bring vault in prod mode. We can add more configs based on the needs from the above referenced link.
- ui = true - Enables vault UI
  backend "file" {
  path = "vault-prod" - stores all secrets as a file.
  }
  #non-loopback interface
  listener "tcp" {
  address = "<ipaddress>:<port>" - starts the vault in the below ip and port
  tls_disable = 1
  }
  # Advertise the non-loopback interface
  api_addr = "http://<ipaddress>:<port>"
  cluster_addr="http://<ipaddress>:<port>"

Starting Vault

Vault can be started in 2 modes
1. Development mode
  1. This is useful for local development and all secrets are stored locally.
  2. Command -

vault server -dev

c. Starts the local vault in port 8200 . we can change the ip and port through the command -

vault server -dev -dev-listen-address=<ipaddress>:<port> -config=config.hcl

d. Check the status of vault with the command

vault status

2.Production mode

a. Command -

nohup vault server -config=config-prod.hcl > vault-prod.log &
b. Initialize and unseal vault using tokens.
vault operator init
vault operator unseal - Execute unseal command until the parameter "selead" become false.
c. Login using roottoken via command prompt
vault login <root-token>
d.Reference below for Insights prod setup.

Integration with Insights

Configuration:
1. Server-config.json
  1. "vault":
    {
    "vaultEndPoint": "http://localhost:8200/v1/", - Vault End point and its version.
    "secretEngine": "secret", - Secret Engine Name
    "vaultToken": "<root-token>" - Root token of vault.
    }
  2. Each Agent config.json is added with a new key called "agentSecretDetails" . This holds a array of secrets to be stored in vault.
    1. for eg - In git agent config.json we will have , agentSecretDetails :[ "accessToken"]
    2. In Jira agent config.json we will have , agentSecretDetails:["username","passwd"]
  3. Again the keys inside array are keys already present in config.json file. In future if we want to add few more keys to vault then we can simply edit the config.json add extra keys to it.For example , PivotalTracker currently has username,passwd as secrets if we need to add accesstoken to it we can do by agentSecretDetails:["username","passwd","accessToken]
Usage:
- Registering Agent
  - Make the slider ON for vault in other section and register the agent by giving the creds for the first time.
  - If you try to edit the the fields mentioned in "agentSecretDetails" section in config.json, those fields will turn into **** hiding the creds which are stored in vault . But if you need to edit it we can override this content which will update the vault.

Vault API for Read/write

Permission and privilege to Vault

Not everyone can access vault since the secrets details should be modified and not viewed by all.
In Order to achieve this vault provides capabilities to create roles and policies.
Step by step creation of policies and mapping it to roles are mentioned in attachment<Vault-Insights-Prod.txt>

Roles creation and policies are onetime setup .

For testing purpose we need zero configuration and can be started in Dev mode.

Reference links:

https://learn.hashicorp.com/vault/operations/ops-deployment-guide

https://learn.hashicorp.com/vault/getting-started/apis

https://www.vaultproject.io/api/secret/kv/kv-v2.html

https://www.vaultproject.io/docs/secrets/

https://www.vaultproject.io/docs/configuration/listener/tcp.html

https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault

https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

Security - FIPS 140-2 & Cryptographic Compliance : https://www.hashicorp.com/products/vault/data-protection

https://www.vaultproject.io/docs/concepts/policies.html#create

Back to Top

Browser not supported