HashiCorp Vault
HashiCorp Vault can be configured with environment variables or with a Vault entity.
Configuration via environment variables
Configure the following environment variables on your Kong Gateway data plane:
Static Vault token authentication:
export KONG_VAULT_HCV_PROTOCOL=<protocol(http|https)>
export KONG_VAULT_HCV_HOST=<hostname>
export KONG_VAULT_HCV_PORT=<portnumber>
export KONG_VAULT_HCV_MOUNT=<mountpoint>
export KONG_VAULT_HCV_KV=<v1|v2>
export KONG_VAULT_HCV_AUTH_METHOD=token
export KONG_VAULT_HCV_TOKEN=<tokenstring>
Kubernetes service account role authentication:
export KONG_VAULT_HCV_PROTOCOL=<protocol(http|https)>
export KONG_VAULT_HCV_HOST=<hostname>
export KONG_VAULT_HCV_PORT=<portnumber>
export KONG_VAULT_HCV_MOUNT=<mountpoint>
export KONG_VAULT_HCV_KV=<v1|v2>
export KONG_VAULT_HCV_AUTH_METHOD=kubernetes
export KONG_VAULT_HCV_KUBE_ROLE=<rolename>
You can also store this information in an entity.
Configuration via vaults entity
The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
Admin API
Declarative configuration
cURL
HTTPie
curl -i -X PUT http://HOSTNAME:8001/vaults/my-hashicorp-vault \
--data name="hcv" \
--data description="Storing secrets in HashiCorp Vault" \
--data config.protocol="https" \
--data config.host="localhost" \
--data config.port="8200" \
--data config.mount="secret" \
--data config.kv="v2" \
--data config.token="<mytoken>"
http -f PUT :8001/vaults/my-hashicorp-vault \
name="hcv" \
description="Storing secrets in HashiCorp Vault" \
config.protocol="https" \
config.host="localhost" \
config.port="8200" \
config.mount="secret" \
config.kv="v2" \
config.token="<mytoken>"
Result:
{
"config": {
"host": "localhost",
"kv": "v2",
"mount": "secret",
"port": 8200,
"protocol": "https",
"token": "<mytoken>"
},
"created_at": 1645008893,
"description": "Storing secrets in HashiCorp Vault",
"id": "0b43d867-05db-4bed-8aed-0fccb6667837",
"name": "hcv",
"prefix": "my-hashicorp-vault",
"tags": null,
"updated_at": 1645008893
}
Secrets management is supported in decK 1.16 and later.
Add the following snippet to your declarative configuration file:
_format_version: "3.0"
vaults:
- config:
host: localhost
kv: v2
mount: secret
port: 8200
protocol: https
token: <mytoken>
description: Storing secrets in HashiCorp Vault
name: hcv
prefix: my-hashicorp-vault
Examples
For example, let’s say you’ve configured a HashiCorp Vault with a path of secret/hello
and a key=value pair of foo=world
:
vault kv put secret/hello foo=world
Key Value
--- -----
created_time 2022-01-15T01:40:03.740833Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
Access these secrets like this:
{vault://hcv/hello/foo}
Or, if you configured an entity:
{vault://my-hashicorp-vault/hello/foo}
Vault configuration options
Use the following configuration options to configure the vaults entity through any of the supported tools:
- Admin API
- Declarative configuration
- Kong Manager
- Konnect
Configuration options for a HashiCorp vault in Kong Gateway:
Parameter | Field name | Description |
---|---|---|
vaults.config.protocol | config-protocol (Kong Manager) Protocol (Konnect) | The protocol to connect with. Accepts one of http or https . |
vaults.config.host | config-host (Kong Manager) Host (Konnect) | The hostname of your HashiCorp vault. |
vaults.config.port | config-port (Kong Manager) Port (Konnect) | The port number of your HashiCorp vault. |
vaults.config.mount | config-mount (Kong Manager) Mount (Konnect) | The mount point. |
vaults.config.kv | config-kv (Kong Manager) Kv (Konnect) | The secrets engine version. Accepts v1 or v2 . |
vaults.config.token | config-token (Kong Manager) Token (Konnect) | A token string. |
vaults.config.namespace | namespace | Namespace for the Vault. Vault Enterprise requires a namespace to successfully connect to it. |
vaults.config.auth_method | auth-method | Defines the authentication mechanism when connecting to the Hashicorp Vault service. Accepted values are: token , or kubernetes . |
vaults.config.kube_role | kube-role | Defines the HashiCorp Vault role for the Kubernetes service account of the running pod. keyring_vault_auth_method must be set to kubernetes for this to activate. |
Common options:
Parameter | Field name | Description |
---|---|---|
vaults.description optional | Description | An optional description for your vault. |
vaults.name | Name | The type of vault. Accepts one of: env , gcp , aws , or hcv . Set hcv for HashiCorp Vault. |
vaults.prefix | Prefix | The reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://my-hcv-vault/<some-secret>} . |