Integrating MetalSoft with HashiCorp Vault
To integrate MetalSoft with HashiCorp Vault, follow these instructions if Vault was not enabled as part of the original installation.
Required permissions for the metalsoft Vault user are:

path "metalsoft/*" { capabilities = [ "create", "read", "update", "patch", "delete", "list" ] }
path "auth/token/renew-self" { capabilities = ["update"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/revoke-self" { capabilities = ["update"] }

Apply the default secret and configmap:

kubectl -n $ns apply -f scripts/vault-secrets.yaml

Once Vault is unsealed, run ./scripts/vault_start_agent.sh, which will:
- enable Vault approle
- overwrite vault-metalsoft-policy.hcl with capabilities for specific paths
- apply policies for Metalsoft
- set approle role_id and secret_id
- update and apply vault-secrets.yaml
Usage: scripts/vault_start_agent.sh <namespace> [path/to/vault-secrets.yaml]

Once the above is completed, a few of the manifests will need to be updated to use the Vault agent:

# grep enable_vault *
auth-deployment.yaml: ### NOTE: enable_vault
auth-deployment.yaml: ### NOTE: enable_vault
auth-deployment.yaml: ### NOTE: enable_vault
configmaps.yaml: ### NOTE: enable_vault
inventory-deployment.yaml: ### NOTE: enable_vault
inventory-deployment.yaml: ### NOTE: enable_vault
inventory-deployment.yaml: ### NOTE: enable_vault
template-deployment.yaml: ### NOTE: enable_vault

These sections need to be uncommented, and the YAML files applied to k8s.
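Because vault_start_agent.sh overwrites vault-metalsoft-policy.hcl, it is worth confirming afterwards that the policy still grants exactly the least-privilege set listed at the top of this page and nothing beyond it. The following is an added example, not part of the MetalSoft scripts; it assumes the single-line `path "..." { capabilities = [...] }` HCL form shown above and embeds that policy text inline as its sample input.

```python
import re

# The policy from this page, embedded here as constructed sample input.
METALSOFT_POLICY = '''
path "metalsoft/*" { capabilities = [ "create", "read", "update", "patch", "delete", "list" ] }
path "auth/token/renew-self" { capabilities = ["update"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
'''

# Least-privilege expectation for the metalsoft AppRole: the secrets prefix plus
# token self-management only. Any other path (sys/*, auth/approle/*, ...) or any
# extra capability (e.g. "sudo") is reported as a finding.
EXPECTED = {
    "metalsoft/*": {"create", "read", "update", "patch", "delete", "list"},
    "auth/token/renew-self": {"update"},
    "auth/token/lookup-self": {"read"},
    "auth/token/revoke-self": {"update"},
}

# Matches one path stanza in the single-line HCL form used by this page.
_PATH_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return {path: set(capabilities)} parsed from the policy text."""
    policy = {}
    for path, caps in _PATH_RE.findall(text):
        policy[path] = set(re.findall(r'"([^"]+)"', caps))
    return policy


def audit_policy(text, expected=EXPECTED):
    """Compare a policy against the expected grants; an empty list means it matches."""
    findings = []
    parsed = parse_policy(text)
    for path, caps in parsed.items():
        if path not in expected:
            findings.append(f"unexpected path {path!r} grants {sorted(caps)}")
            continue
        extra = caps - expected[path]
        if extra:
            findings.append(f"{path!r} grants extra capabilities {sorted(extra)}")
    for path in expected:
        if path not in parsed:
            findings.append(f"expected path {path!r} is missing")
    return findings
```

To check the file the script writes, pass `open("vault-metalsoft-policy.hcl").read()` to `audit_policy` and treat any returned finding as a reason to stop before applying the manifests.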