HashiCorp Secrets Config Source
The HashiCorp Secrets Config Source takes configuration properties from HashiCorp Vault. You can learn more about HashiCorp on: https://www.vaultproject.io/
Prerequisite
This documentation assumes the following:
-
You have successfully installed the HashiCorp Vault and have a running Vault server
-
You are familiar with most, if not all, of the HashiCorp Vault technology and terminology. If not please read through their documentation before you attempt to use HashiCorp Secrets Config Source
-
Your HashiCorp Vault is unsealed
| Hashicorp config source only supports the Vault KV Secrets Engine. |
Configuration in Payara Server
You can configure HashiCorp Secrets Config Source either via the admin console or the asadmin utility. You’ll need a client token, the KV Secrets Engine API version, Vault’s address represented as URL and port, the path where the KV Secrets Engine is enabled and the path where your secrets are stored.
| By default, the KV Secrets Engine is enabled at the /secret path in Vault. |
From the Admin Console
To configure the HASHICORP_VAULT_TOKEN password alias from the admin console, refer to the Password Aliases Admin Console configuration guide.
To configure the config source from the admin console, go to Configs → your-config → MicroProfile → Config → HashiCorp Secrets.
From here you can select the KV Secrets Engine API version you want to use, configure the vault address, the path where the KV Secrets Engine is enabled and the path where your secrets are stored. You can also decide whether to apply these changes dynamically or on the next server restart. If the config source is enabled or disabled dynamically it will take effect across the server immediately.
From the Command Line
To configure the HASHICORP_VAULT_TOKEN password alias from the admin console, refer to the Password Aliases Admin Console configuration guide.
To configure the HashiCorp Secrets Config Source from the command line, use the set-hashicorp-config-source-configuration asadmin command, specifying the required parameters like this:
asadmin> set-hashicorp-config-source-configuration --enabled true --dynamic true --api-version 2 --vault-address https://127.0.0.1:8200 --secrets-engine-path secret --secrets-path my-secretYou can use the --enabled and --dynamic options to enable or disable the HashiCorp Secrets Config Source on demand.
Also, you can retrieve the current configuration for the HashiCorp Secrets Config Source using the get-hashicorp-config-source-configuration asadmin command like this:
asadmin> get-hashicorp-config-source-configuration
Enabled API Version Secrets Engine Path Secrets Path Vault Address
true 2 secret my-secret https://127.0.0.1:8200Usage
Provided that all of the above sections are configured correctly, the secrets can be injected into any applicable MicroProfile Config injection point as with any other Config Source. The secrets can also be fetched, created and deleted using the asadmin utility.
To fetch a secret form a HashiCorp Vault:
asadmin> get-config-property --source cloud --sourcename hashicorp --propertyname mysecretTo create or change a secret from a HashiCorp Vault:
asadmin> set-config-property --source cloud --sourcename hashicorp --propertyname mysecret --propertyValue secretvalueTo delete a secret from a HashiCorp Vault:
asadmin> delete-config-property --source cloud --sourcename hashicorp --propertyname mysecret