HashiCorp Vault Secret Fetching

There are many strategies for providing secrets to a service that runs as a Docker image. Some cloud providers and container orchestration services have built-in mechanisms for securely setting environment variables from values fetched at runtime. In some cases, however, such as on-premises deployments, those managed options are not readily available.

If your organization uses HashiCorp Vault to manage secrets in the KV secrets engine version 2 (KV v2), Sombra can fetch those secrets dynamically at runtime.

Our recommended way of connecting to Vault is to run the vault-agent as a sidecar container. This lets the Sombra image focus on Sombra's own work while a separate container, maintained by HashiCorp, handles authentication to your Vault cluster. Because Sombra talks to the agent over plain HTTP, the agent's listener should be reachable only from the Sombra container (for example, bound to loopback inside the same pod).

To use this approach, you'll need to set the following env vars:

| Env Var Name | Description | Type | Example |
| --- | --- | --- | --- |
| ENABLE_VAULT_FETCHER | Should be true to use Vault | boolean | true |
| VAULT_AGENT_URI | The URI of the vault agent. Usually this will be a local address if using a sidecar container | string | http://127.0.0.1:8100 |

The primary environment variables that can be fetched from Vault are:

| Env Var Name | Env var of Vault path | Env var for secret version | Env var for name of key within the path | Description |
| --- | --- | --- | --- | --- |
| SOMBRA_JWT_ECDSA_KEY | VAULT_PATH_SOMBRA_JWT_ECDSA_KEY | VAULT_VERSION_SOMBRA_JWT_ECDSA_KEY | VAULT_KEY_SOMBRA_JWT_ECDSA_KEY | The primary encryption key of Sombra when using the built-in KMS |
| SOMBRA_TLS_KEY_PASSPHRASE | VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE | An optional password for the TLS certificate key |
| SOMBRA_TLS_CERT | VAULT_PATH_SOMBRA_TLS_CERT | VAULT_VERSION_SOMBRA_TLS_CERT | VAULT_KEY_SOMBRA_TLS_CERT | The Sombra TLS certificate, as a base64-encoded string |
| SOMBRA_TLS_KEY | VAULT_PATH_SOMBRA_TLS_KEY | VAULT_VERSION_SOMBRA_TLS_KEY | VAULT_KEY_SOMBRA_TLS_KEY | The Sombra TLS key, as a base64-encoded string |
| TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_PATH_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_VERSION_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_KEY_TRUSTED_CLIENT_CA_CERT_ENCODED | The public CA cert of a client connecting to the internal Sombra over mutual TLS. If set, Sombra will require a client cert on all incoming requests to non-health routes |
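To make the path/version/key mapping above concrete, here is an added example (written for this page, not Sombra's own fetcher code, and not necessarily how Sombra implements it) that resolves one variable through a KV v2 read served by the agent. It assumes Vault's documented KV v2 HTTP API shape (`/v1/<mount>/data/<path>?version=N`, with the secret nested under `data.data`); the sample environment, the response body and the `fake_fetch` transport are constructed so the example runs offline.

```python
import json
from typing import Callable, Dict, Optional

def kv2_url(agent_uri: str, path: str, version: Optional[str]) -> str:
    # KV v2 read URL on the agent; ?version=N pins one version instead of "latest"
    url = f"{agent_uri.rstrip('/')}/v1/{path.strip('/')}"
    return f"{url}?version={version}" if version else url

def extract_kv2_value(body: bytes, key: str) -> str:
    # KV v2 nests the secret under data.data; data.metadata carries the version
    secret = json.loads(body).get("data", {}).get("data")
    if not isinstance(secret, dict) or key not in secret:
        raise KeyError(f"key {key!r} not found in KV v2 response")
    return secret[key]

def resolve_from_vault(name: str, env: Dict[str, str],
                       fetch: Callable[[str], bytes]) -> Optional[str]:
    # Hypothetical fetcher logic for this example (not Sombra's own): resolve `name`
    # through its VAULT_PATH_/VAULT_VERSION_/VAULT_KEY_ triplet when enabled.
    path = env.get(f"VAULT_PATH_{name}")
    if env.get("ENABLE_VAULT_FETCHER", "").lower() != "true" or not path:
        return env.get(name)  # fetcher off or no mapping: use the plain env var
    key = env.get(f"VAULT_KEY_{name}")
    if not key:
        raise ValueError(f"VAULT_KEY_{name} is required when VAULT_PATH_{name} is set")
    version = env.get(f"VAULT_VERSION_{name}")  # assumed optional: latest when unset
    # `fetch` is the transport; in production that is an HTTP GET to the agent,
    # which handles Vault auth itself, so no token is needed in this process.
    return extract_kv2_value(fetch(kv2_url(env["VAULT_AGENT_URI"], path, version)), key)

# Constructed sample environment and agent response (not real secrets).
SAMPLE_ENV = {
    "ENABLE_VAULT_FETCHER": "true",
    "VAULT_AGENT_URI": "http://127.0.0.1:8100",
    "VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE": "secret/data/sombra/tls",  # KV v2 API paths contain data/
    "VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE": "3",
    "VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE": "passphrase",
}
SAMPLE_RESPONSE = json.dumps({"data": {"data": {"passphrase": "constructed-pass"},
                                       "metadata": {"version": 3}}}).encode()

def fake_fetch(url: str) -> bytes:
    # Offline stand-in for the agent; fails loudly if the wrong URL is requested
    if url != "http://127.0.0.1:8100/v1/secret/data/sombra/tls?version=3":
        raise AssertionError(f"unexpected URL {url}")
    return SAMPLE_RESPONSE

if __name__ == "__main__":
    print(resolve_from_vault("SOMBRA_TLS_KEY_PASSPHRASE", SAMPLE_ENV, fake_fetch))
```

Pinning `VAULT_VERSION_*` means a rotated secret only reaches Sombra when you deliberately bump the version, which makes an unexpected value change easy to trace back to a config change.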