HashiCorp Vault Secret Fetching
There are many ways to get secrets into a containerized service. Some cloud providers and container orchestrators have built-in mechanisms for populating environment variables with values fetched securely at runtime. In some environments, such as on-premises deployments, those managed options are not available.
If your organization stores secrets in HashiCorp Vault's KV secrets engine (version 2), Sombra can fetch them dynamically at runtime.
Our recommended way of connecting to Vault is a Vault Agent sidecar container. This keeps the Sombra image focused on Sombra while a separate container, maintained by HashiCorp, handles authentication to your Vault cluster: the agent logs in with its configured auto-auth method, and Sombra sends its secret reads to the agent's local listener, which forwards them to Vault with the agent's token. Sombra itself needs no Vault credentials. Because the agent listener is typically plain HTTP on loopback, make sure it is reachable only from within the pod or network namespace: anything that can reach it can read every secret the agent's token can.
To use this approach, you'll need to set the following env vars:
Env Var Name | Description | Type | Example |
---|---|---|---|
ENABLE_VAULT_FETCHER | Set to true to enable fetching secrets from Vault | boolean | true |
VAULT_AGENT_URI | The URI of the Vault Agent listener. With a sidecar this is normally a loopback address | string | http://127.0.0.1:8100 |
The environment variables that can be fetched from Vault are listed below. For each one, three companion env vars tell Sombra where to look:
Env Var Name | Env var holding the Vault path | Env var holding the secret version | Env var holding the key name within the path | Description |
---|---|---|---|---|
SOMBRA_JWT_ECDSA_KEY | VAULT_PATH_SOMBRA_JWT_ECDSA_KEY | VAULT_VERSION_SOMBRA_JWT_ECDSA_KEY | VAULT_KEY_SOMBRA_JWT_ECDSA_KEY | The primary encryption key of Sombra when using the built-in KMS |
SOMBRA_TLS_KEY_PASSPHRASE | VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE | An optional passphrase protecting the TLS private key |
SOMBRA_TLS_CERT | VAULT_PATH_SOMBRA_TLS_CERT | VAULT_VERSION_SOMBRA_TLS_CERT | VAULT_KEY_SOMBRA_TLS_CERT | The Sombra TLS Certificate, as a base64 encoded string |
SOMBRA_TLS_KEY | VAULT_PATH_SOMBRA_TLS_KEY | VAULT_VERSION_SOMBRA_TLS_KEY | VAULT_KEY_SOMBRA_TLS_KEY | The Sombra TLS key, as a base64 encoded string |
TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_PATH_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_VERSION_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_KEY_TRUSTED_CLIENT_CA_CERT_ENCODED | The CA certificate that issued the client certificates used to reach internal Sombra over mutual TLS. If set, Sombra requires a client certificate on every incoming request except the health routes |
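To make the lookup concrete, here is a small Python model of what the fetch amounts to. It is added as an example here and is not Sombra's own code: it reads the ENABLE_VAULT_FETCHER / VAULT_AGENT_URI pair and the VAULT_PATH_* / VAULT_VERSION_* / VAULT_KEY_* triple for each documented variable, issues a KV v2 read through the agent listener, and fails closed on anything unexpected. It assumes that VAULT_PATH_* carries the full KV v2 API path (the mount plus the `data/` segment), which this page does not state; the sample environment and the canned agent response are constructed so it runs offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Mapping, Optional

# The env vars this page documents as fetchable from Vault.
SECRET_ENV_VARS = (
    "SOMBRA_JWT_ECDSA_KEY",
    "SOMBRA_TLS_KEY_PASSPHRASE",
    "SOMBRA_TLS_CERT",
    "SOMBRA_TLS_KEY",
    "TRUSTED_CLIENT_CA_CERT_ENCODED",
)


class VaultFetchError(RuntimeError):
    """A secret could not be resolved; the caller should refuse to start."""


def kv2_url(agent_uri: str, path: str, version: Optional[str] = None) -> str:
    """Build the KV v2 read URL behind the agent's local listener.

    Assumption (not stated on the page): `path` is the full API path including
    the mount and the "data/" segment, e.g. "secret/data/sombra/prod".
    """
    url = agent_uri.rstrip("/") + "/v1/" + path.strip("/")
    if version:
        # KV v2 selects a specific version with ?version=N; omitted means latest.
        url += "?" + urllib.parse.urlencode({"version": version})
    return url


def http_get(url: str) -> bytes:
    """Default transport: a plain GET to the sidecar, which attaches its own token."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def extract_key(body: bytes, key: str, version: Optional[str] = None) -> str:
    """Pull one key out of a KV v2 read response and check which version was served."""
    try:
        payload = json.loads(body)["data"]
        data, meta = payload["data"], payload.get("metadata") or {}
    except (ValueError, KeyError, TypeError) as exc:
        raise VaultFetchError("response is not a KV v2 read") from exc
    if not isinstance(data, dict):
        # KV v2 returns "data": null for soft-deleted or destroyed versions.
        raise VaultFetchError("secret version is deleted or destroyed")
    if version and str(meta.get("version")) != version:
        raise VaultFetchError(f"asked for version {version}, got {meta.get('version')}")
    value = data.get(key)
    if not isinstance(value, str) or value == "":
        raise VaultFetchError(f"key {key!r} missing or empty in secret")
    return value


def resolve_secrets(env: Mapping[str, str], fetch=http_get) -> dict:
    """Return {VAR: value} for each documented var with VAULT_PATH_<VAR> set.

    Any failure raises, so a misconfigured deployment fails closed instead of
    starting without its key material.
    """
    if env.get("ENABLE_VAULT_FETCHER", "").lower() != "true":
        return {}
    agent_uri = env.get("VAULT_AGENT_URI")
    if not agent_uri:
        raise VaultFetchError("ENABLE_VAULT_FETCHER is true but VAULT_AGENT_URI is unset")
    resolved = {}
    for var in SECRET_ENV_VARS:
        path = env.get(f"VAULT_PATH_{var}")
        if not path:
            continue  # this var is not sourced from Vault
        key = env.get(f"VAULT_KEY_{var}")
        if not key:
            raise VaultFetchError(f"VAULT_PATH_{var} is set but VAULT_KEY_{var} is not")
        version = env.get(f"VAULT_VERSION_{var}")
        try:
            body = fetch(kv2_url(agent_uri, path, version))
        except OSError as exc:
            raise VaultFetchError(f"agent request for {var} failed: {exc}") from exc
        resolved[var] = extract_key(body, key, version)
    return resolved


# Constructed sample: the env a sidecar deployment would set, and a canned agent
# response, so the model runs offline without a Vault cluster.
SAMPLE_ENV = {
    "ENABLE_VAULT_FETCHER": "true",
    "VAULT_AGENT_URI": "http://127.0.0.1:8100",
    "VAULT_PATH_SOMBRA_JWT_ECDSA_KEY": "secret/data/sombra/prod",
    "VAULT_VERSION_SOMBRA_JWT_ECDSA_KEY": "3",
    "VAULT_KEY_SOMBRA_JWT_ECDSA_KEY": "jwt_ecdsa_key",
}
SAMPLE_RESPONSE = json.dumps({"data": {
    "data": {"jwt_ecdsa_key": "-----BEGIN EC PRIVATE KEY-----...", "unrelated": "x"},
    "metadata": {"version": 3, "deletion_time": "", "destroyed": False},
}}).encode()


def fake_fetch(url: str) -> bytes:
    """Stand-in for the sidecar: serves SAMPLE_RESPONSE for the expected URL only."""
    if url != "http://127.0.0.1:8100/v1/secret/data/sombra/prod?version=3":
        raise OSError(f"unexpected request {url}")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    print(resolve_secrets(SAMPLE_ENV, fake_fetch))
```

Two details in the model are worth carrying into a real deployment. Leaving VAULT_VERSION_* unset reads the latest version, so rotating the secret in Vault changes what the next Sombra restart picks up; pinning a version makes a key change require an explicit config change. And a soft-deleted or destroyed version comes back from KV v2 with a null data block, which the model treats as a hard failure rather than an empty key.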