HashiCorp Vault Secrets Management

There are many strategies for securely providing secrets to a Docker-based service. Some cloud providers or container orchestration services have built-in mechanisms to securely set environment variables with values fetched at runtime. However, in certain scenarios, such as on-premises deployments, these managed options may not be readily available.

If your organization uses HashiCorp Vault to manage secrets in the KV secrets engine version 2 (KV v2), you can have Sombra fetch those secrets dynamically at runtime.

Our recommended approach for connecting to Vault is to run Vault Agent as a sidecar container. This keeps the Sombra image focused on its core functionality while a separate container, maintained by HashiCorp, handles authentication to your Vault cluster and exposes an authenticated local endpoint for Sombra to query.

To implement this approach, set the following environment variables:

| Env Var Name | Description | Type | Example |
| --- | --- | --- | --- |
| `ENABLE_VAULT_FETCHER` | Set to `true` to enable Vault integration | boolean | `true` |
| `VAULT_AGENT_URI` | The URI of the Vault agent (typically a local address when using a sidecar container) | string | `http://127.0.0.1:8100` |

The following environment variables can be configured to fetch secrets from Vault:

| Secret Env Var Name | Vault Path Env Var | Vault Version Env Var | Vault Key Name Env Var | Description |
| --- | --- | --- | --- | --- |
| `SOMBRA_JWT_ECDSA_KEY` | `VAULT_PATH_SOMBRA_JWT_ECDSA_KEY` | `VAULT_VERSION_SOMBRA_JWT_ECDSA_KEY` | `VAULT_KEY_SOMBRA_JWT_ECDSA_KEY` | The primary encryption key used by Sombra when using the built-in KMS |
| `SOMBRA_TLS_KEY_PASSPHRASE` | `VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE` | `VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE` | `VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE` | An optional password for the TLS certificate |
| `SOMBRA_TLS_CERT` | `VAULT_PATH_SOMBRA_TLS_CERT` | `VAULT_VERSION_SOMBRA_TLS_CERT` | `VAULT_KEY_SOMBRA_TLS_CERT` | The Sombra TLS certificate as a base64-encoded string |
| `SOMBRA_TLS_KEY` | `VAULT_PATH_SOMBRA_TLS_KEY` | `VAULT_VERSION_SOMBRA_TLS_KEY` | `VAULT_KEY_SOMBRA_TLS_KEY` | The Sombra TLS key as a base64-encoded string |
| `TRUSTED_CLIENT_CA_CERT_ENCODED` | `VAULT_PATH_TRUSTED_CLIENT_CA_CERT_ENCODED` | `VAULT_VERSION_TRUSTED_CLIENT_CA_CERT_ENCODED` | `VAULT_KEY_TRUSTED_CLIENT_CA_CERT_ENCODED` | The public CA certificate of a client connecting to the internal Sombra service over mutual TLS. When set, Sombra enforces that all incoming requests to non-health routes present a client certificate |
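To make the path/version/key triple concrete, here is an added example (not Sombra's own fetcher code) that resolves these environment variables into a single KV v2 read against the Vault Agent sidecar and extracts one key from the response. It assumes the `VAULT_PATH_*` value is the logical `<mount>/<path>` of the secret and that the `data/` segment required by Vault's KV v2 HTTP API is inserted by the caller; the sample environment and agent response below are constructed for illustration. The fetch is injectable so the example runs offline.

```python
import json
import urllib.request
from urllib.parse import quote

# Secrets the page lists as fetchable via VAULT_PATH_* / VAULT_VERSION_* / VAULT_KEY_*.
VAULT_SECRETS = (
    "SOMBRA_JWT_ECDSA_KEY",
    "SOMBRA_TLS_KEY_PASSPHRASE",
    "SOMBRA_TLS_CERT",
    "SOMBRA_TLS_KEY",
    "TRUSTED_CLIENT_CA_CERT_ENCODED",
)


def kv2_data_url(agent_uri, secret_path, version=None):
    """Build the KV v2 read URL for a logical "<mount>/<path>" secret.

    Assumption (not stated on the page): VAULT_PATH_* omits the "data/" segment,
    so it is inserted here to match /v1/<mount>/data/<path> in Vault's KV v2 API.
    """
    mount, _, rest = secret_path.strip("/").partition("/")
    if not mount or not rest:
        raise ValueError(f"expected '<mount>/<path>', got {secret_path!r}")
    url = f"{agent_uri.rstrip('/')}/v1/{quote(mount)}/data/{quote(rest)}"
    if version:
        url += f"?version={int(version)}"  # pin a version; omitted means latest
    return url


def resolve_from_env(env, secret_name):
    """Return (url, key) for one secret, or None when its VAULT_PATH_* is unset."""
    path = env.get(f"VAULT_PATH_{secret_name}")
    if not path:
        return None
    key = env.get(f"VAULT_KEY_{secret_name}")
    if not key:
        raise ValueError(f"VAULT_KEY_{secret_name} must name the key inside the secret")
    agent_uri = env.get("VAULT_AGENT_URI", "http://127.0.0.1:8100")
    return kv2_data_url(agent_uri, path, env.get(f"VAULT_VERSION_{secret_name}")), key


def extract_kv2_value(response, key):
    """Pull one key out of a KV v2 read response, refusing deleted/destroyed versions."""
    body = response.get("data") or {}
    meta = body.get("metadata") or {}
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise LookupError("requested secret version is deleted or destroyed")
    data = body.get("data") or {}
    if key not in data:
        raise KeyError(f"key {key!r} not present in this secret version")
    return data[key]


def _http_get_json(url):
    # The agent sidecar holds the Vault token, so no X-Vault-Token header is sent here.
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def fetch_secrets(env, get_json=_http_get_json):
    """Resolve every configured secret; does nothing unless ENABLE_VAULT_FETCHER is true."""
    if env.get("ENABLE_VAULT_FETCHER", "").lower() != "true":
        return {}
    resolved = {}
    for name in VAULT_SECRETS:
        spec = resolve_from_env(env, name)
        if spec is None:
            continue
        url, key = spec
        resolved[name] = extract_kv2_value(get_json(url), key)
    return resolved


# Constructed sample environment and agent response; the values are not real.
SAMPLE_ENV = {
    "ENABLE_VAULT_FETCHER": "true",
    "VAULT_AGENT_URI": "http://127.0.0.1:8100",
    "VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE": "secret/sombra/tls",
    "VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE": "2",
    "VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE": "passphrase",
}
SAMPLE_RESPONSE = {
    "data": {
        "data": {"passphrase": "example-passphrase"},
        "metadata": {"version": 2, "destroyed": False, "deletion_time": ""},
    }
}


def demo():
    """Run the resolver against the constructed samples instead of a live agent."""
    return fetch_secrets(SAMPLE_ENV, get_json=lambda url: SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(demo())
```

In a real deployment you would pass `os.environ` to `fetch_secrets` and let `_http_get_json` talk to the sidecar at `VAULT_AGENT_URI`. Pinning `VAULT_VERSION_*` keeps a rotation in Vault from silently changing the key Sombra boots with, and the metadata check refuses a soft-deleted or destroyed version rather than returning an empty value.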