Hashicorp Vault Secret Fetching
There are many strategies for placing secrets onto a Docker image service. Some cloud providers or container orchestration services have their own strategies built in to securely set environment variables with values fetched at runtime. However, there may be certain cases, such as in on premise deployments, where such managed options aren't always readily available.
If your organization uses Hashicorp Vault to manage secrets in the KV store version 2, you will be able to fetch those secrets dynamically at runtime using Sombra.
Our recommended way of connecting to Vault is by using a sidecar container of the vault-agent. This approach lets the Sombra image focus on Sombra things while having a separate container, created by Hashicorp, that manages authentication to your Vault cluster.
To use this approach, you'll need to set the following env vars:
| Env Var Name | Description | Type | Example |
|---|---|---|---|
| ENABLE_VAULT_FETCHER | Should be true to use vault | boolean | true |
| VAULT_AGENT_URI | The URI of the vault agent. Usually this will be a local address if using a sidecar container | string | http://127.0.0.1:8100 |
The primary environment that can fetch secrets from vault are:
| Env Var Name | Env var of vault path | Env var for secret version | Env var for name of key within the path | Description |
|---|---|---|---|---|
| SOMBRA_JWT_ECDSA_KEY | VAULT_PATH_SOMBRA_JWT_ECDSA_KEY | VAULT_VERSION_SOMBRA_JWT_ECDSA_KEY | VAULT_KEY_SOMBRA_JWT_ECDSA_KEY | The primary encryption key of Sombra when using the built-in KMS |
| SOMBRA_TLS_KEY_PASSPHRASE | VAULT_PATH_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_VERSION_SOMBRA_TLS_KEY_PASSPHRASE | VAULT_KEY_SOMBRA_TLS_KEY_PASSPHRASE | An optional password for the TLS Certificate |
| SOMBRA_TLS_CERT | VAULT_PATH_SOMBRA_TLS_CERT | VAULT_VERSION_SOMBRA_TLS_CERT | VAULT_KEY_SOMBRA_TLS_CERT | The Sombra TLS Certificate, as a base64 encoded string |
| SOMBRA_TLS_KEY | VAULT_PATH_SOMBRA_TLS_KEY | VAULT_VERSION_SOMBRA_TLS_KEY | VAULT_KEY_SOMBRA_TLS_KEY | The Sombra TLS key, as a base64 encoded string |
| TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_PATH_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_VERSION_TRUSTED_CLIENT_CA_CERT_ENCODED | VAULT_KEY_TRUSTED_CLIENT_CA_CERT_ENCODED | The public CA cert from a client who is connecting to the internal sombra over mutual TLS. If set, Sombra will enforce that all incoming requests to non-health routes have a client cert |