How to provide Redis and DB credentials to SSE from Vault
Enabling SaltStack Enterprise to use Vault for its Redis and database credentials requires the following steps:
- Configure SaltStack Enterprise to use environment variables for its credentials.
- Install and configure the Vaultenv tool.
- Insert Redis and database credentials into Vault.
- Create a vaultenv raas configuration file.
- Launch raas via the Vaultenv tool.
This document assumes you have HashiCorp’s Vault installed and running somewhere in your environment and are familiar with its operation. See www.vaultproject.io for more information.
Configure SaltStack Enterprise to use environment variables for its credentials
The Vaultenv tool launches programs with environment variables set to HashiCorp Vault secrets. The first step to enable this for SaltStack Enterprise is to edit the Raas configuration file so that it reads its SQL and Redis credentials from environment variables.
Use the following settings in /etc/raas/raas for sql and redis.
# /etc/raas/raas
...
sql:
  url: ENV
redis:
  url: ENV
...
This causes SaltStack Enterprise to look for these values in the environment variables DATABASE_URL and REDIS_URL respectively.
Note: For SQL, all of the credential components are passed in a single string in the form postgres://user:password@db_host:port/raas_db_name. Therefore, the following sql settings are redundant and should be deleted from /etc/raas/raas.
sql:
  username: user # delete this line
  password: password # delete this line
  host: db_host # delete this line
  port: 5432 # delete this line
Install and configure the vaultenv tool
Install Vaultenv
Vaultenv binaries are available from github. To install the latest release at this writing, 0.13.1, run the following.
$ wget https://github.com/channable/vaultenv/releases/download/v0.13.1/vaultenv-0.13.1-linux-musl -O /usr/local/bin/vaultenv
$ chmod a+x /usr/local/bin/vaultenv
Configure Vaultenv
Vaultenv is configured via the /etc/vaultenv.conf file. The file is optional, as all of Vaultenv's settings can be specified as command line arguments. Many settings are optional and have workable default values. Some, however, such as VAULT_TOKEN, need to be supplied, either on the command line or in the configuration file. See vaultenv --help for a full list.
A sample vaultenv.conf file might be as follows.
# /etc/vaultenv.conf
# Also: comments are allowed if they start with '#'.
VAULT_TOKEN="foo"
VAULT_ADDR="https://vault:8200"
Next, because /etc/vaultenv.conf contains a token, it should be locked down, but must remain readable by the raas user. One way of doing so is updating its group to raas and changing its access controls so that it is readable only by root and the raas group, as follows.
$ chown root:raas /etc/vaultenv.conf
$ chmod 640 /etc/vaultenv.conf
Insert Redis and database credentials into Vault
Write the Redis and SQL credentials into Vault:
$ vault kv put secret/sse redis_url="redis://:secret@example.com:6379"
$ vault kv patch secret/sse database_url="postgres://user:secret@localhost:5432/raas_db_name"
For raas_db_name above, the database name is raas_CUSTOMERID, where CUSTOMERID is the setting of customer_id in the raas configuration file with hyphens removed. The default customer id is 43cab1f4-de60-4ab1-85b5-1d883c5c5d09, making the default raas database name raas_43cab1f4de604ab185b51d883c5c5d09.
Create a Vaultenv raas configuration file
In the /var/lib/raas/ directory, create a file named raas.secrets. This file tells Vaultenv which secrets to retrieve from Vault and which environment variables to put them in. In the sample file below, redis_url and database_url will be retrieved from the Vault where the secrets were stored earlier, using the mount secret and path sse, and placed in the REDIS_URL and DATABASE_URL environment variables.
# /var/lib/raas/raas.secrets
VERSION 2
MOUNT secret
REDIS_URL=sse#redis_url
DATABASE_URL=sse#database_url
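As an added example (not part of this page nor of the vaultenv or raas projects), the following POSIX shell script parses a version-2 secrets file in the format above and prints, for each variable, the vault kv get command that reads the same field, so the Vault-side mapping can be checked by hand before raas is restarted under Vaultenv; it also derives the raas database name from a customer_id as described in the previous section. The function names are this example's own, and it assumes only the VERSION, MOUNT and VAR=path#field lines shown in the sample occur.

```shell
#!/bin/sh
# Added example, not code from vaultenv or raas. Handles only the VERSION, MOUNT
# and VAR=path#field lines shown in this document's raas.secrets sample.

# raas_db_name CUSTOMER_ID -> "raas_" followed by customer_id with hyphens removed
raas_db_name() {
  printf 'raas_%s\n' "$(printf '%s' "$1" | tr -d '-')"
}

# secrets_to_vault_cmds FILE
# For each VAR=path#field line, print: "VAR vault kv get -field=field MOUNT/path"
# Returns 1 on a line that is not in the expected form.
secrets_to_vault_cmds() {
  mount=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|VERSION*) continue ;;               # blank, comment, version header
      MOUNT*) mount="${line#MOUNT }"; continue ;; # KV mount point, e.g. "secret"
      *=*'#'*)
        var="${line%%=*}"                         # environment variable name
        rest="${line#*=}"
        path="${rest%%#*}"                        # path below the mount, e.g. "sse"
        field="${rest#*#}"                        # key inside that secret
        printf '%s vault kv get -field=%s %s/%s\n' "$var" "$field" "$mount" "$path"
        ;;
      *) printf 'unrecognised line: %s\n' "$line" >&2; return 1 ;;
    esac
  done < "$1"
}

# Constructed sample matching the raas.secrets file shown above.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# /var/lib/raas/raas.secrets
VERSION 2
MOUNT secret
REDIS_URL=sse#redis_url
DATABASE_URL=sse#database_url
EOF
secrets_to_vault_cmds "$sample"
rm -f "$sample"
raas_db_name 43cab1f4-de60-4ab1-85b5-1d883c5c5d09
```

Running the printed vault kv get commands with the same VAULT_ADDR and VAULT_TOKEN that /etc/vaultenv.conf supplies confirms both secrets resolve before the service is switched over.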
Launch SaltStack Enterprise via the Vaultenv tool
Configure the raas service to be started by Vaultenv with the proper environment variables set from Vault with the following steps:
Stop the raas service
$ systemctl stop raas
Create a service override file
$ systemctl edit raas
Add the following content to have raas start via Vaultenv:
[Service]
ExecStart=
ExecStart=/usr/local/bin/vaultenv --secrets-file /var/lib/raas/raas.secrets /usr/bin/raas
Restart raas
$ systemctl daemon-reload
$ systemctl start raas