SaltStack Support

How to provide Redis and DB credentials to SSE from Vault

Enabling SaltStack Enterprise to use Vault for its Redis and database credentials requires the following steps:

  1. Configure SaltStack Enterprise to use environment variables for its credentials.
  2. Install and configure the Vaultenv tool.
  3. Insert Redis and database credentials into Vault.
  4. Create a vaultenv raas configuration file.
  5. Launch raas via the Vaultenv tool.

This document assumes you have HashiCorp’s Vault installed and running somewhere in your environment and are familiar with its operation. See www.vaultproject.io for more information.

Configure SaltStack Enterprise to use environment variables for its credentials

The Vaultenv tool launches programs with environment variables set to HashiCorp Vault secrets. The first step to enable this for SaltStack Enterprise is to edit the Raas configuration file so that it reads its SQL and Redis credentials from environment variables.

Use the following settings in /etc/raas/raas for sql and redis.

# /etc/raas/raas

...

sql:
  url: ENV

redis:
  url: ENV

...

This causes SaltStack Enterprise to look for these values in the environment variables DATABASE_URL and REDIS_URL respectively.

Note: For SQL, all of the credential components are passed in a single string in the form: postgres://user:password@db_host:port/raas_db_name.

Therefore, the following sql settings will be redundant and should be deleted from /etc/raas/raas.

sql:
  username: user        # delete this line
  password: password    # delete this line
  host: db_host         # delete this line
  port: 5432            # delete this line

Install and configure the vaultenv tool

Install Vaultenv

Vaultenv binaries are available from github. To install the latest release at this writing, 0.13.1, run the following.

$ wget https://github.com/channable/vaultenv/releases/download/v0.13.1/vaultenv-0.13.1-linux-musl -O /usr/local/bin/vaultenv
$ chmod a+x /usr/local/bin/vaultenv

Configure Vaultenv

Vaultenv is configured via the /etc/vaultenv.conf file. The file is optional as all of Vaultenv’s settings can be specified as command line arguments. Many settings are optional and have workable default values. Some however, such as VAULT_TOKEN, need to be supplied; either on the command line or in the configuration file. See vaultenv --help for a full list.

A sample vaultenv.conf file might be as follows.

# /etc/vaultenv.conf
# Also: comments are allowed if they start with ‘#‘.

VAULT_TOKEN="foo"
VAULT_ADDR="https://vault:8200"

Next, because /etc/vaultenv.conf contains a token, it should be locked down, but must remain readable by the raas user.

One way of doing so is updating its group to raas, and changing its access controls so that it is readable only by root and the raas group as follows.

$ chown root:raas /etc/vaultenv.conf
$ chmod 640 /etc/vaultenv.conf

Insert Redis and database credentials into Vault

Write the Redis and SQL credentials into Vault:

$ vault kv put secret/sse redis_url="redis://:secret@example.com:6379"
$ vault kv patch secret/sse database_url="postgres://user:secret@localhost:5432/raas_db_name"

For raas_db_name above the database name is raas_CUSTOMERID, where CUSTOMERID is the setting of customer_id in the raas configuration file, hyphens removed. The default customer id is 43cab1f4-de60-4ab1-85b5-1d883c5c5d09, making the default raas database name raas_43cab1f4de604ab185b51d883c5c5d09.

Create a Vaultenv raas configuration file

In the /var/lib/raas/ directory, create a file named raas.secrets. This file tells Vaultenv which secrets to retrieve from Vault and which environment variables to put them in. In the sample file below, redis_url and database_url will be retrieved from the Vault where the secrets were stored earlier, using prefix secret and path sse, storing them in the REDIS_URL and DATABASE_URL environment variables.

# /var/lib/raas/raas.secrets

VERSION 2

MOUNT secret
REDIS_URL=sse#redis_url
DATABASE_URL=sse#database_url

Launch SaltStack Enterprise via the Vaultenv tool

Configure the raas service to be started by Vaultenv with the proper environment variables set from Vault with the following steps:

Stop the raas service

$ systemctl stop raas

Create a service override file

$ systemctl edit raas

Add the following content to have raas start via Vaultenv:

[Service]
ExecStart=
ExecStart=/usr/local/bin/vaultenv --secrets-file /var/lib/raas/raas.secrets /usr/bin/raas

Restart raas

$ systemctl daemon-reload
$ systemctl start raas

Related articles