HashiCorp Vault
There are two high-level steps to configuring a HashiCorp vault. The first is to set up authentication with the vault and register the vault. The second is to tell DCT how to get the specific engine credentials needed from that registered vault. A single vault can be used for multiple different Delphix Engines.
Vault authentication and registration
First, DCT needs to be able to authenticate with the vault. DCT supports the Token, AppRole, and TLS Certificates authentication methods. Authentication is performed by DCT invoking the HashiCorp CLI with the arguments you supply. It is recommended to first confirm, using the HashiCorp CLI directly, that authentication succeeds and that the credentials can be retrieved, so that the commands passed to DCT are known to be correct.
Adding a vault to DCT is done through API calls to the /v2/management/vaults/hashicorp endpoint. All authentication methods require that the location of the vault be provided through the env_variables property in the POST body. For example:
"env_variables": {
    "VAULT_ADDR": "https://10.119.132.40:8200"
}
Token
To use the token authentication method, the token is supplied as the VAULT_TOKEN entry of the env_variables field. The full example to register the vault would appear as:
curl --location --request POST 'https://<hostname>/dct/v2/management/vaults/hashicorp' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{
    "env_variables": {
        "VAULT_TOKEN": "<your token>",
        "VAULT_ADDR": "https://10.119.132.40:8200"
    }
}'
A response should be received similar to the lines below:
{
    "id": 2,
    "env_variables": {
        "VAULT_TOKEN": "<your token>",
        "VAULT_ADDR": "https://10.119.132.40:8200"
    }
}
Note the id of the vault; it will be needed in the next step, when registering the engine.
AppRole
To use the AppRole authentication method, the login command is supplied as part of the login_command_args field, as shown below:
"login_command_args": [
    "write", "auth/approle/login", "role_id=1", "secret_id=123"
]
The full example to register the vault would appear as:
curl --location --request POST 'https://<hostname>/dct/v2/management/vaults/hashicorp' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{
    "env_variables": {
        "VAULT_ADDR": "https://10.119.132.40:8200"
    },
    "login_command_args": [
        "write", "auth/approle/login", "role_id=1", "secret_id=123"
    ]
}'
A response should be received similar to the lines below:
{
    "id": 2,
    "env_variables": {
        "VAULT_TOKEN": "<your token>",
        "VAULT_ADDR": "https://10.119.132.40:8200"
    }
}
TLS certificates
The configuration of mutual TLS authentication requires an additional step. This feature is currently NOT supported for Kubernetes deployments of DCT; it will be covered in a later release.
Retrieving engine credentials
Once DCT can authenticate with the vault, it needs to know how to fetch the relevant engine credentials. When registering an engine, the user will need to provide the HashiCorp CLI commands through the hashicorp_vault_username_command_args and hashicorp_vault_password_command_args parameters.
The relevant part of the engine registration payload will look like the following:
'{
    "hashicorp_vault_id": 1,
    "hashicorp_vault_username_command_args": ["kv", "get", "-field=username", "kv-v2/delphix-engine-secrets/engineUser"],
    "hashicorp_vault_password_command_args": ["kv", "get", "-field=password", "kv-v2/delphix-engine-secrets/engineUser"]
}'
The hashicorp_vault_id is the id that was returned when the vault was registered in the previous step. Note that the exact paths used to fetch the username and password will vary depending on how the vault is configured.
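The following is an added example, not Delphix or DCT code, covering both steps above: it builds the vault-registration body and the hashicorp_vault_* part of the engine-registration body as Python objects and serialises them with json.dumps so the JSON is always well-formed, checks the registration body for the two mistakes that are easy to make (a non-https VAULT_ADDR, or neither or both of VAULT_TOKEN and login_command_args set), and renders the equivalent HashiCorp `vault` CLI line for any command_args list so a lookup can be tried by hand before it is handed to DCT. The hostname, API key, token, role_id/secret_id and secret path are constructed placeholders.

```python
# Added example (not Delphix/DCT code). Hostname, API key, token,
# role_id/secret_id and the secret path are constructed placeholders.
import json
import shlex


def vault_registration_payload(vault_addr, token=None, login_command_args=None):
    """POST body for /v2/management/vaults/hashicorp.

    Token auth puts VAULT_TOKEN in env_variables; AppRole auth supplies the
    login command in login_command_args instead.
    """
    body = {"env_variables": {"VAULT_ADDR": vault_addr}}
    if token is not None:
        body["env_variables"]["VAULT_TOKEN"] = token
    if login_command_args is not None:
        body["login_command_args"] = list(login_command_args)
    return body


def check_vault_payload(payload):
    """Return a list of problems found in a registration body; empty means ok."""
    problems = []
    env = payload.get("env_variables", {})
    addr = env.get("VAULT_ADDR")
    if not addr:
        problems.append("env_variables.VAULT_ADDR is required for every auth method")
    elif not addr.startswith("https://"):
        problems.append("VAULT_ADDR is not https; the token would cross the network in clear")
    has_token = "VAULT_TOKEN" in env
    has_login = "login_command_args" in payload
    if has_token == has_login:  # neither set, or both set
        problems.append("exactly one of VAULT_TOKEN or login_command_args must be set")
    return problems


def engine_credential_payload(vault_id, secret_path,
                              username_field="username", password_field="password"):
    """hashicorp_vault_* part of the engine registration body for a KV v2
    secret at secret_path that holds both the username and password fields."""
    return {
        "hashicorp_vault_id": vault_id,
        "hashicorp_vault_username_command_args":
            ["kv", "get", f"-field={username_field}", secret_path],
        "hashicorp_vault_password_command_args":
            ["kv", "get", f"-field={password_field}", secret_path],
    }


def cli_equivalent(env_variables, command_args):
    """Shell line reproducing what DCT will run: env_variables as a prefix,
    then `vault` followed by the command arguments, each shell-quoted."""
    prefix = " ".join(f"{k}={shlex.quote(v)}" for k, v in sorted(env_variables.items()))
    return f"{prefix} vault " + " ".join(shlex.quote(a) for a in command_args)


def curl_command(hostname, api_key, payload):
    """curl invocation in the same form as the examples above, with a body
    produced by json.dumps rather than typed by hand."""
    body = json.dumps(payload, indent=2)
    return (f"curl --location --request POST 'https://{hostname}/dct/v2/management/vaults/hashicorp' "
            "--header 'Content-Type: application/json' --header 'Accept: application/json' "
            f"--header 'Authorization: apk {api_key}' --data-raw {shlex.quote(body)}")


if __name__ == "__main__":
    approle = vault_registration_payload(
        "https://10.119.132.40:8200",
        login_command_args=["write", "auth/approle/login", "role_id=1", "secret_id=123"])
    assert not check_vault_payload(approle)
    print(curl_command("dct.example.internal", "<your API key>", approle))
    # What to run by hand first, as recommended above, to confirm the login
    # and the credential lookup work before DCT is asked to run them:
    print(cli_equivalent(approle["env_variables"], approle["login_command_args"]))
    creds = engine_credential_payload(2, "kv-v2/delphix-engine-secrets/engineUser")
    print(cli_equivalent(approle["env_variables"], creds["hashicorp_vault_username_command_args"]))
    print(json.dumps(creds, indent=2))
```

When the rendered CLI line for token authentication is pasted into a shell, the VAULT_TOKEN value ends up in the shell history along with it; exporting VAULT_TOKEN from a file with restrictive permissions and passing only VAULT_ADDR on the line avoids that.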