Maverics supports third-party products that securely store and manage secrets, credentials, and keys. In this section, we will walk through how to use HashiCorp Vault as your secrets provider.
Deploy HashiCorp Vault
To get started, you will first need to download and install HashiCorp Vault.
After setting up a HashiCorp Vault instance, write the secrets Maverics needs to a KV path, attach a policy that grants read access to that path and nothing more, and configure an auth method for Maverics.
The Maverics Orchestrator currently supports authenticating to Vault with AppRole, a TLS client certificate, or a token.
AppRole or TLS certificate auth is recommended: both exchange a credential for a Vault token when the Orchestrator starts, whereas a token written into the configuration is a long-lived bearer credential that you must rotate yourself.
Loading secrets from HashiCorp Vault using AppRole auth
To enable AppRole auth, specify the role_id and secret_id attributes, which Maverics uses to log in to Vault and fetch an access token. The secret_id is the password half of the AppRole credential and must be protected accordingly. It is not required if secret ID binding is disabled on the role (bind_secret_id=false in the Vault AppRole configuration); Vault then authenticates on the role_id alone, so constrain the role some other way, such as with token_bound_cidrs.
To load secrets from HashiCorp Vault over HTTPS, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern. <URL OF INSTANCE> is the host and port of the Vault API, and /secret/data/maverics is the KV version 2 data path of the secret (the /data/ segment is what the KV v2 API expects). Because this file now carries the AppRole credentials, make it readable only by the account the Orchestrator runs as.
MAVERICS_SECRET_PROVIDER='hashivault://<URL OF INSTANCE>/secret/data/maverics?role_id=$ROLE_ID&secret_id=$SECRET_ID'
Maverics will load the necessary secrets from the vault and make them accessible to the runtime.
Loading secrets from HashiCorp Vault using TLS certificate auth
To enable TLS certificate auth on a Linux or Unix environment, specify the ca_cert, client_cert and client_key attributes, which are used to fetch a Vault access token: ca_cert is the CA bundle used to verify the Vault server's certificate, and client_cert and client_key are the PEM certificate and private key presented to Vault's cert auth method during the TLS handshake. You may optionally specify cert_name to explicitly identify the certificate role registered in Vault's cert auth method that should be used for authentication, which matters when more than one is configured. Keep the client_key file readable only by the account the Orchestrator runs as.
To load secrets from HashiCorp Vault over HTTPS, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern:
MAVERICS_SECRET_PROVIDER='hashivault://<URL OF INSTANCE>/secret/data/maverics?ca_cert=/path/to/certs/vault-ca.pem&client_cert=/path/to/certs/vault-cert.pem&client_key=/path/to/certs/vault-key.pem&cert_name=web'
Maverics will load the necessary secrets from the vault and make them accessible to the runtime.
Loading certificates from the Windows Store
If you wish to load a certificate from the Windows certificate store, you can identify the auth certificate or root CA by its thumbprint (the 40-character hex SHA-1 thumbprint shown in the certificate's details) or by its subject. For the authentication certificate, use the win_cert_thumbprint or win_cert_subject parameters. For the root CA, use the win_root_ca_thumbprint or win_root_ca_subject parameters. If you provide neither a root CA thumbprint or subject nor a ca_cert file, the default system certificate store is used to verify the Vault server.
Example with thumbprint:
MAVERICS_SECRET_PROVIDER="hashivault://<URL OF INSTANCE>/secret/data/maverics?win_cert_thumbprint=1234567890ABCDEF1234567890ABCDEF12345678&win_root_ca_thumbprint=1234567890ABCDEF1234567890ABCDEF12345678"
With subject:
MAVERICS_SECRET_PROVIDER="hashivault://<URL OF INSTANCE>/secret/data/maverics?win_cert_subject=cert.example.com&win_root_ca_subject=ca.example.com"
Loading secrets from HashiCorp Vault using Token auth
To enable token auth, specify the token attribute, which holds the Vault token used directly to read the secrets; no login exchange takes place. Because that token is a long-lived bearer credential stored in the env file, prefer AppRole or TLS certificate auth in production. If you do use a token, issue it against a policy that can only read the Maverics secret path, give it a TTL, and plan for its renewal or rotation.
To load secrets from HashiCorp Vault over HTTPS, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern:
MAVERICS_SECRET_PROVIDER='hashivault://<URL OF INSTANCE>/secret/data/maverics?token=$ACCESS_TOKEN'
Maverics will load the necessary secrets from the vault and make them accessible to the runtime.
Loading secrets from a specific namespace in HashiCorp Vault
For secrets stored in a namespace, specify the namespace attribute as a query parameter of the HashiCorp Vault address; for a nested namespace, give the full path, as in admin/my-namespace below. Note that at the time of this writing, namespaces are only available in the Vault Enterprise edition.
MAVERICS_SECRET_PROVIDER='hashivault://<URL OF INSTANCE>/secret/data/maverics?role_id=$ROLE_ID&secret_id=$SECRET_ID&namespace=admin/my-namespace'
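The following is an added example, not Maverics code and not part of the original page. It is a small standard-library Python script that resolves a MAVERICS_SECRET_PROVIDER value the way the AppRole, TLS certificate, token and namespace sections above describe: it parses the hashivault:// URL, logs in with the configured method, reads the KV v2 path and returns the key/value pairs, so you can confirm that the role, certificate or token and the policy behind it actually yield the secrets before restarting the Orchestrator. It uses Vault's public HTTP API (auth/approle/login, auth/cert/login, the X-Vault-Token and X-Vault-Namespace headers, and the data.data wrapper of a KV v2 read). Three things are assumptions not stated on the page: that <URL OF INSTANCE> is a host:port reached over HTTPS, that $NAME values in the query string are expanded from the environment, and that certificate auth uses PEM files (the Windows certificate store parameters are not handled here).

```python
"""Added example (not Maverics code): resolve a MAVERICS_SECRET_PROVIDER value
and read the secrets it points at, using only the standard library.
Assumed here: <URL OF INSTANCE> is host:port reached over HTTPS, $NAME query
values are expanded from the environment, and cert auth uses PEM files."""
import json
import os
import ssl
import urllib.request
from urllib.parse import parse_qs, urlsplit


def parse_provider_url(url):
    """Split hashivault://host:port/secret/data/maverics?k=v into its parts."""
    parts = urlsplit(url)
    if parts.scheme != "hashivault":
        raise ValueError("expected a hashivault:// URL, got scheme %r" % parts.scheme)
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        value = values[-1]
        if value.startswith("$"):  # $ROLE_ID / $SECRET_ID / $ACCESS_TOKEN references (assumption)
            value = os.environ.get(value[1:], "")
        params[key] = value
    return {
        "addr": "https://" + parts.netloc,   # Vault API base; HTTPS assumed
        "kv_path": parts.path.lstrip("/"),   # e.g. secret/data/maverics, the KV v2 data path
        "params": params,
    }


def select_auth(params):
    """Map the query parameters onto one of the three auth methods described on the page."""
    if "token" in params:
        return "token"
    if "role_id" in params:
        return "approle"
    if "client_cert" in params:
        return "cert"
    raise ValueError("no auth parameters found (expected token, role_id, or client_cert)")


def build_ssl_context(params):
    """Verify the server against ca_cert (or the system store) and present the client cert, if any."""
    ctx = ssl.create_default_context(cafile=params.get("ca_cert"))
    if "client_cert" in params:
        ctx.load_cert_chain(params["client_cert"], params.get("client_key"))
    return ctx


def vault_request(addr, method, path, token=None, body=None, namespace=None, ctx=None):
    """One call against Vault's HTTP API; the namespace parameter becomes a request header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + "/v1/" + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def login(cfg, ctx):
    """Exchange the configured credential for a Vault token (a token parameter is used as-is)."""
    p, ns = cfg["params"], cfg["params"].get("namespace")
    method = select_auth(p)
    if method == "token":
        return p["token"]
    if method == "approle":
        body = {"role_id": p["role_id"]}
        if p.get("secret_id"):              # omitted when the role has bind_secret_id=false
            body["secret_id"] = p["secret_id"]
        resp = vault_request(cfg["addr"], "POST", "auth/approle/login", body=body, namespace=ns, ctx=ctx)
    else:                                   # cert: the TLS client certificate is the credential
        body = {"name": p["cert_name"]} if p.get("cert_name") else {}
        resp = vault_request(cfg["addr"], "POST", "auth/cert/login", body=body, namespace=ns, ctx=ctx)
    return resp["auth"]["client_token"]


def extract_kv2_secrets(read_response):
    """A KV v2 read nests the pairs under data.data; a deleted or destroyed version leaves it null."""
    payload = (read_response.get("data") or {}).get("data")
    if not payload:
        raise LookupError("path has no live secret version (deleted, destroyed, or never written)")
    return dict(payload)


def fetch_secrets(provider_url):
    cfg = parse_provider_url(provider_url)
    ctx = build_ssl_context(cfg["params"])
    token = login(cfg, ctx)
    resp = vault_request(cfg["addr"], "GET", cfg["kv_path"], token=token,
                         namespace=cfg["params"].get("namespace"), ctx=ctx)
    return extract_kv2_secrets(resp)


if __name__ == "__main__":
    names = sorted(fetch_secrets(os.environ["MAVERICS_SECRET_PROVIDER"]))
    print("loaded %d secret(s): %s" % (len(names), ", ".join(names)))  # names only, never the values
```

Run it on the Orchestrator host with MAVERICS_SECRET_PROVIDER exported (and ROLE_ID, SECRET_ID or ACCESS_TOKEN set, if the value references them). It prints only the secret names, so it is safe to leave in a shell history; a 403 from Vault points at the policy, a 404 with an empty data.data at the KV path or a deleted version, and a TLS error at ca_cert or the client certificate.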