Console terminology: In the Maverics Console, Orchestrator instances and
configuration delivery are managed through Deployments. When working directly
with YAML, configuration is managed as files delivered via the
-config flag or
MAVERICS_CONFIG environment variable.Overview
When configured with the HashiCorp Vault provider, the Orchestrator authenticates to Vault at startup and retrieves secrets on demand as they are referenced in configuration. The provider supports multiple authentication methods including token-based, AppRole (for machine-to-machine), and TLS certificate authentication. Secrets are read from Vault’s KV secrets engine using configurable mount paths and secret paths.Use Cases
- Centralized secrets with audit trail — store all Orchestrator secrets in Vault with full audit logging of every access event
- Dynamic secrets for database credentials — use Vault’s dynamic secrets engines to generate short-lived database credentials
- PKI certificate management — issue and rotate TLS certificates through Vault’s PKI secrets engine
Configuration
Secret providers are not configured in YAML. They are set via theMAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.
- Console UI
- Configuration
Console UI documentation is coming soon. This section will walk you
through configuring this component using the Maverics Console’s visual
interface, including step-by-step screenshots and field descriptions.
Configuration via Environment Variable
Configuration via CLI Flag
Use
hashivault:// for HTTP connections or hashivaults:// for HTTPS (TLS)
connections to the Vault server.Referencing Secrets in YAML
Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax:maverics) maps to the secret path configured in the URL, and the key (client_secret) maps to the key within that secret.
Configuration Reference
URL Structure
URL Parameters
| Parameter | Required | Description |
|---|---|---|
| URL host + port | Yes | Vault server address (e.g., vault.example.com:8200) |
| URL path | Yes | Secret engine mount path and secret path (e.g., /secret/data/maverics) |
token | Conditional | Vault token for token authentication |
role_id | Conditional | AppRole role ID (requires secret_id) |
secret_id | Conditional | AppRole secret ID (requires role_id) |
ca_cert | No | Path to CA certificate file for Vault TLS verification |
client_cert | No | Path to client certificate for mutual TLS |
client_key | No | Path to client key for mutual TLS |
cert_name | No | Certificate name for TLS cert authentication |
win_cert_thumbprint | No | Windows certificate store thumbprint |
win_cert_subject | No | Windows certificate store subject |
win_root_ca_thumbprint | No | Windows root CA thumbprint |
win_root_ca_subject | No | Windows root CA subject |
Provide one of the following authentication methods:
token, role_id +
secret_id, or client_cert + client_key + cert_name. AppRole is
recommended for production machine-to-machine authentication.Troubleshooting
“permission denied” errors from Vault Verify that the token or AppRole credentials have a Vault policy grantingread access to the configured secret path. Check the Vault audit log for the denied request.
“connection refused” when starting the Orchestrator
Confirm the Vault server address and port are correct. If using hashivaults://, ensure the Vault server has TLS enabled and the CA certificate is trusted (use ca_cert if needed).
Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the key names stored in Vault. The namespace in <namespace.key> must match the path segment in the secret provider URL, and the key must exist in that Vault secret.