Step 3 - Add secrets to Vault

    3.1 - Create Dynamic Group and IAM Policy

    Together, the Dynamic Group and IAM Policy grant the OKE cluster nodes permission to read the Vault secret and sync it to Kubernetes.

    Replace <dynamic-group-name> and <iam-policy-name> with an appropriate value for each.

    oci iam dynamic-group create --name "<dynamic-group-name>" \
    --description "Dynamic Group for OKE cluster nodes" \
    --matching-rule "instance.compartment.id='${compartment_ocid}'"
    
    oci iam policy create -c ${compartment_ocid} --name '<iam-policy-name>' \
    --description "Oracle vault secrets access for OKE" \
    --statements "[\"Allow dynamic-group <dynamic-group-name> to read secret-family in compartment <oracle-compartment-name> where target.vault.id='${vault_ocid}'\"]"

    3.2 - Add the MongoDB passwords to Vault secret

    Note: if you do not wish to manage policies or use the Asynchronous API, you can skip this step.

    To let Glasswall Halo's Policy API create and manage policies in MongoDB, and the Async API create and manage requests, MongoDB must be deployed using the Helm charts.

    The MongoDB Helm chart creates two users, and each user's password must be set in the Vault secret.

    Sensitive data, such as passwords, should be stored as key-value pairs in JSON format in the Vault secret.

    When passwords from multiple steps need to be set up, create a single JSON document containing all of them, or update the existing JSON with the new passwords.

    {
        "mongodb-cdrp-password": "",
        "mongodb-admin-password": ""
    }

    3.3 - Menlo API Key

    To enable API-key-based authentication in the Menlo API, add the key menlo-api-key to the secret JSON, holding the API key you want to use.

    {
        "menlo-api-key": "<strong-api-key>"
    }

    3.4 - Add ReversingLabs credentials

    To integrate Glasswall Halo with ReversingLabs, add the ReversingLabs credentials to the Vault secret.

    {
        "reversinglabs_username": "",
        "reversinglabs_password": ""
    }

    3.5 - [Optional] Add ICAP MTLS certificates

    ICAP servers can be configured for mutual TLS (mTLS) client authentication. The certificates are mounted into the ICAP server pods from Kubernetes secrets, so add the server certificate, its private key and the certificate authority certificate to the Oracle Vault so that they can be synced to Kubernetes secrets.

    { 
        "tls-server-cert": "<content of mtls-server-cert.pem>",
        "tls-server-key": "<content of mtls-server-key.pem>",
        "tls-cafile": "<content of mtls-ca-cert.pem>"
    }
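    Added example (not from this page or from Glasswall): a small Python helper that merges the per-step key/value pairs from 3.2 to 3.5 into the single JSON document the Vault secret holds, refuses to silently overwrite a value that is already set, checks that the keys for the steps you deploy are filled in (and that the mTLS entries hold PEM content rather than a file path), and base64-encodes the result. The oci CLI subcommands named in the comments are assumptions, not commands shown on this page.

```python
import base64
import json

# Keys each step on this page expects in the single Vault secret JSON.
STEP_KEYS = {
    "3.2 MongoDB": ["mongodb-cdrp-password", "mongodb-admin-password"],
    "3.3 Menlo": ["menlo-api-key"],
    "3.4 ReversingLabs": ["reversinglabs_username", "reversinglabs_password"],
    "3.5 ICAP mTLS": ["tls-server-cert", "tls-server-key", "tls-cafile"],
}
PEM_KEYS = ("tls-server-cert", "tls-server-key", "tls-cafile")


def merge_secret_json(existing_json, new_values):
    """Merge new key/value pairs into the existing secret JSON document.
    Empty placeholders ("") may be filled in; a different non-empty value
    already present is never overwritten silently."""
    doc = json.loads(existing_json) if existing_json else {}
    for key, value in new_values.items():
        if doc.get(key) and doc[key] != value:
            raise ValueError(f"refusing to overwrite existing value for {key}")
        doc[key] = value
    return doc


def validate_secret_doc(doc, steps):
    """Return problems for the steps you intend to deploy (empty list = OK)."""
    problems = []
    for step in steps:
        for key in STEP_KEYS[step]:
            value = doc.get(key, "")
            if not value:
                problems.append(f"{step}: {key} is empty or missing")
            elif key in PEM_KEYS and not value.startswith("-----BEGIN "):
                # A file path pasted instead of the file's content is a common slip.
                problems.append(f"{step}: {key} must hold PEM content, not a path")
    return problems


def encode_for_vault(doc):
    """Base64 of compact JSON: the value to hand to the oci CLI (assumed, not on
    this page: `oci vault secret create-base64` / `update-base64`)."""
    return base64.b64encode(json.dumps(doc, sort_keys=True).encode()).decode()


def decode_from_vault(b64):
    """Inverse of encode_for_vault, e.g. for the content of an existing bundle."""
    return json.loads(base64.b64decode(b64))
```

    Run validate_secret_doc only for the steps you actually deploy; an empty list means the document is complete for those steps and can be encoded and uploaded.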
