Step 3 - Add secrets to Vault
3.1 Create Dynamic Group and IAM Policy
The Dynamic Group matches the OKE cluster nodes in the compartment, and the IAM Policy grants that group read access to the secret family, scoped to the one vault by target.vault.id. Together they let the nodes sync Vault secrets into Kubernetes secrets.
Replace <dynamic-group-name>, <iam-policy-name> and <oracle-compartment-name> with appropriate values for your environment. ${compartment_ocid} and ${vault_ocid} are shell variables holding the compartment OCID and the vault OCID.
oci iam dynamic-group create --name "<dynamic-group-name>" \
--description "Dynamic Group for OKE cluster nodes" \
--matching-rule "instance.compartment.id='${compartment_ocid}'"
oci iam policy create -c ${compartment_ocid} --name '<iam-policy-name>' \
--description "Oracle vault secrets access for OKE" \
--statements "[\"Allow dynamic-group <dynamic-group-name> to read secret-family in compartment <oracle-compartment-name> where target.vault.id='${vault_ocid}'\"]"
3.2 Add MongoDB passwords to the Vault secret
Note: if you do not plan to manage policies or use the Asynchronous API, you can skip this step.
To allow the Glasswall Halo Policy Management API to create and manage policies in MongoDB, and the Asynchronous API to process requests, MongoDB must be deployed using Helm charts.
The MongoDB Helm chart creates two users. The passwords for these users must be stored in a Vault secret.
Sensitive data, such as passwords, must be stored as key value pairs in JSON format within the Vault secret.
If passwords from multiple steps are required, create a single JSON object containing all passwords or update the existing JSON object with the additional values.
{
"mongodb-cdrp-password": "",
"mongodb-admin-password": ""
}
3.3 [Optional] Add ReversingLabs credentials
To integrate Halo with ReversingLabs, store the ReversingLabs credentials in the Vault secret as additional keys of the same JSON object.
{
"reversinglabs_username": "",
"reversinglabs_password": ""
}
3.4 [Optional] Add ICAP mTLS certificates
ICAP servers can be configured for mutual client authentication using mTLS certificates.
The certificates are mounted to the ICAP server pods as Kubernetes secrets. Add the server certificates and certificate authority certificates to Oracle Vault so they can be synced to Kubernetes secrets.
{
"tls-server-cert": "<content of mtls-server-cert.pem>",
"tls-server-key": "<content of mtls-server-key.pem>",
"tls-cafile": "<content of mtls-ca-cert.pem>"
}
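Sections 3.2 and 3.4 say the passwords and PEM certificates go into one JSON object that is updated as steps are added. The following helper, added here as an example and not part of the Glasswall deployment guide, merges new keys into the existing secret content, rejects blank values and PEM keys that hold a file path instead of the certificate text, and produces the base64 string for the OCI CLI. The subcommand named in the comment (oci vault secret update-base64 with --secret-content-content) is an assumption about the CLI, not something this page states.

```python
import base64
import json

# Keys this guide expects in the single Vault secret (sections 3.2 and 3.4).
MONGODB_KEYS = ("mongodb-cdrp-password", "mongodb-admin-password")
PEM_KEYS = ("tls-server-cert", "tls-server-key", "tls-cafile")


def is_valid_secret_value(key: str, value) -> bool:
    """A value must be a non-empty string; the mTLS keys from 3.4 must carry
    the PEM text itself, not the path of the .pem file."""
    if not isinstance(value, str) or not value.strip():
        return False
    if key in PEM_KEYS:
        return value.startswith("-----BEGIN ") and "-----END " in value
    return True


def merge_secret_payload(existing_json: str, new_values: dict) -> dict:
    """Update the JSON object already stored in the secret (3.2) with
    additional keys, e.g. the ReversingLabs credentials from 3.3."""
    payload = json.loads(existing_json) if existing_json else {}
    if not isinstance(payload, dict):
        raise ValueError("secret content must be a JSON object")
    for key, value in new_values.items():
        if not is_valid_secret_value(key, value):
            raise ValueError(f"{key}: empty value or PEM key without PEM content")
        payload[key] = value
    return payload


def missing_mongodb_keys(payload: dict) -> list:
    """Keys from 3.2 that are absent or blank; both Helm chart users need one."""
    return [k for k in MONGODB_KEYS if not str(payload.get(k, "")).strip()]


def to_secret_content(payload: dict) -> str:
    """Base64 of the JSON text, the form assumed for
    'oci vault secret update-base64 --secret-content-content'."""
    return base64.b64encode(json.dumps(payload, indent=2).encode()).decode()


if __name__ == "__main__":
    # Constructed sample: the secret after 3.2, then the 3.3 credentials added.
    existing = '{"mongodb-cdrp-password": "cdrp-pw", "mongodb-admin-password": "admin-pw"}'
    merged = merge_secret_payload(existing, {"reversinglabs_username": "rl-user",
                                             "reversinglabs_password": "rl-pw"})
    print("missing MongoDB keys:", missing_mongodb_keys(merged))
    print(to_secret_content(merged))
```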