Step 3 - Add secrets to Vault

    3.1 - Create Dynamic Group and IAM Policy

    Together, the Dynamic Group and IAM Policy grant the OKE cluster nodes permission to read the Vault secret and sync it into Kubernetes.

    Replace <dynamic-group-name>, <iam-policy-name> and <oracle-compartment-name> with the appropriate values. The shell variables ${compartment_ocid} and ${vault_ocid} must already hold the OCIDs of the compartment and the Vault.

    oci iam dynamic-group create --name "<dynamic-group-name>" \
    --description "Dynamic Group for OKE cluster nodes" \
    --matching-rule "instance.compartment.id='${compartment_ocid}'"
    
    oci iam policy create -c ${compartment_ocid} --name '<iam-policy-name>' \
    --description "Oracle vault secrets access for OKE" \
    --statements "[\"Allow dynamic-group <dynamic-group-name> to read secret-family in compartment <oracle-compartment-name> where target.vault.id='${vault_ocid}'\"]"

    3.2 - Add the MongoDB passwords to Vault secret

    Note: if you do not wish to manage policies or use the Asynchronous API, you can skip this step.

    To enable Glasswall Halo's Policy API to create and manage policies in MongoDB, and its Async API to create and manage requests, MongoDB must be deployed using Helm charts.

    The MongoDB Helm chart creates two users, and each user's password must be set in the Vault secret.

    Sensitive data, such as passwords, must be stored in the Vault secret as key-value pairs in JSON format:

    {
        "mongodb-cdrp-password": "",
        "mongodb-admin-password": ""
    }

    3.3 - Menlo API Key

    To enable API-key-based authentication for the Menlo API, add a secret menlo-api-key containing the API key you want to use:

    {
        "menlo-api-key": "<strong-api-key>"
    }
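    As an added example (not part of this article or the Glasswall deployment), a small POSIX shell helper that builds the JSON secret content described in 3.2 and 3.3, refuses to encode a document that still carries an empty "" placeholder value, and base64-encodes the result on a single line in the form that oci vault secret create-base64 --secret-content-content expects. The function names and the use of /dev/urandom for password generation are assumptions; the secret values below are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example: build and encode the Vault secret content for the MongoDB
# passwords and the Menlo API key. Assumes POSIX sh, coreutils (base64, tr,
# head, sed) and /dev/urandom. Function names are hypothetical.

# Generate a random alphanumeric password of the requested length (default 32).
gen_password() {
    len="${1:-32}"
    head -c 256 /dev/urandom | base64 | tr -d '/+=\n' | head -c "$len"
}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build a flat JSON object from key=value arguments, e.g.
#   build_secret_json 'mongodb-cdrp-password=...' 'mongodb-admin-password=...'
build_secret_json() {
    out='{'
    sep=''
    for pair in "$@"; do
        key="${pair%%=*}"
        val="${pair#*=}"
        out="$out$sep\"$(json_escape "$key")\":\"$(json_escape "$val")\""
        sep=','
    done
    printf '%s' "$out}"
}

# Fail (non-zero) if any value in the document is the empty "" placeholder
# from the template, so an unset password is never written to the Vault.
check_no_empty_values() {
    case "$1" in
        *':""'*) return 1 ;;
    esac
    return 0
}

# Base64-encode the JSON on one line, ready for:
#   oci vault secret create-base64 ... --secret-content-content "$(encode_secret_content "$json")"
encode_secret_content() {
    check_no_empty_values "$1" || {
        echo "refusing to encode a secret that still has an empty value" >&2
        return 1
    }
    printf '%s' "$1" | base64 | tr -d '\n'
}
```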
