Integrate Edge with a HashiCorp Vault

You can integrate your Edge site with your existing HashiCorp Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.

Note There are a few limitations with the HashiCorp Vault integration:
  • Forward proxies are not supported for HashiCorp Vault integrations. You must have a direct connection to your HashiCorp Vault.
  • HashiCorp Vault passwords are formatted as a map structure, in key/value pairs, for the two supported database engines.

Use the steps below based on your vault authentication method for Edge sites installed on bunlded k3s.

You can integrate your Edge site with your HashiCorp Vault using one of the following authentication methods:

Username and password authentication

Prerequisites

On your local server

  • You installed your Edge site.
  • You installed and configured the Edge CLI tool.
  • You have access to the data source that will use the vault credentials.

In your Collibra environment

In your vault platform

  • You have a HashiCorp Vault.
  • You or another user can administer HashiCorp Vault secrets. This includes the ability to do the following in your HashiCorp Vault:
    • Create
    • Edit
    • Delete
    • Rotate credentials
  • You or another user have read credentials to the Authentication method and the HashiCorp Vault secret engine.
  • If you use a --caPath, it must be in the X.509 format (PEM encoded).

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the username and password authentication method:
    Copy
    sudo ./edgecli vault create hashicorp user-pass "<name>" \
      --desc "<description>" \
      --user "<username>" \
      --pass "<password>" \
      --caPath "<caPath>" \
      --url "<url>"
      --vaultNamespace "<vaultNamespace>"
    sudo ./edgecli vault create hashicorp user-pass "Hasicorp-Vault-Username-Password-AuthN" \
  --desc "HashiCorp vault with user-pass authentication." \
  --user "my-edge-site" \
  --pass "EdgePass123" \
  --caPath "~/hashicorp/vault/ca.pem" \
  --url "https://hashicorp-vault.edge.collibra/" \
  --vaultNamespace "HashiCorp vault 45"
    Copy
    ./edgecli vault create hashicorp user-pass "<name>" \
      --desc "<description>" \
      --user "<username>" \
      --pass "<password>" \
      --caPath "<caPath>" \
      --url "<url>"
      --vaultNamespace "<vaultNamespace>"
    ./edgecli vault create hashicorp user-pass "Hasicorp-Vault-Username-Password-AuthN" \
  --desc "HashiCorp vault with user-pass authentication." \
  --user "my-edge-site" \
  --pass "EdgePass123" \
  --caPath "~/hashicorp/vault/ca.pem" \
  --url "https://hashicorp-vault.edge.collibra/" \
  --vaultNamespace "HashiCorp vault 45"
    CommandDescription
    <name> (required)The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <description> (optional)The description of the vault instance. The maximum character length is 150.
    <user> (required)The username for your vault.
    <pass> (required)The password for your vault.
    <caPath> (optional)The file containing the Certificate Authority.
    If you use --caPath it must be in the PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It will not be required if the HTTP endpoint is used for the Username/Password authentication. The HTTP endpoint is used for the Username/Password authentication.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional)A unique namespace in your vault.
  2. Go to your Edge site to confirm the new vault is available in the Vaults tab.

TLS authentication

Prerequisites

On your local server

  • You installed your Edge site.
  • You installed and configured the Edge CLI tool.
  • You have access to the data source that will use the vault credentials.

In your Collibra environment

In your vault platform

  • You have a HashiCorp Vault.
  • You or another user can administer HashiCorp Vault secrets. This includes the ability to do the following in your HashiCorp Vault:
    • Create
    • Edit
    • Delete
    • Rotate credentials
  • You or another user have read credentials to the Authentication method and the HashiCorp Vault secret engine.
  • If you use a --caPath, it must be in the X.509 format (PEM encoded).
  • If you use a --certPath, it must be in the X.509 format (PEM encoded).
  • If you use a --keyPath, it must be in the PKCS#8 format (PEM encoded).

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the TLS authentication method:
    Copy
    sudo ./edgecli vault create hashicorp tls "<name>" \
      --authName "<authName>"
      --desc "<description>" \
      --caPath "<caPath>" \
      --certPath "<certPath>" \
      --keyPassword "<keyPassword>" \
      --keyPath "<keyPath>" \
      --url "<url>"
      --vaultNamespace "<vaultNamespace>"
    sudo ./edgecli vault create hashicorp tls "tls-vault-auth" \
  --authName "tls-vault-auth" \"
  --desc "HashiCorp vault with tls authentication." \
  --caPath "~/hashicorp/vault/ca.pem" \
  --certPath "~/hashicorp/vault/edge-site.crt" \
  --keyPassword "filePassword123" \
  --keyPath "~/hashicorp/vault/edge-site.key" \
  --url "https://hashicorp-vault.edge.collibra/"
  --vaultNamespace "HashiCorp vault 45"
    Copy
    ./edgecli vault create hashicorp tls "<name>" \
      --authName "<authName>"
      --desc "<description>" \
      --caPath "<caPath>" \
      --certPath "<certPath>" \
      --keyPassword "<keyPassword>" \
      --keyPath "<keyPath>" \
      --url "<url>"
      --vaultNamespace "<vaultNamespace>"
    ./edgecli vault create hashicorp tls "tls-vault-auth" \
  --authName "tls-vault-auth" \"
  --desc "HashiCorp vault with tls authentication." \
  --caPath "~/hashicorp/vault/ca.pem" \
  --certPath "~/hashicorp/vault/edge-site.crt" \
  --keyPassword "filePassword123" \
  --keyPath "~/hashicorp/vault/edge-site.key" \
  --url "https://hashicorp-vault.edge.collibra/"
  --vaultNamespace "HashiCorp vault 45"
    CommandDescription
    <name> (required)The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <authName> (required)The name of the HashiCorp Vault endpoint.
    <description> (optional)The description of the vault instance. The maximum character length is 150.
    <caPath> (optional)The file containing the Certificate Authority.
    If you use --caPath it must be in the PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It will not be required if the HTTPS certificate used for the SSL/TLS endpoint termination has a certificate chain supplied and the root certificate is in a Java trust store.
    <certPath> (required)The file containing the Client Certificate.
    <keyPassword> (optional)The password for the Client Private Key file.
    <keyPath> (required)The file containing the Client Private Key.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional)A unique namespace in your vault.
  2. Go to your Edge site to confirm the new vault is available in the Vaults tab.

What's next

  • You can now set up an Edge connection with your HashiCorp Vault .
  • You can retrieve and review the configuration details of your vault integrations.
  • You can edit your vault integration configuration.