Consuming Secrets in Habitat


#1

I’ve been doing some work with HashiCorp vault and habitat and I’m wondering if there’s a nice way to be able to consume secrets with habitat at run time potentially as cfg or similar?

My thoughts are specifically around database passwords but scope doesn’t need to be so narrow!

Initially I would think there would need to be logic to be able to actually talk with vault to store/retrieve these passwords, where the underlying system would expose environment variables to speak to the secret store.

thoughts?


#2

It looks like you’ve already found core/vault. If that provides the mechanism for accessing the secrets, I think you can set it as a dependency or build dependency and then use it in a plan callback or run hook as appropriate to write out a configuration file which your habitat package can consume.


#3

I’m not super familiar with the way vault works. I think you have a few angles:

  • use an init/reconfigure hook to reach out to vault and grab the secrets you need
  • have an external process drop the secrets off on the filesystem in /hab/svc/WHATEVER, which then can be loaded in an init/reconfigure hook.

What I don’t think makes sense is adding habitat<->vault integration outside of the hooks system. But we might add an extra hook, etc. if there is a lifecycle step that’s missing.


#4

It definitely makes sense not to have vault integration outside of the hooks system!

I’m thinking of another option of using something similar to the sidecar pattern where a separate habitat package facilitates the interaction with the secrets store and how those secrets get injected into the configuration.


#5

This is a great question @skylerto. I do a lot of work with Vault and Consul in Hab. From a quick read of your post, you’re just looking to query Vault for a secret during the configuration of another Hab package, right? This shouldn’t be a problem at all, as Vault is all API driven and querying it would be fine. If you went the route of a token, you would have to do some designing on how your app would get access into vault; the infamous secret “chicken or the egg” situation.

What exactly is your use case? Are you hoping to spin up Vault within Hab or have a Hab project consume a secret directly from your existing Vault?

I’d love to be able to help where possible. Thanks!


#6

I’m interested in the same thing. It would be super slick if we could define external secret stores and have a way to reference them in the handlebars templates, i.e. `{{hcv.secret_application_token}}`. We’ll plan to use the reconfigure hook for now.


#7

It was to get credentials into an application’s configuration. What I ended up doing was using a hab package as a “shim”.

One package ran the app, another ran Vault, and a third used the Vault APIs to get the values and stub out a user.toml to `config apply` to the first package.


#8

It would be really cool (I haven’t experimented much with bindings yet) if you could have dedicated hooks, or something else, which export information about the running package, and the binding was how you accessed/queried that in others.