Using secrets from Vault
The infrastructure uses Vault to store credentials. Vault is mainly used by the infrastructure itself, but clients may also need to interface with it, for example to get secrets for service users (see Oprettelse og brug af Servicebruger).
Using a secret from Vault
Setting up Vault URL
To use secrets from Vault, the Helm chart needs to know where to access the Vault server. We do that by providing the URL like this:
vault:
  address: https://vault.admin.${ENV_BASEURL}:8200
The ENV_BASEURL is picked up from a .env file in the repo.
This snippet should be added to an app’s values file or to the _common.yaml file (assuming it is included in all apps).
Injecting the secret into an environment variable
This section assumes that the Vault URL has been set up.
Assuming the needed secret is available at the app’s Vault path keycloak/client-secret under the entry password and that we want that secret to be available in our app in the CLIENT_SECRET environment variable, use this snippet in the app’s values file:
If using ehealth-service chart version < 10:
environment_secrets:
  keycloak/client-secret:
    CLIENT_SECRET: password
If using ehealth-service chart version >= 10:
vault:
  environment:
    keycloak/client-secret:
      CLIENT_SECRET: password
Note: the password in these snippets is not supposed to be replaced by an actual password or secret. It refers to the name of the entry in which the secret resides in Vault.
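The note above can be checked before a values file is committed. The following lint is an added example, not part of the original page or of the ehealth-service chart: it takes a values file already parsed into a dict and checks the Vault address, the layout for the chart version, and that each mapping names a Vault entry rather than holding a value. The function names, the chart_major parameter and the entry-name pattern are assumptions.

```python
import re

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Assumption: Vault entry names are short identifiers such as "password".
ENTRY_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def vault_mappings(values):
    """Collect {vault_path: {ENV_VAR: entry_name}} from both chart layouts."""
    old = values.get("environment_secrets") or {}
    new = (values.get("vault") or {}).get("environment") or {}
    merged = {}
    for layout in (old, new):
        for path, envs in layout.items():
            merged.setdefault(path, {}).update(envs or {})
    return merged


def lint_values(values, chart_major):
    """Return a list of problems found in a parsed values file."""
    problems = []
    vault = values.get("vault") or {}
    if not str(vault.get("address", "")).startswith("https://"):
        problems.append("vault.address is missing or not an https URL")
    if chart_major >= 10 and values.get("environment_secrets"):
        problems.append("environment_secrets is the chart < 10 layout; use vault.environment")
    if chart_major < 10 and vault.get("environment"):
        problems.append("vault.environment is the chart >= 10 layout; use environment_secrets")
    for path, envs in vault_mappings(values).items():
        for env_var, entry in envs.items():
            if not ENV_NAME.match(str(env_var)):
                problems.append(f"{path}: invalid environment variable name {env_var!r}")
            if not isinstance(entry, str) or not ENTRY_NAME.match(entry):
                # Never echo the value: it may be a real secret pasted by mistake.
                problems.append(f"{path}: {env_var} should name a Vault entry, not hold a value")
    return problems


# Constructed sample input, not a real values file.
SAMPLE = {
    "vault": {
        "address": "https://vault.admin.${ENV_BASEURL}:8200",
        "environment": {"keycloak/client-secret": {"CLIENT_SECRET": "password"}},
    }
}

if __name__ == "__main__":
    print(lint_values(SAMPLE, chart_major=10))
```

The entry-name pattern is a heuristic: a pasted secret made up only of letters and digits and no longer than 32 characters passes it, so treat a clean result as a first filter, not as proof.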