Using secrets from Vault
The infrastructure uses Vault to store credentials. It is mainly used by the infrastructure itself, but clients might also need to interface with it, for example to get secrets for service users (see https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2748317698 ).
The PROD environment needs a different configuration than the test environments. Check the last section to see what is needed to use Vault in PROD.
Using a secret from Vault
Setting up Vault URL
To use secrets from Vault, the Helm chart needs to know where to reach the Vault server. We do that by providing the URL like this:

vault:
  address: https://vault.admin.${ENV_BASEURL}:8200

The ENV_BASEURL value is picked up from a .env file in the repo.
This snippet should be added to an app's values file or to the _common.yaml file (assuming it is included in all apps).
Injecting the secret into an environment variable
This section assumes that the Vault URL has been set up.
Assuming the needed secret is available at the app’s Vault path keycloak/client-secret under the entry password and that we want that secret to be available in our app in the CLIENT_SECRET environment variable, use this snippet in the app’s values file:
If using ehealth-servicechart version < 10:

environment_secrets:
  keycloak/client-secret:
    CLIENT_SECRET: password

If using ehealth-servicechart version >= 10:

vault:
  environment:
    keycloak/client-secret:
      CLIENT_SECRET: password

Note: the word password in these snippets is not supposed to be replaced by an actual password or secret. It refers to the name of the entry in which the secret resides in Vault.
Using Vault in PROD
In PROD we use a different path to log in to Vault. Add this to your .env file in PROD:

# Vault authentication
VAULT_KUBERNETES_MOUNT="systematic/k8s/prod"

Next, in the values/ directory, create a _common_vault.yaml file with the following contents:

vault:
  address: https://vault.admin.${ENV_BASEURL}:8200
  kubernetesMountPath: ${VAULT_KUBERNETES_MOUNT}

Then include this file in all the apps that need to use Vault. For example, if my app called example-app needs access to Vault, the app.yaml should have an entry like this:
apps:
  example-app:
    namespace: "example-namespace"
    enabled: true
    chart: "${OCI_REPO}/common/ehealth-service"
    version: "${EHEALTH_SERVICE_CHART_VERSION}"
    valuesFiles:
      - "values/_common.yaml"
      - "values/_common_vault.yaml" # <----- this is the important part
      - "values/example-app.yaml"
    setString:
      imageTag: "0.0.1"
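The two things that go wrong most often with the snippets above are an unresolved ${...} placeholder (the .env value is missing, so the chart renders a broken Vault address or mount path) and a literal secret typed where the Vault entry name belongs. The following script is an added example, not part of ehealth-servicechart or the repo: it parses a .env file, expands the placeholders, rewrites a pre-v10 environment_secrets block into the v10 vault.environment form, and reports findings for one app's values (given here as already-parsed dicts, as a YAML loader would produce them). The sample .env and values are constructed; the entry-name pattern is an assumption.

```python
import re
PLACEHOLDER = re.compile(r"\$\{([A-Z_][A-Z0-9_]*)\}")
ENTRY_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # assumed shape of a Vault entry name
# Constructed sample inputs, not taken from a real repo.
SAMPLE_DOTENV = '# Vault authentication\nENV_BASEURL="example.test"\nVAULT_KUBERNETES_MOUNT="systematic/k8s/prod"\n'
OLD_VALUES = {"environment_secrets": {"keycloak/client-secret": {"CLIENT_SECRET": "password"}}}

def load_dotenv(text):
    """Parse KEY=value / KEY="value" lines of a .env file; comments and blanks are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def expand(value, env):
    """Substitute ${VAR} from the .env map; raise on an unset variable so a half-rendered
    Vault address or mount path never reaches the cluster."""
    def sub(m):
        if m.group(1) not in env:
            raise KeyError(f"unset placeholder ${{{m.group(1)}}}")
        return env[m.group(1)]
    return PLACEHOLDER.sub(sub, value)

def migrate_environment_secrets(values):
    """Rewrite the pre-v10 'environment_secrets' block into 'vault.environment'
    (ehealth-servicechart >= 10). Returns a new dict; the input is left unchanged."""
    out = {k: v for k, v in values.items() if k != "environment_secrets"}
    if "environment_secrets" in values:
        out["vault"] = dict(out.get("vault", {}), environment=values["environment_secrets"])
    return out

def check_vault_values(values, env, prod):
    """Return a list of findings for one app's values; an empty list means it looks sound."""
    findings, vault = [], values.get("vault", {})
    if "address" not in vault:
        findings.append("vault.address is missing")
    if prod and "kubernetesMountPath" not in vault:
        findings.append("PROD requires vault.kubernetesMountPath (VAULT_KUBERNETES_MOUNT)")
    for key in ("address", "kubernetesMountPath"):
        try:
            expand(vault.get(key, ""), env)
        except KeyError as e:
            findings.append(f"vault.{key}: {e.args[0]}")
    for path, entries in vault.get("environment", {}).items():
        for var, entry in entries.items():
            if not ENTRY_NAME.match(str(entry)):   # heuristic: catches only obvious mistakes
                findings.append(f"{path}: {var} should name a Vault entry, not hold a secret value")
    return findings
```

Run check_vault_values with prod=True against the values merged from _common_vault.yaml and the app file; the entry-name check only catches obvious mistakes (spaces, punctuation), so it is no substitute for reading the diff before merging.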