Using multiple instances of Vault KMS in OCS-CI
Vault is one of the Key Management Systems currently supported by ODF for encryption. QE maintains two Vault instances: the community edition of Vault and the enterprise edition of Vault hosted on the HashiCorp Cloud Platform (HCP). The configuration and authentication details for these instances are defined in the data/auth.yaml file, under the vault and vault_hcp sections respectively.
The community edition of Vault is free to use but lacks enterprise features such as namespaces. The HCP Vault instance provides the enterprise features and is billed based on usage.
Each Vault instance has one or more of these variables defined:

VAULT_ADDR
: Hostname of the Vault instance

PORT
: The port Vault listens on; usually the default, 8200

VAULT_CACERT_BASE64
: Base64-encoded CA certificate used to verify the Vault server

VAULT_CLIENT_CERT_BASE64
: Base64-encoded client certificate (mTLS)

VAULT_CLIENT_KEY_BASE64
: Base64-encoded client private key (mTLS)

VAULT_TLS_SERVER_NAME
: TLS server name (SNI) for the Vault instance, if applicable; leave empty otherwise

VAULT_ROOT_TOKEN
: Vault root token or admin token

UNSEAL_KEY{1..5}
: Unseal key shares for Vault (not applicable to the managed HCP instance)

VAULT_HCP_NAMESPACE
: Vault namespace to use on the HCP instance

VAULT_ROOT_TOKEN, the client key and the unseal keys are live secrets: data/auth.yaml must be kept out of version control and out of test logs.
Example:

```yaml
vault:
  VAULT_ADDR:
  PORT:
  VAULT_CACERT_BASE64:
  VAULT_CLIENT_CERT_BASE64:
  VAULT_CLIENT_KEY_BASE64:
  VAULT_TLS_SERVER_NAME: ''
  VAULT_ROOT_TOKEN:
  UNSEAL_KEY1:
  UNSEAL_KEY2:
  UNSEAL_KEY3:
  UNSEAL_KEY4:
  UNSEAL_KEY5:
vault_hcp:
  VAULT_ADDR:
  PORT:
  VAULT_CACERT_BASE64:
  VAULT_TLS_SERVER_NAME: ''
  VAULT_ROOT_TOKEN:
  VAULT_HCP_NAMESPACE:
```
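As an added illustration of how the two sections are consumed (this is not OCS-CI's own code; every helper name is hypothetical and the config dict is a constructed stand-in for data/auth.yaml after yaml.safe_load(), with placeholder PEM blobs and tokens), the following checks that each instance carries the fields its flavour needs, decodes the base64 PEMs into 0600 files, and maps the section onto the environment variables the vault CLI reads:

```python
"""Validate the vault / vault_hcp sections of an OCS-CI style auth.yaml and
turn one section into vault CLI environment variables.

Added example, not OCS-CI code. SAMPLE_AUTH is a constructed stand-in for
data/auth.yaml (PEMs and tokens are placeholders); helper names are hypothetical.
"""
import base64
import tempfile
from pathlib import Path

# Fields every instance must carry, plus the ones only one flavour needs.
COMMON_FIELDS = ("VAULT_ADDR", "PORT", "VAULT_CACERT_BASE64", "VAULT_ROOT_TOKEN")
EXTRA_FIELDS = {
    # self-hosted community Vault: mTLS client cert/key and the Shamir unseal shares
    "vault": ("VAULT_CLIENT_CERT_BASE64", "VAULT_CLIENT_KEY_BASE64",
              *(f"UNSEAL_KEY{i}" for i in range(1, 6))),
    # HCP Vault is managed (no unseal keys) but is namespaced
    "vault_hcp": ("VAULT_HCP_NAMESPACE",),
}
# auth.yaml key -> env var the vault CLI reads; base64 PEMs become file paths instead
ENV_MAP = {"VAULT_ROOT_TOKEN": "VAULT_TOKEN", "VAULT_HCP_NAMESPACE": "VAULT_NAMESPACE",
           "VAULT_TLS_SERVER_NAME": "VAULT_TLS_SERVER_NAME"}
PEM_FILES = {"VAULT_CACERT_BASE64": ("VAULT_CACERT", "ca.crt"),
             "VAULT_CLIENT_CERT_BASE64": ("VAULT_CLIENT_CERT", "client.crt"),
             "VAULT_CLIENT_KEY_BASE64": ("VAULT_CLIENT_KEY", "client.key")}


def b64_text(text):
    """Base64-encode a string the way the *_BASE64 fields are stored."""
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for data/auth.yaml; the PEM bodies are placeholders, not real keys.
SAMPLE_AUTH = {
    "vault": {
        "VAULT_ADDR": "vault.example.internal", "PORT": 8200,
        "VAULT_CACERT_BASE64": b64_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"),
        "VAULT_CLIENT_CERT_BASE64": b64_text("-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"),
        "VAULT_CLIENT_KEY_BASE64": b64_text("-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n"),
        "VAULT_TLS_SERVER_NAME": "",
        "VAULT_ROOT_TOKEN": "hvs.placeholder-root-token",
        **{f"UNSEAL_KEY{i}": f"unseal-share-{i}" for i in range(1, 6)},
    },
    "vault_hcp": {
        "VAULT_ADDR": "vault-cluster.example.hashicorp.cloud", "PORT": 8200,
        "VAULT_CACERT_BASE64": b64_text("-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n"),
        "VAULT_TLS_SERVER_NAME": "",
        "VAULT_ROOT_TOKEN": "hvs.placeholder-admin-token",
        # VAULT_HCP_NAMESPACE deliberately omitted so the check below fires
    },
}


def missing_fields(instance, section):
    """Required keys that are absent or empty for this instance flavour."""
    required = COMMON_FIELDS + EXTRA_FIELDS.get(instance, ())
    return [k for k in required if not section.get(k)]


def decode_pem(b64_blob):
    """Strictly base64-decode a PEM blob and refuse anything not PEM-framed,
    catching a double-encoded or truncated value before Vault rejects it."""
    pem = base64.b64decode(b64_blob, validate=True)
    if not pem.startswith(b"-----BEGIN ") or b"-----END " not in pem:
        raise ValueError("decoded value is not a PEM block")
    return pem


def vault_url(section):
    """auth.yaml stores a hostname plus PORT; the vault CLI wants a URL."""
    addr = str(section["VAULT_ADDR"])
    if addr.startswith(("https://", "http://")):
        return addr  # tolerate a full URL already being present
    return f"https://{addr}:{section['PORT']}"


def build_env(instance, section, cert_dir=None):
    """Translate one auth.yaml section into vault CLI environment variables,
    writing the PEMs as 0600 files under cert_dir (a fresh 0700 tmpdir by default)."""
    missing = missing_fields(instance, section)
    if missing:
        raise ValueError(f"{instance}: missing {missing}")
    cert_dir = Path(cert_dir or tempfile.mkdtemp(prefix=f"{instance}-"))
    env = {"VAULT_ADDR": vault_url(section)}
    for key, (env_name, filename) in PEM_FILES.items():
        if section.get(key):
            path = cert_dir / filename
            path.write_bytes(decode_pem(section[key]))
            path.chmod(0o600)  # the client key must not be world readable
            env[env_name] = str(path)
    for key, env_name in ENV_MAP.items():
        if section.get(key):  # '' for VAULT_TLS_SERVER_NAME means "not applicable"
            env[env_name] = str(section[key])
    return env


def unseal_shares(section):
    """Ordered, non-empty UNSEAL_KEY{1..5} values (Vault's default init is 5 shares, threshold 3)."""
    return [section[k] for k in (f"UNSEAL_KEY{i}" for i in range(1, 6)) if section.get(k)]


def redacted(env):
    """Copy of env that is safe to log: the token is the only secret passed by value."""
    return {k: ("***" if k == "VAULT_TOKEN" else v) for k, v in env.items()}


if __name__ == "__main__":
    print(redacted(build_env("vault", SAMPLE_AUTH["vault"])))
    print(len(unseal_shares(SAMPLE_AUTH["vault"])), "unseal shares")
    print("vault_hcp missing:", missing_fields("vault_hcp", SAMPLE_AUTH["vault_hcp"]))
```

Only the token travels by value; certificates and the client key are materialised as files so they never appear in a process listing or a logged environment, and the empty VAULT_TLS_SERVER_NAME from the example is dropped rather than exported as an empty string, which the vault CLI would otherwise treat as an explicit (and wrong) SNI value.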