External Vault Requirements

How to configure an external HashiCorp Vault for CDP Private Cloud.

Vault Token Policy

CDP Private Cloud can be installed using an internal or external Vault. If you are installing CDP Private Cloud with an external Vault, a Vault token with the following permissions is required.

  • Create/Update/List/Read a secret engine of type kv-2 at the applicable path.
  • Create/Update/List/Read auth of type kubernetes at the applicable path.
  • Create/Update/List/Read policies.
  • Access to List and Read the Vault token details.

Example Vault policy:

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "list"]
}
# Create, update auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "sudo"]
}
 
# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}
 
# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}
 
# Create and manage ACL policies via API & UI
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "list"]
}
 
 
# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "list"]
}
 
# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

For more information, see HashiCorp Vault Policy Requirements.

Vault Token Use

The Vault token should be created using the preceding policy. It is recommended that the Vault administrator delete this token after the installation is complete.

External Vault Installation Parameters

  • Vault Address – The external Vault FQDN (Fully Qualified Domain Name) with port.
  • Token – The Vault token described above
  • CA Certificate – A valid certificate for the Vault server in PEM format.

Vault Secrets Engine, Auth, and Policies

During installation CDP enables a kv-v2 secrets engine and kubernetes auth at unique paths in the following format:

cloudera-<controlplane namespace>-<server-url>

It is recommended that you do not have any kv-v2 secrets and kubernetes auth enabled at the same path in your Vault server.

CDP also creates Vault policies that provide access to control plane services to write their secret data. These two policies have the following format:

<namespace>-<server-url> and admin-<namespace>-<server-url>