HashiCorp Cloud Platform
Deploy Vault Radar Agent
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
The HCP Vault Radar agent allows you to scan on-premises data sources for secrets that are not accessible by the cloud scanner, and enable correlation between secrets found by Vault Radar that are store in Vault Enterprise.
Prerequisites
Access to HCP with an account that can create admin level service principals
Vault Radar CLI installed
The agent requires the following environment variables to run and connect to HCP:
Create a service principal
Project-level service principals interact with resources within a specific project in an organization. By default, they can only access resources in the same project. However, you can assign roles to service principals projects beyond their original scope.
Create a project level service principal with the admin role assigned.
Generate a key for the service principal.
Export an environment variable for the client ID and client secret.
$ export HCP_CLIENT_ID=actual-client-id HCP_CLIENT_SECRET=actual-client-secret
Create an agent pool in the HCP Portal
An agent pool is a group of agents that share the same
HCP_RADAR_AGENT_POOL_ID, enabling higher throughput by horizontal scaling the
number of agents.
Navigate to the HCP Portal navigate to HCP Vault Radar.
Click Settings.
Click Agent.
Click Add an agent pool and follow the prompts to create a new agent pool.
The final page displays the required configuration information. You can retrieve this information later from the Agent section of the settings page.
From the Connect the agent page, copy the commands to create environment variables for the pool ID and project ID.
Example:
$ export HCP_RADAR_AGENT_POOL_ID=actual-pool-id export HCP_PROJECT_ID=actual-project-id
Configure secret values
For most data sources the agent is going to need credentials to authenticate with the data source itself. When configuring your data source on HCP, you may be prompted to define a credential needed for the integration to work.
Note
The agent is expecting a URI. The only resource supported is an environment variable.
Example:
$ env://ENV_VARIABLE_NAME
If you are configuring a GitHub data source, you are going to need to generate a
GitHub PAT for the Agent. Save the value of that PAT local to the
Agent as an environment variable. If you saved the environment variable as
VAULT_RADAR_GIT_TOKEN then the URI for that variable entered on HCP should be
env://VAULT_RADAR_GIT_TOKEN.
Additional configuration
The agent will respect configurations set by an .hashicorp/vault-radar/ignore.yaml. See:
Connect a data source
You can set up a data source and manage it from the Vault Radar module in the HCP Portal.
Click Settings.
Click Data Sources.
Click Add data source.
Select agent scan.
Select the type of data source you want to set up. Provide the information prompted by the data source's form.
The recommended practice is to deploy the Agent using Kubernetes. A sample manifest is available alongside the releases.
Example deployment:
---
apiVersion: v1
kind: Namespace
metadata:
name: vault-radar
labels:
app: vault-radar-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-radar-agent
namespace: vault-radar
labels:
app: vault-radar-agent
---
# Note: This cluster role binding is only required if you are using the Kubernetes auth method for Vault indexing feature.
# It is needed for Vault to be able to review the Kubernetes service account token and authenticate the Agent.
# See https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuring-kubernetes
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# name: vault-radar-agent
# roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: system:auth-delegator
# subjects:
# - kind: ServiceAccount
# name: vault-radar-agent
# namespace: vault-radar
---
apiVersion: v1
kind: Secret
metadata:
name: vault-radar-secrets
namespace: vault-radar
labels:
app: vault-radar-agent
type: Opaque
data:
HCP_CLIENT_SECRET: <Base64 Encoded HCP_CLIENT_SECRET>
VAULT_RADAR_GIT_TOKEN: <Base64 Encoded VAULT_RADAR_GIT_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-radar-agent
namespace: vault-radar
labels:
app: vault-radar-agent
spec:
replicas: 2
selector:
matchLabels:
app: vault-radar-agent
template:
metadata:
labels:
app: vault-radar-agent
spec:
serviceAccountName: vault-radar-agent
automountServiceAccountToken: true
containers:
- name: vault-radar-agent
image: docker.io/hashicorp/vault-radar:latest
command: ["vault-radar"]
args: ["agent", "exec"]
imagePullPolicy: Always
tty: true
resources:
limits:
cpu: 1000m
memory: 1024Mi
requests:
cpu: 100m
memory: 512Mi
env:
- name: HCP_PROJECT_ID
value: <HCP_PROJECT_ID>
- name: HCP_RADAR_AGENT_POOL_ID
value: <HCP_RADAR_AGENT_POOL_ID>
- name: HCP_CLIENT_ID
value: <HCP_CLIENT_ID>
- name: HCP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-radar-secrets
key: HCP_CLIENT_SECRET
- name: VAULT_RADAR_GIT_TOKEN
valueFrom:
secretKeyRef:
name: vault-radar-secrets
key: VAULT_RADAR_GIT_TOKEN
The example manifest is using Kubernetes Secrets for the sensitive credentials.
This requires base64 encoding the values, and loading the secrets as
environment variables on the pod(s). There are different ways you can configure the
deployment as long as you set the environment variables vault-radar on the pod(s).
When deployed, each pod will output logs to stderr. You can tail the logs as
you would any other Kubernetes pod using the kubectl command:
$ kubectl logs <pod name> -f