HashiCorp Cloud Platform
Deploy Vault Radar Agent
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
The HCP Vault Radar agent allows you to scan on-premises data sources for secrets that are not accessible by the cloud scanner, and enable correlation between secrets found by Vault Radar that are store in Vault Enterprise.
Prerequisites
Access to HCP with an account that can create admin level service principals
Vault Radar CLI installed
The following environment variables are required to run the agent run and connect to HCP.
Create a service principal
Project-level service principals are designed to interact with resources within a specific project in an organization. By default, they can only access resources in the project where they were created. However, these service principals can be assigned roles in additional projects beyond their original scope.
Create a project level service principal with the admin role assigned.
Generate a key for the service principal.
Export an environment variable for the client ID and client secret.
$ export HCP_CLIENT_ID=actual-client-id HCP_CLIENT_SECRET=actual-client-secret
Create an agent pool in the HCP Portal
An agent pool is a group of agents that share the same
HCP_RADAR_AGENT_POOL_ID, enabling higher throughput by horizontal scaling the
number of agents.
Navigate to the HCP Portal navigate to HCP Vault Radar.
Click Settings.
Click Agent.
Click Add an agent pool and follow the prompts to create a new agent pool.
The final page displays the required configuration information. You can retrieve this information later from the Agent section of the settings page.
From the Connect the agent page, copy the commands to create environment variables for the pool ID and project ID.
Example command:
$ export HCP_RADAR_AGENT_POOL_ID=actual-pool-id export HCP_PROJECT_ID=actual-project-id
Configure secret values
For most data sources the agent is going to need credentials to authenticate with the data source itself. When configuring your data source on HCP, you may be prompted to define a credential needed for the integration to work. Note: The agent is expecting a URI. Currently the only resource supported is an environment variable. An example of an environment variable URI is:
$ env://ENV_VARIABLE_NAME
For example, if you are configuring a GitHub data source, you are going to need to generate a GitHub PAT for the Agent to use and save the value of that PAT local to the Agent as an environment variable. If you saved the environment variable as VAULT_RADAR_GIT_TOKEN then the URI for that variable entered on HCP should be env://VAULT_RADAR_GIT_TOKEN.
Additional configuration
The agent will respect configurations set by an .hashicorp/vault-radar/ignore.yaml. See:
Connect a data source
A data source can be set up and managed from the Vault Radar module in the HCP Portal. Select Settings, then Data Sources, and then press the Add data source to begin.
Select agent scan.
Select the type of data source you'd like to setup and provide the information prompted by the data source's form.
It is recommended to deploy the Agent using Kubernetes. A sample manifest is included alongside the releases. An example deployment for the Agent may looks something like this:
---
apiVersion: v1
kind: Namespace
metadata:
name: vault-radar
labels:
app: vault-radar-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-radar-agent
namespace: vault-radar
labels:
app: vault-radar-agent
---
# Note: This cluster role binding is only required if you are using the Kubernetes auth method for Vault indexing feature.
# It is needed for Vault to be able to review the Kubernetes service account token and authenticate the Agent.
# See https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuring-kubernetes
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# name: vault-radar-agent
# roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: system:auth-delegator
# subjects:
# - kind: ServiceAccount
# name: vault-radar-agent
# namespace: vault-radar
---
apiVersion: v1
kind: Secret
metadata:
name: vault-radar-secrets
namespace: vault-radar
labels:
app: vault-radar-agent
type: Opaque
data:
HCP_CLIENT_SECRET: <Base64 Encoded HCP_CLIENT_SECRET>
VAULT_RADAR_GIT_TOKEN: <Base64 Encoded VAULT_RADAR_GIT_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-radar-agent
namespace: vault-radar
labels:
app: vault-radar-agent
spec:
replicas: 2
selector:
matchLabels:
app: vault-radar-agent
template:
metadata:
labels:
app: vault-radar-agent
spec:
serviceAccountName: vault-radar-agent
automountServiceAccountToken: true
containers:
- name: vault-radar-agent
image: docker.io/hashicorp/vault-radar:latest
command: ["vault-radar"]
args: ["agent", "exec"]
imagePullPolicy: Always
tty: true
resources:
limits:
cpu: 1000m
memory: 1024Mi
requests:
cpu: 100m
memory: 512Mi
env:
- name: HCP_PROJECT_ID
value: <HCP_PROJECT_ID>
- name: HCP_RADAR_AGENT_POOL_ID
value: <HCP_RADAR_AGENT_POOL_ID>
- name: HCP_CLIENT_ID
value: <HCP_CLIENT_ID>
- name: HCP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-radar-secrets
key: HCP_CLIENT_SECRET
- name: VAULT_RADAR_GIT_TOKEN
valueFrom:
secretKeyRef:
name: vault-radar-secrets
key: VAULT_RADAR_GIT_TOKEN
The example manifest is using Kubernetes Secrets for the sensitive credentials, this requires base64 encoding the values, and then the secrets are loaded as environment variables on the pod(s). There are many ways you can configure the deployment as long as the environment variables vault-radar requires are set on the pod(s).
When deployed, each pod will output logs to stderr. You can tail the logs as you would any other kubernetes pod using the kubectl command:
$ kubectl logs <pod name> -f