HashiCorp Cloud Platform
Install HCP Vault Radar agent
HCP Vault Radar automates the detection and identification of unmanaged secrets in your code so that teams can take appropriate actions to remediate issues.
In the quickstart series of tutorials, you followed HashiCups (a fictitious company) as they set up a proof-of-concept (POC) to use HCP Vault Radar. You set up Vault Radar to scan GitHub repositories for secrets, set up alerts, and automate the creation of support tickets. In this tutorial, you will install the HCP Vault Radar agent in your Kubernetes environment to enable on-premises secret scanning and correlate findings with Vault.
Scenario
HashiCups completed their POC and wants to integrate additional on-premises data sources with Vault Radar. They would also like to determine if HashiCorp Vault stores any secrets that match the findings from the Vault Radar scans.
Alice from the architect team designed the implementation of the Vault Radar agent to their Kubernetes cluster with a dedicated Kubernetes service account. Oliver from the operations team, is going to deploy the Vault Radar agent in their Kubernetes environment. The Vault Radar agent enables you to scan on-premises data sources and correlate findings with HashiCorp Vault.
You will take on the role of Oliver to complete the installation of the Vault Radar agent and scan a Git repository.
Prerequisites
- Access to the HCP Portal with a user assigned the admin role.
- Access to a GitHub account with an organization configured.
- Permission to create a GitHub personal access token.
- Docker installed and running
- minikube installed on your local machine.
Set up the lab
In this tutorial, you will use a public GitHub repository. You can scan both public data sources and on-premises data sources with the Vault Radar agent.
Configure GitHub
Log in to your GitHub account and access the
hcp-vault-radar-foundationsrepository.Create a fork of the repository and select the desired organization.
Review the
main.gofile. Lines 11 and 12 include a username and password. This username and password represent secrets that HashiCups does not want included in their source code.Copy and paste the following URL into your browser. This URL pre-fills the personal access token form with the permissions needed by the Vault Radar agent.
https://github.com/settings/tokens/new?scopes=repo,read:org,admin:repo_hook,admin:org_hook,read:userNote
Set a personal access token TTL according to your organization's current best operational practices. Refer to the GitHub documentation for more information on personal access token.
Enter
vault-radar-agentin the Note field.Click Generate token.
Copy the token and open a new terminal.
Export an environment variable for the token.
$ export VAULT_RADAR_GIT_TOKEN=ghp...snip...XoqYou will use this token to authenticate the Vault Radar agent with your GitHub account.
Start minikube
From the terminal where you exported the GitHub personal access token, create a minikube cluster.
$ minikube start 😄 minikube v1.30.1 on Darwin 13.4 (arm64) ✨ Automatically selected the docker driver 📌 Using Docker Desktop driver with root privileges 👍 Starting control plane node minikube in cluster minikube 🚜 Pulling base image ... 🔥 Creating docker container (CPUs=2, Memory=4000MB) ... 🐳 Preparing Kubernetes v1.26.3 on Docker 23.0.2 ... ▪ Generating certificates and keys ... ▪ Booting up control plane ... ▪ Configuring RBAC rules ... 🔗 Configuring bridge CNI (Container Networking Interface) ... ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5 🔎 Verifying Kubernetes components... 🌟 Enabled addons: storage-provisioner, default-storageclass 🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by defaultThe minikube CLI starts a single-node cluster and configures
kubectlfor the cluster.Verify the cluster is running.
$ minikube status minikube type: Control Plane host: Running kubelet: Running apiserver: Running kubeconfig: Configuredminikube is running and ready to use.
Prepare HCP Vault Radar
You need to create a service principal in HCP to authenticate the Vault Radar agent and a client pool for the agent.
Create a service principal
The Vault Radar agent uses a HCP service principal to authenticate with HCP.
Log in to the HCP Portal, select your organization and the project you want to configure Vault Radar for.
Click Access control (IAM).
Click Service principals.
Click Create service principal.
Enter
vault-radar-agentin the Service principal name text box.Click the Select service pull-down menu and select Vault Radar.
Click the Select role(s) pull-down menu and select Vault Radar Agent.
Click Create service principal.
On the vault-radar-agent screen, click Keys.
Click Generate key.
Copy the Client ID and return to the terminal where you started minikube.
Export an environment variable for the client ID.
$ export HCP_CLIENT_ID="your-client-id"Return to the HCP Portal and copy the Client secret.
Return to the terminal where you exported the
HCP_CLIENT_IDenvironment variable and export theHCP_CLIENT_SECRETenvironment variable.$ export HCP_CLIENT_SECRET="your-client-secret"Return to the HCP Portal and close the Save your key dialog box. You will not be able to retrieve the client secret again once you close the dialog box.
Create a client pool
From the Keys page click Back to service principals, and then click Back to Dashboard.
Click Vault Radar.
Note
If you have not used Vault Radar before, click View Vault Radar.
Click Settings.
Click Agent.
Click Add an agent pool.
In the Agent pool name text box, enter
vault-radar-agent-pool.Click Save and continue.
The Install the agent tab displays the steps to run the agent interactively using the Vault Radar CLI. This tutorial focuses on the preferred method of running the agent in production, which is to deploy the agent in a Kubernetes cluster.
Click Install agent.
Copy the
export HCP_PROJECT_ID=...andexport HCP_RADAR_AGENT_POOL_ID=...commands.Return to the terminal where you exported the
HCP_CLIENT_IDenvironment variable and paste the commands to export the project ID and pool ID.$ export HCP_PROJECT_ID=abc...snip...123 export HCP_RADAR_AGENT_POOL_ID=def...snip...456Verify you have the required environment variables set.
$ printenv | grep -e HCP_ -e VAULT_ HCP_CLIENT_ID=RQO...snip...omK HCP_CLIENT_SECRET=f3r...snip...Ldp HCP_PROJECT_ID=abc...snip...123 HCP_RADAR_AGENT_POOL_ID=def...snip...456 VAULT_RADAR_GIT_TOKEN=ghp...snip...42The vault-radar-agent-pool dialog will remain in the Awaiting connection state until you complete the next section.
Deploy HCP Vault Radar agent
You have set up and collected the information necessary to deploy the Vault Radar agent.
The Vault Radar agent can run interactively using the Vault Radar CLI, or the preferred method of deploying the agent in a Kubernetes cluster. In this section, you will deploy the agent in your minikube cluster.
Create a Kubernetes namespace for the Vault Radar agent.
$ kubectl create -f - <<EOF apiVersion: v1 kind: Namespace metadata: name: vault-radar labels: app: vault-radar-agent EOFExample output:
namespace/vault-radar createdA good practice is to separate workloads into dedicated namespaces.
Create a service account for the Vault Radar agent in the
vault-radarKubernetes namespace.$ kubectl create -f - <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: vault-radar-agent namespace: vault-radar labels: app: vault-radar-agent EOFExample output:
serviceaccount/vault-radar-agent createdDeploy the Vault Radar agent.
$ kubectl create -f - <<EOF apiVersion: apps/v1 kind: Deployment metadata: name: vault-radar-agent namespace: vault-radar labels: app: vault-radar-agent spec: replicas: 2 selector: matchLabels: app: vault-radar-agent template: metadata: labels: app: vault-radar-agent spec: serviceAccountName: vault-radar-agent automountServiceAccountToken: true containers: - name: vault-radar-agent image: docker.io/hashicorp/vault-radar:latest command: ["vault-radar"] args: ["agent", "exec"] imagePullPolicy: Always tty: true resources: limits: cpu: 1000m memory: 1024Mi requests: cpu: 100m memory: 512Mi env: - name: HCP_PROJECT_ID value: "$HCP_PROJECT_ID" - name: HCP_RADAR_AGENT_POOL_ID value: "$HCP_RADAR_AGENT_POOL_ID" - name: HCP_CLIENT_ID value: "$HCP_CLIENT_ID" - name: HCP_CLIENT_SECRET value: "$HCP_CLIENT_SECRET" - name: VAULT_RADAR_GIT_TOKEN value: "$VAULT_RADAR_GIT_TOKEN" EOFExample output:
deployment.apps/vault-radar-agent createdCheck the status of the deployment.
$ kubectl get pods --namespace vault-radar NAME READY STATUS RESTARTS AGE vault-radar-agent-7cc47fb9d6-n24rb 1/1 Running 0 10s vault-radar-agent-7cc47fb9d6-v6nbw 1/1 Running 0 10sNote
If the pod status is
CrashLoopBackOff, check the environment variable values.The Vault Radar agent is running in your Kubernetes cluster.
Scan a data source
With the Vault Radar agent deployed, you can now scan a data source. The agent can scan on-premises data sources such as a self-hosted Git environment, or public data sources such as GitHub.
Return to the HCP Portal.
The vault-radar-agent-pool Status should now display Connected.
Click Finish.
Click Add data sources to agent pool.
Select GitHub Cloud.
Enter the name for the GitHub organization you forked the
hcp-vault-radar-foundationsrepository to.Enter the URI for the GitHub personal access token environment variable.
env://VAULT_RADAR_GIT_TOKENClick Next.
On the Select repositories to monitor page, select the Select repositories to monitor radio button.
Click the checkbox for the hcp-vault-radar-foundations repository, and click Finish (1 selected).
Vault Radar starts scanning the repository for secrets. Once complete, the Top 10 resource risks dashboard displays the findings.
Example dashboard:
Clean up
In the next tutorial, you will update the Vault Radar agent to correlate its findings with secrets stored in HashiCorp Vault. If you plan to continue with the next tutorial, do not perform these clean up steps.
Delete the minikube cluster.
$ minikube deleteDelete the forked GitHub repository from your GitHub organization.
Delete the GitHub personal access token created in this tutorial.
Summary
In this tutorial, you installed the HCP Vault Radar agent in your Kubernetes environment. You then added a data source to the agent pool and scanned a GitHub repository for secrets. All scanning takes place on the agent in your Kubernetes cluster. The agent sends only the hashed findings to the HCP Vault Radar portal.