HashiCorp: Configure Groundplex nodes

Configure Groundplex nodes to use a HashiCorp Vault.

Overview

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets. You need permissions to access, update, and restart the Groundplex nodes.
In the node configuration file, you enter the information you collected when setting up the Vault.
  1. Create a secrets-config.json file.
    1. Copy and paste the JSON structure for your authentication method (AppRole or LDAP) and replace the placeholders with the appropriate values.

       AppRole authentication:

       {
         "HCP": [
           {
             "alias": "config-name",
             "namespace": "vault-namespace",
             "location": "cluster-url",
             "project_space": "/snaplogic/shared",
             "auth_method": "approle",
             "role_id": "roleid",
             "secret_id": "secretid",
             "auth_path": "auth-name"
           },
           ...
         ]
       }

       alias: A unique name for the configuration object in this file.
       namespace: The Vault namespace depends on the HashiCorp product.
         • In HashiCorp Cloud Platform (HCP):
           • Default: admin
           • Otherwise, the name of the namespace that you created.
         • In HashiCorp Enterprise: the name of the namespace that you created.
         • In HashiCorp Open Source: root.
       location: The URL of the private cluster. This URL establishes peer communication with your Groundplex nodes.
       project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
       auth_method: The authentication method to use: approle.
       role_id: The RoleID of the role you created.
       secret_id: The SecretID you generated for the role you created.
       auth_path: Optional. The path at which the authentication method is mounted in Vault. If not specified, Snaplex nodes use the default AppRole mount path.
       LDAP authentication:

       {
         "HCP": [
           {
             "alias": "config-name",
             "namespace": "vault-namespace",
             "location": "cluster-url",
             "project_space": "/snaplogic/shared",
             "auth_method": "ldap",
             "username": "ldap-username",
             "password": "ldap-password",
             "auth_path": "auth-name"
           },
           ...
         ]
       }

       alias: A unique name for the configuration object in this file.
       namespace: The Vault namespace depends on the HashiCorp product.
         • In HashiCorp Cloud Platform (HCP):
           • Default: admin
           • Otherwise, the name of the namespace that you created.
         • In HashiCorp Enterprise: the name of the namespace that you created.
         • In HashiCorp Open Source: root.
       location: The URL of the private cluster. This URL establishes peer communication with your Groundplex nodes.
       project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
       auth_method: The authentication method to use: ldap.
       username: The username for authentication on your LDAP server.
       password: The password for authentication on your LDAP server.
       auth_path: Optional. The path at which the authentication method is mounted in Vault. If not specified, Snaplex nodes use the default LDAP mount path.

      For every Vault, you need a Vault configuration object inside the HCP array with the appropriate values.

    2. Save the file.
  2. Configure each Groundplex node.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Restart the JCC service.
      On Linux, /opt/snaplogic/bin/jcc.sh restart
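Because secrets-config.json carries SecretIDs and LDAP passwords, and because a malformed file (a trailing comma, a missing credential field) only shows up after the JCC restart, it is worth checking the file before copying it to /etc/snaplogic. The following script is an added example, not SnapLogic's or HashiCorp's code. It assumes only the file layout described above (a top-level "HCP" array whose entries carry alias, namespace, location, auth_method and the credentials for that method); the field names come from the page, while the checks, the constructed SAMPLE_CONFIG and the placeholder values are this example's own. The login_endpoint helper shows how auth_path maps onto Vault's login URL (auth/<mount>/login, with the username appended for LDAP), which is how Vault's own API works regardless of the client.

```python
"""Offline sanity checks for a secrets-config.json HashiCorp Vault section."""
import json
import os
import re
import stat
from urllib.parse import urlparse

# Credentials each auth_method must carry (taken from the two templates above).
REQUIRED_BY_METHOD = {
    "approle": ("role_id", "secret_id"),
    "ldap": ("username", "password"),
}
COMMON_REQUIRED = ("alias", "namespace", "location", "auth_method")
# /<org>/<project_space>[/<project_name>]: two or three non-empty path segments.
PROJECT_SPACE_RE = re.compile(r"^/[^/]+/[^/]+(/[^/]+)?$")


def check_entry(entry):
    """Return a list of problems found in one HCP configuration object."""
    problems = []
    for key in COMMON_REQUIRED:
        if not entry.get(key):
            problems.append(f"missing or empty '{key}'")
    method = entry.get("auth_method")
    if method not in REQUIRED_BY_METHOD:
        problems.append(f"unsupported auth_method {method!r} (expected approle or ldap)")
    else:
        for key in REQUIRED_BY_METHOD[method]:
            if not entry.get(key):
                problems.append(f"auth_method {method} requires '{key}'")
    loc = entry.get("location", "")
    if loc and urlparse(loc).scheme != "https":
        problems.append("location should be an https:// cluster URL")
    # An empty project_space is treated as unset, as in the page's LDAP example.
    ps = entry.get("project_space")
    if ps and not PROJECT_SPACE_RE.match(ps):
        problems.append("project_space must look like /<org>/<project_space>[/<project_name>]")
    return problems


def check_config(config):
    """Check a parsed secrets-config.json; returns {alias-or-index: [problems]}."""
    entries = config.get("HCP")
    if not isinstance(entries, list) or not entries:
        return {"HCP": ["top-level 'HCP' must be a non-empty array"]}
    report, seen = {}, set()
    for i, entry in enumerate(entries):
        name = entry.get("alias") or f"#{i}"
        problems = check_entry(entry)
        if entry.get("alias") in seen:
            problems.append("duplicate alias; aliases must be unique in this file")
        seen.add(entry.get("alias"))
        if problems:
            report[name] = problems
    return report


def check_file(path):
    """Parse the file strictly (json rejects trailing commas) and flag a file
    holding SecretIDs or passwords that is readable by group or others."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} is readable by group/others (mode {mode:04o}); use 0600")
    with open(path) as fh:
        try:
            config = json.load(fh)
        except json.JSONDecodeError as exc:
            return {"file": problems + [f"invalid JSON: {exc}"]}
    report = check_config(config)
    if problems:
        report["file"] = problems
    return report


def login_endpoint(entry):
    """Vault login URL implied by an entry: auth_path is the auth method's mount
    path (the default mount is named after the method); LDAP logins carry the
    username in the path. The namespace is sent separately (X-Vault-Namespace header)."""
    mount = entry.get("auth_path") or entry["auth_method"]
    base = entry["location"].rstrip("/") + f"/v1/auth/{mount}/login"
    if entry["auth_method"] == "ldap":
        return base + "/" + entry["username"]
    return base


# Constructed sample (placeholder values only): a valid AppRole entry and an LDAP
# entry that lacks its password, uses plain http and has a malformed project_space.
SAMPLE_CONFIG = {
    "HCP": [
        {"alias": "dev", "namespace": "admin/developer",
         "location": "https://vault.example.test:8200/", "auth_method": "approle",
         "role_id": "ROLE-ID-PLACEHOLDER", "secret_id": "SECRET-ID-PLACEHOLDER",
         "auth_path": "custom_approle"},
        {"alias": "hr", "namespace": "admin", "location": "http://vault.example.test:8200",
         "auth_method": "ldap", "username": "jdoe", "project_space": "shared"},
    ]
}

if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(problems))
    print(login_endpoint(SAMPLE_CONFIG["HCP"][0]))
```

Run check_file("/etc/snaplogic/secrets-config.json") after copying the file to confirm it parses, that every entry carries the credentials its auth_method needs, and that the file is not readable by other local users; only then restart the JCC service.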

These example secrets-config.json files set up connections to several Vaults. The first file uses AppRole, with and without a custom auth_path:

 {
   "HCP": [
     {
       "alias": "approle",
       "namespace": "admin/developer",
       "location": "https://qa-vault-cluster-public-vault-b0030966.7e5cc021.z1.hashicorp.cloud:8200/",
       "auth_method": "approle",
       "role_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
       "secret_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     },
     {
       "alias": "custom_approle",
       "namespace": "admin/developer",
       "location": "https://qa-vault-cluster-public-vault-b0030966.7e5cc021.z1.hashicorp.cloud:8200/",
       "auth_method": "approle",
       "role_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
       "secret_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
       "auth_path": "custom_approle"
     }
   ]
 }

The second file uses LDAP, again with and without a custom auth_path:

 {
   "HCP": [
     {
       "alias": "hr",
       "namespace": "hradmin/recruiter",
       "location": "https://my-hr-cluster.vault.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.aws.hashicorp.cloud:8200",
       "auth_method": "ldap",
       "username": "[email protected]",
       "password": "Doe's1password"
     },
     {
       "alias": "custom_ldap",
       "namespace": "admin/developer",
       "location": "https://vault-cluster-public-vault-b68453566.27e35cc0.z1.hashicorp.cloud:8200/",
       "auth_method": "ldap",
       "username": "[email protected]",
       "password": "PWd4Doe",
       "auth_path": "custom_ldap",
       "project_space": ""
     }
   ]
 }
Next, configure endpoint accounts to connect to the secrets manager.