You are reading Codefi Orchestrate development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Configure Orchestrate Key Manager

Follow these steps to configure and connect to Key Manager dependencies:

  1. Configure HashiCorp Vault (mandatory)
  2. Configure monitoring (optional) to improve the development experience and debugging.

In addition to the dependencies, Key Manager needs to be configured to define how the service is exposed and which Key Vault technology it uses (currently only HashiCorp Vault is supported).

Tip

Configure each microservice using microservice-specific environment variables. Command line options are also available and take precedence over environment variables.

Configuration

Environment Variable   Command line option   Description                                                        Default
KEY_MANAGER_TYPE       key-manager-type      Vault technology to use. Currently only supports hashicorp-vault   hashicorp-vault
REST_HOSTNAME          rest-hostname         Hostname to expose REST services
REST_PORT              rest-port             Port to expose REST services                                       8081

CLI options

See the complete list of command line options for the Key Manager:

Run options

Usage:
  orchestrate key-manager run [flags]

Flags:
  -h, --help                            help for run
      --key-manager-type string         Type of Key Manager Vault (one of ["hashicorp-vault" "azure-key-vault" "ukc-key-vault"])
                                        Environment variable: "KEY_MANAGER_TYPE" (default "hashicorp-vault")
      --metrics-modules strings         List of metrics modules to exposed by prometheus endpoint. Available metric modules are ["http" "tcp" "go" "process" "healthz"], to enable all use ENABLED or to disable all DISABLED.
                                        Environment variable: "METRICS_MODULES" (default [ENABLED])
      --rest-hostname string            Hostname to expose REST services
                                        Environment variable: "REST_HOSTNAME"
      --rest-port uint                  Port to expose REST services
                                        Environment variable: "REST_PORT" (default 8081)
      --vault-addr string               Hashicorp URL of the remote hashicorp vault
                                        Environment variable: "VAULT_ADDR" (default "https://127.0.0.1:8200")
      --vault-burst-limit int           Hashicorp query burst limit
                                        Environment variable: "VAULT_RATE_LIMIT"
      --vault-cacert string             Hashicorp CA certificate
                                        Environment variable: "VAULT_CACERT"
      --vault-capath string             Path toward the CA certificate
                                        Environment variable: "VAULT_CAPATH"
      --vault-client-cert string        Certificate of the client
                                        Environment variable: "VAULT_CLIENT_CERT"
      --vault-client-key string         Hashicorp client key
                                        Environment variable: "VAULT_CLIENT_KEY"
      --vault-client-timeout duration   Hashicorp clean timeout of the client
                                        Environment variable: "VAULT_CLIENT_TIMEOUT" (default 1m0s)
      --vault-max-retries int           Hashicorp max retry for a request
                                        Environment variable: "VAULT_MAX_RETRIES"
      --vault-mount-point string        Specifies the mount point used. Should not start with a //
                                        Environment variable: "VAULT_MOUNT_POINT"  (default "orchestrate")
      --vault-rate-limit float          Hashicorp query rate limit
                                        Environment variable: "VAULT_RATE_LIMIT"
      --vault-skip-verify               Hashicorp skip verification
                                        Environment variable: "VAULT_SKIP_VERIFY"
      --vault-tls-server-name string    Hashicorp TLS server name
                                        Environment variable: "VAULT_TLS_SERVER_NAME"
      --vault-token-file string         Specifies the token file path.
                                        Parameter ignored if the token has been passed by VAULT_TOKEN
                                        Environment variable: "VAULT_TOKEN_FILE"  (default "/vault/token/.vault-token")
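As an added example that is not part of the Orchestrate project, the bash function below lints the Key Manager environment against the rules stated in the run help above (supported vault types, mount point not starting with "/", VAULT_TOKEN taking precedence over VAULT_TOKEN_FILE) and flags settings that weaken the Vault connection before the service is started; the function name and the failure messages are my own.

```bash
#!/usr/bin/env bash
# Added example (not Orchestrate code): pre-flight check of Key Manager settings.
# Defaults mirror the ones printed by `orchestrate key-manager run --help`.
# Returns the number of problems found (0 = configuration looks sane).
check_key_manager_env() {
  local problems=0
  local kind="${KEY_MANAGER_TYPE:-hashicorp-vault}"
  local port="${REST_PORT:-8081}"
  local mount="${VAULT_MOUNT_POINT:-orchestrate}"
  local addr="${VAULT_ADDR:-https://127.0.0.1:8200}"

  # KEY_MANAGER_TYPE must be one of the values listed in the help text.
  case "$kind" in
    hashicorp-vault|azure-key-vault|ukc-key-vault) ;;
    *) echo "KEY_MANAGER_TYPE=$kind is not a supported vault type"; problems=$((problems+1)) ;;
  esac

  # REST_PORT is a uint flag; anything non-numeric is rejected at startup.
  case "$port" in
    ''|*[!0-9]*) echo "REST_PORT=$port is not a number"; problems=$((problems+1)) ;;
  esac

  # The help text says the mount point must not start with a slash.
  case "$mount" in
    /*) echo "VAULT_MOUNT_POINT=$mount must not start with /"; problems=$((problems+1)) ;;
  esac

  # A plain-http Vault address would send the Vault token in clear text.
  case "$addr" in
    https://*) ;;
    *) echo "VAULT_ADDR=$addr is not https"; problems=$((problems+1)) ;;
  esac

  # Skipping certificate verification leaves the Vault connection open to MITM.
  case "${VAULT_SKIP_VERIFY:-false}" in
    true|TRUE|1) echo "VAULT_SKIP_VERIFY is set: Vault server certificate is not verified"; problems=$((problems+1)) ;;
  esac

  # VAULT_TOKEN wins over VAULT_TOKEN_FILE; with neither, the token file must be readable.
  if [ -z "${VAULT_TOKEN:-}" ] && [ ! -r "${VAULT_TOKEN_FILE:-/vault/token/.vault-token}" ]; then
    echo "no VAULT_TOKEN set and token file is not readable"; problems=$((problems+1))
  fi

  return "$problems"
}
```

Run it in the same shell session that will launch the service, for example `check_key_manager_env && orchestrate key-manager run`.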

Migration options

Usage:
  orchestrate key-manager migrate [command]

Available Commands:
  import-secrets              Import secrets store in old Hashicorp vault

Flags:
  -h, --help                  Help for migrat