Configure Orchestrate Key Manager
Follow these steps to configure and connect to Key Manager dependencies:
- Configure HashiCorp Vault (mandatory)
- Configure monitoring (optional) to improve the development experience and debugging.
In addition to these dependencies, Key Manager must be configured to define how the service is exposed and which Key Vault technology it uses (currently only HashiCorp Vault is supported).
Tip
Configure each microservice using microservice-specific environment variables. Command line options are also available and take precedence over environment variables.
Configuration
| Environment Variable | Command line option | Description | Default |
|---|---|---|---|
| KEY_MANAGER_TYPE | key-manager-type | Vault technology to use. Currently only supports hashicorp-vault | hashicorp-vault |
| REST_HOSTNAME | rest-hostname | Hostname to expose REST services | |
| REST_PORT | rest-port | Port to expose REST services | 8081 |
CLI options
See the complete list of command line options for the Key Manager:
Run options
Usage:
orchestrate key-manager run [flags]
Flags:
-h, --help help for run
--key-manager-type string Type of Key Manager Vault (one of ["hashicorp-vault" "azure-key-vault" "ukc-key-vault"])
Environment variable: "KEY_MANAGER_TYPE" (default "hashicorp-vault")
--metrics-modules strings List of metrics modules to exposed by prometheus endpoint. Available metric modules are ["http" "tcp" "go" "process" "healthz"], to enable all use ENABLED or to disable all DISABLED.
Environment variable: "METRICS_MODULES" (default [ENABLED])
--rest-hostname string Hostname to expose REST services
Environment variable: "REST_HOSTNAME"
--rest-port uint Port to expose REST services
Environment variable: "REST_PORT" (default 8081)
--vault-addr string Hashicorp URL of the remote hashicorp vault
Environment variable: "VAULT_ADDR" (default "https://127.0.0.1:8200")
--vault-burst-limit int Hashicorp query burst limit
Environment variable: "VAULT_RATE_LIMIT"
--vault-cacert string Hashicorp CA certificate
Environment variable: "VAULT_CACERT"
--vault-capath string Path toward the CA certificate
Environment variable: "VAULT_CAPATH"
--vault-client-cert string Certificate of the client
Environment variable: "VAULT_CLIENT_CERT"
--vault-client-key string Hashicorp client key
Environment variable: "VAULT_CLIENT_KEY"
--vault-client-timeout duration Hashicorp clean timeout of the client
Environment variable: "VAULT_CLIENT_TIMEOUT" (default 1m0s)
--vault-max-retries int Hashicorp max retry for a request
Environment variable: "VAULT_MAX_RETRIES"
--vault-mount-point string Specifies the mount point used. Should not start with a //
Environment variable: "VAULT_MOUNT_POINT" (default "orchestrate")
--vault-rate-limit float Hashicorp query rate limit
Environment variable: "VAULT_RATE_LIMIT"
--vault-skip-verify Hashicorp skip verification
Environment variable: "VAULT_SKIP_VERIFY"
--vault-tls-server-name string Hashicorp TLS server name
Environment variable: "VAULT_TLS_SERVER_NAME"
--vault-token-file string Specifies the token file path.
Parameter ignored if the token has been passed by VAULT_TOKEN
Environment variable: "VAULT_TOKEN_FILE" (default "/vault/token/.vault-token")
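As an added example (not Orchestrate's own code), the following POSIX sh pre-flight check reads the Vault variables listed above and refuses to launch the Key Manager with a plain-http Vault address, TLS verification disabled, an unreadable CA file, or no usable token source. The vault hostname and file paths in it are constructed, and the leading-slash check on the mount point is a stricter reading of the `--vault-mount-point` help text.

```shell
#!/bin/sh
# Pre-flight check for the Key Manager environment documented on this page.
# Added example, not part of Orchestrate. Uses only the variables the page lists
# and falls back to the page's documented defaults. Returns 0 when safe, 1 otherwise.
key_manager_preflight() {
  km_addr="${VAULT_ADDR:-https://127.0.0.1:8200}"                 # page default
  km_token_file="${VAULT_TOKEN_FILE:-/vault/token/.vault-token}"  # page default
  km_mount="${VAULT_MOUNT_POINT:-orchestrate}"                    # page default
  km_ok=0

  # Vault traffic carries signing keys and tokens; require TLS on the wire.
  case "$km_addr" in
    https://*) ;;
    *) echo "VAULT_ADDR must use https (got: $km_addr)" >&2; km_ok=1 ;;
  esac

  # VAULT_SKIP_VERIFY lets any host impersonate Vault; pin a CA instead.
  case "${VAULT_SKIP_VERIFY:-}" in
    true|TRUE|True|1)
      echo "VAULT_SKIP_VERIFY is set; unset it and point VAULT_CACERT at the Vault CA" >&2
      km_ok=1 ;;
  esac

  # A CA path that cannot be read would fail at connect time; catch it early.
  if [ -n "${VAULT_CACERT:-}" ] && [ ! -r "$VAULT_CACERT" ]; then
    echo "VAULT_CACERT is not readable: $VAULT_CACERT" >&2; km_ok=1
  fi

  # Help text says the mount point must not start with a slash (assumption: any).
  case "$km_mount" in
    /*) echo "VAULT_MOUNT_POINT must not start with '/' (got: $km_mount)" >&2; km_ok=1 ;;
  esac

  # The token file is only consulted when VAULT_TOKEN is absent (--vault-token-file).
  if [ -z "${VAULT_TOKEN:-}" ] && [ ! -r "$km_token_file" ]; then
    echo "no VAULT_TOKEN and token file is missing: $km_token_file" >&2; km_ok=1
  fi

  return "$km_ok"
}

# Usage: run the check first, then start the service with the same environment.
# key_manager_preflight && orchestrate key-manager run
```

Run it from the same shell or container entrypoint that launches `orchestrate key-manager run`, so the variables it inspects are exactly the ones the service will receive.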
Migration options
Usage:
orchestrate key-manager migrate [command]
Available Commands:
import-secrets Import secrets store in old Hashicorp vault
Flags:
-h, --help Help for migrat