aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

docs(vault): add Vault worker filter documentation (#2404)

Browse Source 
* docs(vault): add Vault worker filter documentation
pull/2461/head
Irena Rindos 4 years ago committed by GitHub
parent 06370867c7
commit e588623ebd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 11 deletions
Show Stats Download Patch File Download Diff File

18
website/content/docs/concepts/domain-model/credential-stores.mdx
Unescape View File

@ -58,6 +58,14 @@ A Vault credential store has the following additional attributes:
- `namespace` - (optional)
A Vault [namespace][]. Requires Vault Enterprise.
- `worker_filter` <sup>HCP Only</sup> - (optional)
A [filter] used to control which [PKI workers] can handle Vault requests.
This allows the use of private Vault instances with Boundary. PKI workers
deployed in the same network as a private Vault instance can access and relay
Vault requests to Boundary controllers.
~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it
will perform the Vault calls needed to set up the credential store with Boundary.
### Static Credential Store Attributes
A static credential store has no type-specific attributes.
@ -161,6 +169,10 @@ $ curl https://boundaryproject.io/data/vault/boundary-controller-policy.hcl -O -
$ vault policy write boundary-controller boundary-controller-policy.hcl
```
### Static Credential Store
A static credential store allows user-supplied credentials to be managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`.
[token_requirements]: /docs/concepts/domain-model/credential-stores#vault-token-requirements
[token_policy]: /docs/concepts/domain-model/credential-stores#vault-boundary-controller-policy
[vault]: https://www.vaultproject.io
@ -168,7 +180,5 @@ $ vault policy write boundary-controller boundary-controller-policy.hcl
[renewable]: https://www.vaultproject.io/api-docs/auth/token#renewable-1
[periodic]: https://www.vaultproject.io/api-docs/auth/token#token_period
[orphan]: https://www.vaultproject.io/api-docs/auth/token#orphan
### Static Credential Store
A Static credential store allows for a user-supplied credentials managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`.
[PKI workers]: /docs/configuration/worker/pki-worker
[filter]: /docs/concepts/filtering/worker-tags

31
website/content/docs/concepts/filtering/worker-tags.mdx
Unescape View File

@ -2,11 +2,11 @@
layout: docs
page_title: Filtering - Worker Tags
description: |-
How to use worker tags to control which workers can handle a given target.
How to use worker tags to control which workers can handle a given resource.
---
This page describes how to use worker tags and filters to control which workers
are allowed to handle a given target. This can be used to control traffic
are allowed to handle a given resource. This can be used to control traffic
locality. As an example, this can be used to ensure that traffic going into a
public cloud is only handled by workers running within that same cloud.
@ -100,11 +100,7 @@ array with the tags intended for the particular key is required:
["prod", "webservers"]
```
# Target Worker Filtering
Once workers have tags, it is possible to use these tags to control which
workers are allowed to handle a given session by specifying a `worker_filter`
attribute when configuring [targets](/docs/concepts/domain-model/targets).
# Worker Filtering
As filters operate on JSON Pointer selectors, the values that are input into the
filter come from the JSON representation of the values in the configuration file
@ -137,3 +133,24 @@ Following are some examples of using these values in filters:
know that you have only one value, an equivalent would be `"/tags/region/0" == "us-east-1"`.
- Grouping: `("us-east-1" in "/tags/region" and "/name" == "web-prod-us-east-1") or "webservers" in "/tags/type"`
# Target Worker Filtering
Once workers have tags, these tags may be used to control which
workers are allowed to manage a given session by specifying a `worker_filter`
attribute when configuring [targets](/docs/concepts/domain-model/targets).
# Vault Worker Filtering <sup>HCP Only</sup>
Tags are used to control which [PKI workers] can manage Vault requests by specifying
a `worker_filter`attribute when configuring [credential stores].
This allows the use of private Vault instances with Boundary. PKI workers
deployed in the same network as a private Vault instance can access and relay
Vault requests to Boundary controllers.
~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it
will perform the Vault calls needed to set up the credential store with Boundary.
[PKI workers]: /docs/configuration/worker/pki-worker
[credential stores]: /docs/concepts/domain-model/credential-stores#vault-credential-store-attributes

Write Preview
Loading…
Cancel
Save