From e588623ebd3b948433a9087bfa8baaf0aa8ac83b Mon Sep 17 00:00:00 2001 From: Irena Rindos Date: Thu, 15 Sep 2022 13:18:22 -0400 Subject: [PATCH] docs(vault): add Vault worker filter documentation (#2404) * docs(vault): add Vault worker filter documentation --- .../domain-model/credential-stores.mdx | 18 ++++++++--- .../docs/concepts/filtering/worker-tags.mdx | 31 ++++++++++++++----- 2 files changed, 38 insertions(+), 11 deletions(-) diff --git a/website/content/docs/concepts/domain-model/credential-stores.mdx b/website/content/docs/concepts/domain-model/credential-stores.mdx index dedcd8c70a..d15bc95482 100644 --- a/website/content/docs/concepts/domain-model/credential-stores.mdx +++ b/website/content/docs/concepts/domain-model/credential-stores.mdx @@ -58,6 +58,14 @@ A Vault credential store has the following additional attributes: - `namespace` - (optional) A Vault [namespace][]. Requires Vault Enterprise. +- `worker_filter` HCP Only - (optional) + A [filter] used to control which [PKI workers] can handle Vault requests. + This allows the use of private Vault instances with Boundary. PKI workers + deployed in the same network as a private Vault instance can access and relay + Vault requests to Boundary controllers. + ~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it + will perform the Vault calls needed to set up the credential store with Boundary. + ### Static Credential Store Attributes A static credential store has no type-specific attributes. @@ -161,6 +169,10 @@ $ curl https://boundaryproject.io/data/vault/boundary-controller-policy.hcl -O - $ vault policy write boundary-controller boundary-controller-policy.hcl ``` +### Static Credential Store + +A static credential store allows user-supplied credentials to be managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`. + [token_requirements]: /docs/concepts/domain-model/credential-stores#vault-token-requirements [token_policy]: /docs/concepts/domain-model/credential-stores#vault-boundary-controller-policy [vault]: https://www.vaultproject.io @@ -168,7 +180,5 @@ $ vault policy write boundary-controller boundary-controller-policy.hcl [renewable]: https://www.vaultproject.io/api-docs/auth/token#renewable-1 [periodic]: https://www.vaultproject.io/api-docs/auth/token#token_period [orphan]: https://www.vaultproject.io/api-docs/auth/token#orphan - -### Static Credential Store - -A Static credential store allows for a user-supplied credentials managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`. +[PKI workers]: /docs/configuration/worker/pki-worker +[filter]: /docs/concepts/filtering/worker-tags diff --git a/website/content/docs/concepts/filtering/worker-tags.mdx b/website/content/docs/concepts/filtering/worker-tags.mdx index 88266019db..2af2cd4874 100644 --- a/website/content/docs/concepts/filtering/worker-tags.mdx +++ b/website/content/docs/concepts/filtering/worker-tags.mdx @@ -2,11 +2,11 @@ layout: docs page_title: Filtering - Worker Tags description: |- - How to use worker tags to control which workers can handle a given target. + How to use worker tags to control which workers can handle a given resource. --- This page describes how to use worker tags and filters to control which workers -are allowed to handle a given target. This can be used to control traffic +are allowed to handle a given resource. This can be used to control traffic locality. As an example, this can be used to ensure that traffic going into a public cloud is only handled by workers running within that same cloud. @@ -100,11 +100,7 @@ array with the tags intended for the particular key is required: ["prod", "webservers"] ``` -# Target Worker Filtering - -Once workers have tags, it is possible to use these tags to control which -workers are allowed to handle a given session by specifying a `worker_filter` -attribute when configuring [targets](/docs/concepts/domain-model/targets). +# Worker Filtering As filters operate on JSON Pointer selectors, the values that are input into the filter come from the JSON representation of the values in the configuration file @@ -137,3 +133,24 @@ Following are some examples of using these values in filters: know that you have only one value, an equivalent would be `"/tags/region/0" == "us-east-1"`. - Grouping: `("us-east-1" in "/tags/region" and "/name" == "web-prod-us-east-1") or "webservers" in "/tags/type"` + +# Target Worker Filtering + +Once workers have tags, these tags may be used to control which +workers are allowed to manage a given session by specifying a `worker_filter` +attribute when configuring [targets](/docs/concepts/domain-model/targets). + + +# Vault Worker Filtering HCP Only +Tags are used to control which [PKI workers] can manage Vault requests by specifying +a `worker_filter`attribute when configuring [credential stores]. + +This allows the use of private Vault instances with Boundary. PKI workers +deployed in the same network as a private Vault instance can access and relay +Vault requests to Boundary controllers. + + ~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it + will perform the Vault calls needed to set up the credential store with Boundary. + +[PKI workers]: /docs/configuration/worker/pki-worker +[credential stores]: /docs/concepts/domain-model/credential-stores#vault-credential-store-attributes