Beginning with ClusterControl 1.8.0, it is possible to integrate HashiCorp’s Vault for storing credentials used in ClusterControl. When the controller starts up, it will connect to the Vault server and load the credentials.
Check out this blog post, ClusterControl’s Vault Integration Adds Dynamic Data Security Protections on example configuration on ClusterControl with HashiCorp Vault.
The following is required in order to use the Vault Integration:
- A running Vault Server. It must be reachable from the Controller. This has been tested with Vault v1.4.3.
- ClusterControl version 1.8.0 or later.
The controller must be configured to use Vault. The following parameters are set in
/etc/cmon.cnf (do not set in
/etc/cmon.cnffile is not modified.
The Vault integration feature is enabled as soon as the
vault_token configuration parameter is set. At this stage, provided there is a Vault server listening on the
vault_addr, then any new cluster that is created will store its credentials in Vault.
Credentials of existing clusters are not affected until
vault_auto_migrate have been enabled.
Since the Vault settings are applied to
/etc/cmon.cnf, then these are global for all clusters. Hence, it is not possible to migrate one cluster at a time.
Reverting the Vault integration
Should you want to revert this process, you should follow these steps:
- Get all the keys and values from the Vault for all of the clusters.
- Stop cmon process.
- Remove Vault configuration from
- Add the keys and values you extracted from the Vault into respective configuration files in
/etc/cmon.d. You can use the backup copy of the configuration from before Vault has been used but please keep in mind that some additional passwords might have been added in the meantime – double-check that your old configuration files contain all the data that is stored in the Vault.
- In this version, ClusterControl only supports the KV v2 secrets engine in Vault.
- Currently, the Controller must be restarted to re-read credentials from Vault.
- Updating a credential in Vault will not change the underlying credential on the database node. Thus, when changing a password, then the account must be updated on the database node(s).
- Not been tested with CMON HA.
- The cmon-events, cmon-cloud, cmon-ssh services have not been migrated to use Vault yet. Hence the passwords are still present in
/etc/cmon.cnf. You can ensure that the config files used by these services are reconfigured and then drop the passwords completely from