HashiCorp Cloud Platform
Deploy Vault Radar Agent(s)
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
The following environment variables will need to be set in order for the agent to run and connect to HCP successfully:
It is recommended to deploy the Agent using Kubernetes. A sample manifest is included alongside the releases. An example deployment for the Agent may look something like this:
---
apiVersion: v1
kind: Namespace
metadata:
  name: vault-radar
  labels:
    app: vault-radar-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
---
# Note: This cluster role binding is only required if you are using the Kubernetes auth method for Vault indexing feature.
# It is needed for Vault to be able to review the Kubernetes service account token and authenticate the Agent.
# See https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuring-kubernetes
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
#   name: vault-radar-agent
# roleRef:
#   apiGroup: rbac.authorization.k8s.io
#   kind: ClusterRole
#   name: system:auth-delegator
# subjects:
#   - kind: ServiceAccount
#     name: vault-radar-agent
#     namespace: vault-radar
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-radar-secrets
  namespace: vault-radar
  labels:
    app: vault-radar-agent
type: Opaque
data:
  HCP_CLIENT_SECRET: <Base64 Encoded HCP_CLIENT_SECRET>
  VAULT_RADAR_GIT_TOKEN: <Base64 Encoded VAULT_RADAR_GIT_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
spec:
  replicas: 2
  selector:
    matchLabels:
      app: vault-radar-agent
  template:
    metadata:
      labels:
        app: vault-radar-agent
    spec:
      serviceAccountName: vault-radar-agent
      automountServiceAccountToken: true
      containers:
        - name: vault-radar-agent
          image: docker.io/hashicorp/vault-radar:latest
          command: ["vault-radar"]
          args: ["agent", "exec"]
          imagePullPolicy: Always
          tty: true
          resources:
            limits:
              cpu: 1000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 512Mi
          env:
            - name: HCP_PROJECT_ID
              value: <HCP_PROJECT_ID>
            - name: HCP_RADAR_AGENT_POOL_ID
              value: <HCP_RADAR_AGENT_POOL_ID>
            - name: HCP_CLIENT_ID
              value: <HCP_CLIENT_ID>
            - name: HCP_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: HCP_CLIENT_SECRET
            - name: VAULT_RADAR_GIT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: VAULT_RADAR_GIT_TOKEN
The example manifest uses Kubernetes Secrets for the sensitive credentials. This requires base64 encoding the values, and the secrets are then loaded as environment variables on the pod(s). There are many ways you can configure the deployment as long as the environment variables vault-radar requires are set on the pod(s).
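One way to produce the Secret from the example manifest without the most common encoding mistake (an added example, not part of HashiCorp's documentation): `echo value | base64` encodes a trailing newline, which then becomes part of the environment variable on the pod. The function names `b64`, `ends_with_newline`, `render_secret` and `check_secret_data` are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: render and check the vault-radar-secrets Secret.

# Encode a value exactly as given: printf adds no newline, tr removes line wraps.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# True when a base64 string decodes to bytes ending in LF or CR,
# the usual result of `echo value | base64`.
ends_with_newline() {
  last=$(printf '%s' "$1" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Print the Secret manifest. $1 = HCP client secret, $2 = Git token.
render_secret() {
  [ -n "$1" ] && [ -n "$2" ] || { echo "usage: render_secret <secret> <token>" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-radar-secrets
  namespace: vault-radar
type: Opaque
data:
  HCP_CLIENT_SECRET: $(b64 "$1")
  VAULT_RADAR_GIT_TOKEN: $(b64 "$2")
EOF
}

# Read a Secret manifest on stdin and report keys whose values would not
# reach the pod intact. Returns 1 if any key is reported.
check_secret_data() {
  manifest=$(cat)
  rc=0
  for key in HCP_CLIENT_SECRET VAULT_RADAR_GIT_TOKEN; do
    val=$(printf '%s\n' "$manifest" | sed -n "s/^ *$key: *//p")
    if [ -z "$val" ]; then
      echo "$key: missing"; rc=1
    elif ! printf '%s' "$val" | base64 -d >/dev/null 2>&1; then
      echo "$key: not valid base64"; rc=1
    elif ends_with_newline "$val"; then
      echo "$key: decodes with a trailing newline"; rc=1
    fi
  done
  return $rc
}

# Demo with constructed values (not real credentials).
render_secret 'example-client-secret' 'example-git-token' | check_secret_data && echo "manifest OK"
```

The output of `render_secret` can be piped straight to `kubectl apply -f -`, which avoids writing the encoded credentials to a file.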
When deployed, each pod will output logs to STDOUT. You can tail the logs as you would any other Kubernetes pod using the kubectl command:
$ kubectl logs <pod name> -f