Blog

Lock Down Your Network with Traefik Enterprise and Vault

Every organization has secrets. Likewise, every application and service must manage sensitive information – such as usernames and passwords, license keys, database credentials, and so on – that should be kept away from prying eyes.

Among the most important secrets that modern apps must maintain are the TLS certificates that make encrypted HTTPS communications possible. The good news for Traefik Enterprise users is that handling these secrets is now easier than ever, thanks to support for Vault in Traefik Enterprise 2.3.

Vault is an open source tool developed and maintained by HashiCorp that provides a secure and encrypted central data store for secrets. Traefik Enterprise 2.3 can use Vault for certificate management in two ways. First, it can use Vault as a key-value store for certificates. Second, it can enlist Vault as a certificate resolver, allowing it to dynamically generate certificates on the fly. Let’s examine both use cases.

Using Vault as a Key-Value Store for Certificates

Traefik has long been able to discover and connect with a variety of key-value stores, such as Consul, etcd, and ZooKeeper. The Vault provider for Traefik Enterprise 2.3 and later can connect to Vault in a similar way, using it as a key-value store for storing and retrieving TLS certificates.

The first step is to setup the Vault secrets engine for use with Traefik Enterprise. As of now, Traefik Enterprise supports the KV Secrets Engine – Version 2, which is currently the default and is easily enabled from the command line. It’s a good idea to use a dedicated KV store for TLS certificates, and bear in mind that all certificates must be base64-encoded and stored in the root of the KV secrets engine.

From there, it’s a straightforward matter of enabling the Vault Provider in Traefik Enterprise’s static configuration. This takes just a few lines of code, and a typical example (in YAML) might look like this:

providers:
  plugin:
    vault:
      url: "http://127.0.0.1:8200"
      token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
      enginePath: "secret"
      syncInterval: "5s"
      rescanInterval: "60s"

This snippet points to the URL of the Vault server and supplies the token that’s needed to authenticate with it. (The Vault Provider only supports token authentication at this time.) It also specifies how often the provider will pull data from the Vault KV store.

That’s it! Once configured, Traefik Enterprise will detect certificates in the store to serve them. And, as usual for Traefik Enterprise, the configuration refreshes automatically whenever you insert or delete certificates from the Vault store.

If you’d like to learn more about how to setup and configure the Vault Provider for Traefik Enterprise, check out the documentation.

Using Vault as a Certificate Resolver for PKI

Experienced Traefik users will be familiar with its support for automatic certificate generation using the ACME protocol and compatible service providers, such as Let’s Encrypt. Traefik Enterprise 2.3 adds a new, additional means of automating certificate generation in the form of support for Vault Public Key Infrastructure (PKI).

The Vault PKI secrets engine includes built-in authentication and authorization functions that make it possible to generate certificates on the fly, without getting bogged down in the traditional, manual process of generating keys and submitting to a certificate authority (CA).

This automation is especially valuable in dynamic, microservices-based environments, where services tend to be short-lived and container instances are rapidly created and destroyed, according to demand.

Setting up Vault as a certificate resolver is almost as easy as configuring the Vault Provider, as discussed earlier. Once Vault is installed with the PKI secrets engine enabled, configuring the feature requires adding just a few lines to Traefik Enterprise’s static configuration. For example:

certificatesResolvers:
  resolverName:
	vault:
  	url: "http://127.0.0.1:8200"
  	token: "s.CUDDqqjiIFXF60KVSeJOxeb5" # Your Vault auth token goes here
  	enginePath: "pki"
  	role: "vault-role"

Once the certificate resolver is configured, assigning it to routes in Traefik Enterprise will trigger Vault to generate certificates for requests that match the appropriate patterns. To read more about how this works, consult the documentation. There’s also a handy user guide available that walks through the process of deploying a simple TLS-enabled service with Vault on Kubernetes.

Get Secure with Traefik Enterprise

Traefik Labs is pleased to offer support for Vault in Traefik Enterprise as further proof of our commitment to provide best-of-breed features that security-conscious enterprises demand. Using Vault to manage secrets is a step forward in securing your network; using Vault with Traefik Enterprise makes taking that step even easier. If you’d like to learn more about these and other advanced features of Traefik Enterprise, the best way is to try them out for yourself. Sign up for a 30-day free trial and explore how Traefik Enterprise can help make your infrastructure more nimble, reliable, and secure.