Deploy Vault Radar Agent(s)
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
The following environment variables will need to be set in order for the agent to run and connect to HCP successfully:
It is recommended to deploy the Agent using Kubernetes. A sample manifest is included alongside the releases. An example deployment for the Agent may look something like this:
---
apiVersion: v1
kind: Namespace
metadata:
  name: vault-radar
  labels:
    app: vault-radar-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
---
# Note: This cluster role binding is only required if you are using the Kubernetes auth method for Vault indexing feature.
# It is needed for Vault to be able to review the Kubernetes service account token and authenticate the Agent.
# See https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuring-kubernetes
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
#   name: vault-radar-agent
# roleRef:
#   apiGroup: rbac.authorization.k8s.io
#   kind: ClusterRole
#   name: system:auth-delegator
# subjects:
#   - kind: ServiceAccount
#     name: vault-radar-agent
#     namespace: vault-radar
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-radar-secrets
  namespace: vault-radar
  labels:
    app: vault-radar-agent
type: Opaque
data:
  HCP_CLIENT_SECRET: <Base64 Encoded HCP_CLIENT_SECRET>
  VAULT_RADAR_GIT_TOKEN: <Base64 Encoded VAULT_RADAR_GIT_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
spec:
  replicas: 2
  selector:
    matchLabels:
      app: vault-radar-agent
  template:
    metadata:
      labels:
        app: vault-radar-agent
    spec:
      serviceAccountName: vault-radar-agent
      automountServiceAccountToken: true
      containers:
        - name: vault-radar-agent
          image: docker.io/hashicorp/vault-radar:latest
          command: ["vault-radar"]
          args: ["agent", "exec"]
          imagePullPolicy: Always
          tty: true
          resources:
            limits:
              cpu: 1000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 512Mi
          env:
            - name: HCP_PROJECT_ID
              value: <HCP_PROJECT_ID>
            - name: HCP_RADAR_AGENT_POOL_ID
              value: <HCP_RADAR_AGENT_POOL_ID>
            - name: HCP_CLIENT_ID
              value: <HCP_CLIENT_ID>
            - name: HCP_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: HCP_CLIENT_SECRET
            - name: VAULT_RADAR_GIT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: VAULT_RADAR_GIT_TOKEN
The example manifest uses Kubernetes Secrets for the sensitive credentials. This requires base64 encoding the values, and the secrets are then loaded as environment variables on the pod(s). There are many ways you can configure the deployment, as long as the environment variables vault-radar requires are set on the pod(s).
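One way to produce the base64 values for the vault-radar-secrets Secret shown above, as an added example that is not part of the original documentation. The function names are hypothetical; the script assumes HCP_CLIENT_SECRET and VAULT_RADAR_GIT_TOKEN are already set in the shell and that a base64 utility is installed.

```shell
#!/bin/sh
# Added example (not from the Vault Radar docs): render the vault-radar-secrets
# manifest from HCP_CLIENT_SECRET and VAULT_RADAR_GIT_TOKEN in the environment.

# Encode a value for a Secret's "data:" field.
# printf '%s' avoids the trailing newline that echo appends (it would become
# part of the credential); tr removes the line wrapping GNU base64 inserts
# every 76 characters, which would otherwise break the YAML value.
b64_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a "data:" value back to plain text to verify the round trip.
b64_decode() {
  printf '%s' "$1" | base64 --decode
}

# Print the Secret manifest on stdout; return 1 if a credential is missing.
render_radar_secret() {
  if [ -z "${HCP_CLIENT_SECRET:-}" ] || [ -z "${VAULT_RADAR_GIT_TOKEN:-}" ]; then
    echo "error: HCP_CLIENT_SECRET and VAULT_RADAR_GIT_TOKEN must be set" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-radar-secrets
  namespace: vault-radar
  labels:
    app: vault-radar-agent
type: Opaque
data:
  HCP_CLIENT_SECRET: $(b64_value "$HCP_CLIENT_SECRET")
  VAULT_RADAR_GIT_TOKEN: $(b64_value "$VAULT_RADAR_GIT_TOKEN")
EOF
}

# Usage (credentials already set in the shell):
#   render_radar_secret | kubectl apply -f -
```

Piping the output straight to kubectl apply keeps the plaintext credentials out of files on disk. The base64 step is an encoding required by the Secret format, not encryption.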
When deployed, each pod will output logs to STDOUT. You can tail the logs as you would any other Kubernetes pod using the kubectl command:
$ kubectl logs <pod name> -f