Skip to main content

Deploying a self-hosted secret manager

Blink enables seamless integration with a vault established within a customer's personalized environment, guaranteeing secure management of connections within their controlled setting. It's important to note that Blink refrains from storing any confidential data, as it is exclusively maintained within the designated secret manager.

To configure a self-hosted vault secret manager you need to start a self-hosted runner with additional configuration, including the vault URL and root token.

  1. Create a new runner in your workspace.

runner

  1. Make sure you can access the vault server using vault URL and root token. Inside vault ensure that there is a secret engine (type kv mounted on path /secret). If it does not exist, define it in the vault UI by clicking Enable new engine.

runner

  1. Set new runner group as default for workspace. On the Runners page, click ThreeDots > Set as default. OR Select the checkbox Set as default in Add new runner group.

runner

  1. To proceed, click on the Continue button located in the bottom-right corner. This will prompt the opening of a dialogue box where you can access the command required to install the Runner in your environment. Simply copy this command to your clipboard by clicking on the icon positioned in the top-right corner.
  1. Edit the command to add the environment variables: VAULT_URL and VAULT_ROOT_TOKEN.

Docker example command:

docker run -d --name blink-runner -e VAULT_URL=<Vault URL> -e VAULT_ROOT_TOKEN=<Vault root token> -e CTRL_URL="https://app.blinkops.com" -e BLINK_RUNNER_CONFIG=/blink/config.yml --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --add-host "host.docker.internal:host-gateway" blinkops/blink-runner: ./blink-runner -auth <API_KEY>

Kubernetes command example:

helm install -n blink --create-namespace --set image.tag=2.3.220823-130R --set secret.appKey=<Secret key> --set config.runner.ctrl_url=https://app.blinkops.com --set env.VAULT_URL=<Vault URL> --set env.VAULT_ROOT_TOKEN=<Vault root token>  blink-runner oci://public.ecr.aws/x9s7x6t7/blink-runner
info

When using the CloudFormation template, make sure to provide the OnPremVaultUrl and OnPremVaultRootToken parameters.

  1. Refresh the Runners page to ensure the runner has started successfully.

runner

note

The default workspace runner determines the storage location for new workspace connections. If the runner is configured with a self-hosted secret manager, the connections will be stored there. In the absence of a connected secret manager, the connections will be stored in Blink's secret manager.

  1. To verify where the connection is being stored look at the secret manager name below the connection name on the Connections page.

runner

blink_cloud_sm indicates Blink's secret manager. Anything else indicates customer's self hosted secret manager.