This section contains information on the secret component for the Vela server.

This component is optional and is responsible for integrating with an external secret system based off the configuration provided.

The secret system is used by Vela for storing sensitive application data at rest.

By default, Vela will use the database to store the sensitive data if no other secret system is configured.


The following options are used to configure the component:

NameDescriptionRequiredDefaultEnvironment Variables
secret.vault.addrfully qualified url to the HashiCorp Vault instancetrueN/ASECRET_VAULT_ADDR
secret.vault.auth-methodauthentication method used to obtain token from the HashiCorp Vault instancefalseN/ASECRET_VAULT_AUTH_METHOD
VELA_SECRET_VAULT_AUTH_METHOD Vault role used to connect to the auth/aws/login endpointfalseN/ASECRET_VAULT_AWS_ROLE
secret.vault.driverenables HashiCorp Vault as a secret enginetruefalseSECRET_VAULT
secret.vault.prefixprefix for k/v secrets in the HashiCorp Vault instancefalseN/ASECRET_VAULT_PREFIX
secret.vault.renewalfrequency to renew the token for the HashiCorp Vault instancefalse30mSECRET_VAULT_RENEWAL
secret.vault.tokentoken required to access the HashiCorp Vault instancetrueN/ASECRET_VAULT_TOKEN
secret.vault.versionversion for the k/v backend for the HashiCorp Vault instancetrue2SECRET_VAULT_VERSION


The following drivers are available to configure the component:

vaultuses a HashiCorp Vault instance for storing sensitive data at rest

HashiCorp Vault

From the HashiCorp Vault official website:

HashiCorp Vault enables you to secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

The below configuration displays an example of starting the Vela server that will connect to a HashiCorp Vault instance:

$ docker run \
  --detach=true \
  --env=VELA_ADDR= \
  --env=VELA_DATABASE_ENCRYPTION_KEY=<encryption-key> \
  --env=VELA_QUEUE_DRIVER=redis \
  --env=VELA_QUEUE_ADDR=redis://<password>@<hostname>:<port>/<database> \
  --env=VELA_PORT=443 \
  --env=VELA_SECRET=<shared-secret> \
  --env=VELA_SERVER_PRIVATE_KEY=<private_key> \
+ --env=VELA_SECRET_VAULT=true \
+ --env=VELA_SECRET_VAULT_TOKEN=<vault-token>
  --env=VELA_SCM_CLIENT=<oauth-client-id> \
  --env=VELA_SCM_SECRET=<oauth-client-secret> \
  --env=VELA_WEBUI_ADDR= \
  --name=server \
  --publish=80:80 \
  --publish=443:443 \
  --restart=always \