Bank-Vaults tries to automate as much as possible for handling TLS certificates.
- The vault-operator automates the creation and renewal of TLS certificates for Vault.
- The vault Helm Chart automates only the creation of TLS certificates for Vault via Sprig.
Both the operator and the chart generate a Kubernetes Secret holding the TLS certificates; this Secret is named ${VAULT_CR_NAME}-tls. For most examples in the Bank-Vaults project repository, the name of the secret is vault-tls.
The Secret data keys are:
- ca.crt
- server.crt
- server.key
Note: The operator doesn’t overwrite this Secret if it already exists, so you can provide this certificate in any other way, for example using cert-manager or by simply placing it there manually.
Operator custom TLS settings
The following attributes influence the TLS settings of the operator. The ca.crt key is mandatory in existingTlsSecretName, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
CANamespaces
The list of namespaces where the generated CA certificate for Vault should be distributed. Use ["*"] for all namespaces.
Default value: []
ExistingTLSSecretName
The name of the secret that contains a TLS server certificate, key, and the corresponding CA certificate. The secret must be in the kubernetes.io/tls type secret keys + ca.crt key format. If the attribute is set, the operator uses the certificate already set in the secret, otherwise it generates a new one.
The ca.crt key is mandatory, otherwise the Bank-Vaults components can’t verify the Vault server certificate.
Default value: ""
TLSAdditionalHosts
A list of hostnames or IP addresses to add to the SAN of the automatically generated TLS certificate.
Default value: []
TLSExpiryThreshold
The expiration threshold of the Vault TLS certificate in Go Duration format.
Default value: 168h
Using the generated custom TLS certificate with vault-operator
To use an existing secret which contains the TLS certificate, define existingTlsSecretName in the Vault custom resource.
Generate custom certificates with CFSSL
If you don’t want to use the certificates generated by Helm or the Bank-Vaults operator, the easiest way to create a custom certificate for Bank-Vaults is using CFSSL.
The https://github.com/banzaicloud/bank-vaults-docs/tree/master/docs/tls directory holds a set of custom CFSSL configurations which are prepared for the Helm release name vault in the default namespace. Of course, you can put any other certificates into the Secret below; this is just an example.
- Install CFSSL.
- Create a CA:
  cfssl genkey -initca csr.json | cfssljson -bare ca
- Create a server certificate:
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server
- Put these certificates (and the server key) into a Kubernetes Secret:
  kubectl create secret generic vault-tls --from-file=ca.crt=ca.pem --from-file=server.crt=server.pem --from-file=server.key=server-key.pem
- Install the Vault instance:
  - With the chart, which uses this certificate:
    helm upgrade --install vault ../charts/vault --set tls.secretName=vault-tls
  - With the operator, create a Vault custom resource and apply it:
    kubectl apply -f vault-cr.yaml
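The pieces described above, worked through in Go as an added example (this is not the operator's or the chart's own code): the SAN list that TLSAdditionalHosts extends, the check that ca.crt is present and that server.crt chains to it (the same check that applies to the ca.pem and server.pem files produced by the CFSSL steps before they go into the Secret), and an expiry test driven by a threshold in Go Duration format like TLSExpiryThreshold. The TLSBundle type and the GenerateBundle, VerifyBundle and NeedsRenewal helpers are hypothetical names introduced for this example; the ECDSA P-256 keys and the self-signed CA are constructed inline so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// TLSBundle holds the three PEM values stored under the Secret keys ca.crt, server.crt and server.key.
type TLSBundle struct{ CACrt, ServerCrt, ServerKey []byte }

// vaultSANs lists the in-cluster names of the Vault service plus any extra entries (the role of
// TLSAdditionalHosts); entries that parse as IP addresses become IP SANs instead of DNS SANs.
func vaultSANs(release, namespace string, additional []string) ([]string, []net.IP) {
	svc := release + "." + namespace
	dns := []string{release, svc, svc + ".svc", svc + ".svc.cluster.local"}
	ips := []net.IP{net.ParseIP("127.0.0.1")}
	for _, h := range additional {
		if ip := net.ParseIP(h); ip != nil {
			ips = append(ips, ip)
		} else {
			dns = append(dns, h)
		}
	}
	return dns, ips
}

// GenerateBundle builds a self-signed CA and a server certificate signed by it (hypothetical helper
// written for this example, not the operator's own generation code).
func GenerateBundle(release, namespace string, additional []string, validity time.Duration) (*TLSBundle, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, errors.New("ECDSA key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-vault-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed CA: the template doubles as its own parent.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	dns, ips := vaultSANs(release, namespace, additional)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: release},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validity),
		DNSNames: dns, IPAddresses: ips, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Server leaf signed by the CA key; Go copies the issuer name from the parent template.
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(srvKey)
	if err != nil {
		return nil, err
	}
	return &TLSBundle{
		CACrt:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerCrt: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerKey: pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyBundle performs the check the Bank-Vaults components depend on: ca.crt must be present and
// server.crt must chain to it, be valid for server auth and cover the given host.
func VerifyBundle(b *TLSBundle, host string) (*x509.Certificate, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(b.CACrt) {
		return nil, errors.New("ca.crt missing or not PEM: components cannot verify the Vault server certificate")
	}
	block, _ := pem.Decode(b.ServerCrt)
	if block == nil {
		return nil, errors.New("server.crt is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return cert, err
}

// NeedsRenewal reports whether cert expires within threshold, a Go Duration string such as the
// TLSExpiryThreshold default "168h"; malformed values (e.g. "7d") are rejected.
func NeedsRenewal(cert *x509.Certificate, threshold string, now time.Time) (bool, error) {
	d, err := time.ParseDuration(threshold)
	if err != nil {
		return false, err
	}
	return now.Add(d).After(cert.NotAfter), nil
}
```

VerifyBundle deliberately fails closed when ca.crt is absent, which is the situation the ExistingTLSSecretName note warns about; the same call can be pointed at a ca.pem and server.pem pair read from disk to confirm a CFSSL-generated chain before the kubectl create secret step.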
Generate custom certificates with cert-manager
You can use the following cert-manager custom resources to generate a certificate for Bank-Vaults.
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
spec:
  commonName: vault
  usages:
    - server auth
  dnsNames:
    - vault
    - vault.default
    - vault.default.svc
    - vault.default.svc.cluster.local
  ipAddresses:
    - 127.0.0.1
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF