You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.
Prerequisite: To configure TLS/SSL in VaultServer, KubeVault uses cert-manager to issue certificates. So first you have to make sure that cert-manager is installed in the cluster; if it is not, follow the cert-manager installation guide. To issue a certificate, the following cert-manager custom resources are used:
- Issuer/ClusterIssuer: Issuers and ClusterIssuers represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request. See the cert-manager documentation for details.
- Certificate: cert-manager's Certificate resource defines the desired X.509 certificate, which cert-manager issues, renews and keeps up to date. See the cert-manager documentation for details.
VaultServer CRD Specification:

KubeVault uses the following cr fields to enable SSL/TLS encryption in VaultServer:

```yaml
spec:
  tls:
    issuerRef:
      apiGroup: "cert-manager.io"
      kind: Issuer
      name: vault-issuer
    certificates:
    - alias: server
      secretName: vault-server-certs
      subject:
        organizations:
        - kubevault
    - alias: client
      secretName: vault-client-certs
      subject:
        organizations:
        - kubevault
```
`spec.tls` contains the following fields:

- `tls.issuerRef` - is an optional field that references the `Issuer` or `ClusterIssuer` custom resource object of cert-manager. It is used to generate the necessary certificate secrets for the VaultServer. If `issuerRef` is not specified, the operator creates a self-signed CA and uses it to create the necessary certificate secrets (valid for 365 days).
  - `apiGroup` - is the group name of the resource that is being referenced. Currently, the only supported value is `cert-manager.io`.
  - `kind` - is the type of resource that is being referenced. The supported values are `Issuer` and `ClusterIssuer`.
  - `name` - is the name of the resource (`Issuer` or `ClusterIssuer`) that is being referenced.
- `tls.certificates` - is an optional field that specifies a list of certificate configurations used to configure the certificates. Each entry has the following fields:
  - `alias` - represents the identifier of the certificate. It has the following possible values:
    - `server` - is used for the server certificate configuration.
    - `client` - is used for the client certificate configuration.
    - `storage` - is used for the storage certificate configuration.
    - `ca` - is used for the CA certificate configuration.
  - `secretName` - (default: `"<vault-name>-alias-certs"`) - specifies the k8s secret name that holds the certificates.
  - `subject` - specifies an X.509 distinguished name (DN). It has the following configurable fields:
    - `organizations` (default: nil) - is a list of organization names.
    - `organizationalUnits` (default: nil) - is a list of organizational unit names.
    - `countries` (default: nil) - is a list of country names (i.e. country codes).
    - `localities` (default: nil) - is a list of locality names.
    - `provinces` (default: nil) - is a list of province names.
    - `streetAddresses` (default: nil) - is a list of street addresses.
    - `postalCodes` (default: nil) - is a list of postal codes.
    - `serialNumber` (default: `""`) - is a serial number.

    For more details, see the cert-manager documentation.
  - `duration` (default: `""`) - is the period during which the certificate is valid. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as `"20h45m"`. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
  - `renewBefore` (default: `""`) - is the time before expiry at which the certificate should be renewed, given in the same duration format.
  - `dnsNames` (default: nil) - is a list of DNS subject alternative names.
  - `ipAddresses` (default: nil) - is a list of IP address subject alternative names.
  - `uris` (default: nil) - is a list of URI subject alternative names.
  - `emailAddresses` (default: nil) - is a list of email subject alternative names.
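The `spec.tls` fields above, assembled into complete manifests. This is an added example, not taken from the KubeVault documentation or project: it chains a self-signed bootstrap `Issuer` to a CA `Certificate`, exposes that CA through an `Issuer` named `vault-issuer`, and references it from a `VaultServer`. The `demo` namespace, the `kubevault.com/v1alpha1` apiVersion, the Vault `version` and the `inmem` backend are assumptions for illustration; only the `spec.tls` block follows the specification on this page.

```yaml
# Added example (not from the KubeVault docs). Assumed values are marked.
---
# Step 1: a self-signed bootstrap issuer, used only to mint the CA below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: demo              # assumption: everything lives in the "demo" namespace
spec:
  selfSigned: {}
---
# Step 2: a CA certificate signed by the bootstrap issuer. Its key pair lands
# in the "vault-ca" secret; treat that secret as the root of trust for Vault.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-ca
  namespace: demo
spec:
  isCA: true
  commonName: vault-ca
  secretName: vault-ca
  duration: 87600h             # 10 years for the CA itself
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
    group: cert-manager.io
---
# Step 3: the Issuer that the VaultServer points at. It signs leaf certificates
# with the CA key stored in the "vault-ca" secret.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: demo
spec:
  ca:
    secretName: vault-ca
---
# Step 4: the VaultServer. Only spec.tls follows the page; apiVersion, version
# and backend are assumptions for illustration.
apiVersion: kubevault.com/v1alpha1
kind: VaultServer
metadata:
  name: vault
  namespace: demo
spec:
  replicas: 1
  version: 1.8.2               # assumption: a Vault version known to the operator
  backend:
    inmem: {}                  # assumption: in-memory backend, fine for a demo only
  tls:
    issuerRef:
      apiGroup: "cert-manager.io"
      kind: Issuer
      name: vault-issuer
    certificates:
    - alias: server
      secretName: vault-server-certs
      subject:
        organizations:
        - kubevault
      duration: 2160h          # 90 days, shorter than the operator's 365-day default
      renewBefore: 360h        # cert-manager reissues 15 days before expiry
    - alias: client
      secretName: vault-client-certs
      subject:
        organizations:
        - kubevault
      duration: 2160h
      renewBefore: 360h
```

Apply the issuer chain first and wait until `kubectl get issuer vault-issuer -n demo` reports Ready, because the `Certificate` objects the operator creates cannot be honored until the referenced issuer is ready. Once the operator has created the secrets, `kubectl get secret vault-server-certs -n demo -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -dates` confirms that the issued certificate carries `O = kubevault` and the 90-day validity instead of the default. The `vault-ca` secret holds the CA private key, which can mint client certificates that Vault will trust, so restrict read access to it with RBAC.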
The following figure shows how KubeVault is used to configure TLS/SSL in VaultServer.
Deploying a VaultServer with TLS/SSL configuration consists of the following steps:

1. At first, a user creates an `Issuer` or `ClusterIssuer` cr.
2. Then the user creates a `VaultServer` cr.
3. The KubeVault community operator watches for the `VaultServer` cr.
4. When it finds one, it creates the `Secret`, `Service`, etc. for the `VaultServer`.
5. The KubeVault operator watches for those `VaultServer` resources (`Secret`, `Service`).
6. When it finds all the resources (`Secret`, `Service`), it creates cert-manager `Certificate` objects using the `tls.issuerRef` and `tls.certificates` field specification from the `VaultServer` cr.
7. cert-manager watches for `Certificate` objects.
8. When it finds one, it issues the certificate through the referenced issuer and stores it in the certificate secrets (server, client, exporter secrets, etc.) that hold the issued certificate and key.
9. The KubeVault community operator watches for those certificate secrets.
10. When it finds all of them, it creates a `StatefulSet` so that the Vault server is configured with TLS/SSL.
In the next doc, we are going to show a step by step guide on how to configure a VaultServer with TLS/SSL.