# Configure TLS/SSL for VaultServer

KubeVault provides support for TLS/SSL for VaultServer. This tutorial will show you how to use KubeVault to deploy a VaultServer with TLS/SSL configuration.
## Before You Begin

- At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.
- Install cert-manager v1.4.0 or later in your cluster to manage your SSL/TLS certificates.
- Install the KubeVault operator in your cluster following the steps here.
- To keep things isolated, this tutorial uses a separate namespace called `demo` throughout.

```
$ kubectl create ns demo
namespace/demo created
```
## Deploy VaultServer with TLS/SSL configuration

As a prerequisite, we first create an Issuer/ClusterIssuer; cert-manager uses it to issue certificates. Then we deploy a VaultServer with TLS/SSL configuration.

### Create Issuer/ClusterIssuer
Now, we are going to create an example Issuer that will be used throughout the duration of this tutorial. Alternatively, you can follow this cert-manager tutorial to create your own Issuer. By following the steps below, we are going to create our desired issuer:

- Start off by generating our CA certificate using openssl:

```
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=vault/O=kubevault"
```

- Create a secret using the certificate files we have just generated:

```
$ kubectl create secret tls vault-ca --cert=ca.crt --key=ca.key --namespace=demo
secret/vault-ca created
```

Now, we are going to create an Issuer using the `vault-ca` secret that contains the CA certificate we have just created. Below is the YAML of the Issuer CR that we are going to create:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: demo
spec:
  ca:
    secretName: vault-ca
```
Let's create the Issuer CR we have shown above:

```
$ kubectl apply -f issuer.yaml
issuer.cert-manager.io/vault-issuer created
```

### Deploy VaultServer with TLS/SSL configuration

Here, our issuer `vault-issuer` is ready, so we can deploy a VaultServer cluster with TLS/SSL configuration. Below is the YAML for the VaultServer that we are going to create:
```yaml
apiVersion: kubevault.com/v1alpha2
kind: VaultServer
metadata:
  name: vault
  namespace: demo
spec:
  tls:
    issuerRef:
      apiGroup: "cert-manager.io"
      kind: Issuer
      name: vault-issuer
  allowedSecretEngines:
    namespaces:
      from: All
    secretEngines:
      - mysql
  version: 1.10.3
  replicas: 3
  backend:
    raft:
      storage:
        storageClassName: "standard"
        resources:
          requests:
            storage: 1Gi
  unsealer:
    secretShares: 5
    secretThreshold: 3
    mode:
      kubernetesSecret:
        secretName: vault-keys
  monitor:
    agent: prometheus.io
    prometheus:
      exporter:
        resources: {}
  terminationPolicy: DoNotTerminate
```
Here, `spec.tls.issuerRef` refers to the `vault-issuer` Issuer created above, so cert-manager signs the VaultServer's serving certificate with the CA stored in the `vault-ca` secret.
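The trust chain this configuration sets up (the `vault-ca` secret feeds the Issuer, cert-manager signs a serving certificate with it, clients verify against the CA) can be replayed and checked locally with openssl. The script below is an added example, not code from KubeVault or cert-manager; it assumes openssl is installed, and the service DNS names it uses are constructed for the `demo` namespace.

```shell
# Added example (not KubeVault's or cert-manager's own tooling): replays the
# CA -> Issuer -> serving certificate chain locally and verifies it.
# Assumes openssl is on PATH; DNS names below are constructed for the demo.

# Step 1: the CA from the tutorial, written into a scratch directory.
make_ca() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=vault/O=kubevault" >/dev/null 2>&1
}

# Step 2: what cert-manager does for a certificate that references the CA
# Issuer: sign a server certificate for the Vault service with that CA.
issue_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.csr" \
    -subj "/CN=vault.demo.svc" >/dev/null 2>&1
  printf 'subjectAltName=DNS:vault.demo.svc,DNS:vault.demo.svc.cluster.local\nextendedKeyUsage=serverAuth\n' \
    > "$1/san.cnf"
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/san.cnf" -out "$1/tls.crt" \
    >/dev/null 2>&1
}

# Step 3: the check a client (or an operator inspecting the cluster) performs:
# the served certificate chains to vault-ca, names the service, and is NOT
# accepted under an unrelated CA (what you see when issuerRef points at the
# wrong Issuer or the client trusts the wrong CA bundle).
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/tls.crt" -noout -text | grep -q 'DNS:vault.demo.svc' || return 1
  mkdir -p "$1/other" && make_ca "$1/other" || return 1
  if openssl verify -CAfile "$1/other/ca.crt" "$1/tls.crt" >/dev/null 2>&1; then
    return 1   # an unrelated CA must not validate the chain
  fi
  return 0
}

# Runs the three steps in a temp dir; returns 0 only when every check passes.
demo_tls_chain() {
  dir=$(mktemp -d) || return 1
  if make_ca "$dir" && issue_server_cert "$dir" && verify_chain "$dir"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}
```

The same `openssl verify -CAfile ca.crt` check applies to the certificate cert-manager places in the cluster once the VaultServer is deployed.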