New to KubeVault? Please start here.
Overview
Prerequisite: To configure TLS/SSL in VaultServer, KubeVault uses cert-manager to issue certificates. So first you have to make sure that the cluster has cert-manager installed. To install cert-manager in your cluster, follow the steps here.
To issue a certificate, the following cert-manager custom resources are used:

- Issuer/ClusterIssuer: Issuers and ClusterIssuers represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request. You can learn more details here.
- Certificate: cert-manager has the concept of Certificates that define the desired X.509 certificate which will be renewed and kept up to date. You can learn more details here.
VaultServer CRD Specification:
KubeVault uses the following custom resource fields to enable SSL/TLS encryption in VaultServer.
```yaml
spec:
  tls:
    issuerRef:
      apiGroup: "cert-manager.io"
      kind: Issuer
      name: vault-issuer
    certificates:
    - alias: server
      secretName: vault-server-certs
      subject:
        organizations:
        - kubevault
    - alias: client
      secretName: vault-client-certs
      subject:
        organizations:
        - kubevault
```
The spec.tls contains the following fields:

- tls.issuerRef - is an optional field that references the Issuer or ClusterIssuer custom resource object of cert-manager. It is used to generate the necessary certificate secrets for VaultServer. If the issuerRef is not specified, the operator creates a self-signed CA and also creates the necessary certificate secrets (valid: 365 days) using that CA.
  - apiGroup - is the group name of the resource that is being referenced. Currently, the only supported value is cert-manager.io.
  - kind - is the type of resource that is being referenced. The supported values are Issuer and ClusterIssuer.
  - name - is the name of the resource (Issuer or ClusterIssuer) that is being referenced.
- tls.certificates - is an optional field that specifies a list of certificate configurations used to configure the certificates. It has the following fields:
  - alias - represents the identifier of the certificate. It has the following possible values:
    - server - is used for the server certificate configuration.
    - client - is used for the client certificate configuration.
    - storage - is used for the storage certificate configuration.
    - ca - is used for the CA certificate configuration.
  - secretName (string | "<vault-name>-alias-certs") - specifies the Kubernetes secret name that holds the certificates. When omitted, the name is derived from the VaultServer name and the alias, e.g. vault-server-certs for a VaultServer named vault.
  - subject - specifies an X.509 distinguished name (DN). It has the following configurable fields:
    - organizations ([]string | nil) - is a list of organization names.
    - organizationalUnits ([]string | nil) - is a list of organizational unit names.
    - countries ([]string | nil) - is a list of country names (i.e. country codes).
    - localities ([]string | nil) - is a list of locality names.
    - provinces ([]string | nil) - is a list of province names.
    - streetAddresses ([]string | nil) - is a list of street addresses.
    - postalCodes ([]string | nil) - is a list of postal codes.
    - serialNumber (string | "") - is a serial number.
    For more details, visit here.
  - duration (string | "") - is the period during which the certificate is valid. A duration string is a possibly signed sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300m", "1.5h" or "20h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
  - renewBefore (string | "") - is how long before expiry cert-manager should start renewing the certificate, written in the same duration format. cert-manager rejects a renewBefore that is not shorter than duration.
  - dnsNames ([]string | nil) - is a list of DNS subject alternative names. Clients verify the server certificate against the host name they connect to, so this list should include every DNS name used to reach Vault.
  - ipAddresses ([]string | nil) - is a list of IP address subject alternative names.
  - uris ([]string | nil) - is a list of URI subject alternative names.
  - emailAddresses ([]string | nil) - is a list of email subject alternative names.
How TLS/SSL is configured in VaultServer

The following figure shows how KubeVault configures TLS/SSL in VaultServer.

Deploying a VaultServer with TLS/SSL configuration consists of the following steps:

1. At first, a user creates an Issuer/ClusterIssuer cr.
2. Then the user creates a VaultServer cr.
3. The KubeVault community operator watches for the VaultServer cr.
4. When it finds one, it creates Secret, Service, etc. for the VaultServer.
5. The KubeVault operator watches for VaultServer (5c), Issuer/ClusterIssuer (5b), Secret and Service (5a).
6. When it finds all the resources (VaultServer, Issuer/ClusterIssuer, Secret, Service), it creates Certificates by using the tls.issuerRef and tls.certificates field specification from the VaultServer cr.
7. cert-manager watches for Certificates.
8. When it finds one, it creates certificate secrets cert-secrets (server, client, exporter secrets, etc.) that hold the certificates signed by the referenced issuer.
9. The KubeVault community operator watches for the Certificate secrets tls-secrets.
10. When it finds all the tls-secrets, it creates a StatefulSet so that the Vault server is configured with TLS/SSL.
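The field rules above and step 6 of this procedure (deriving Certificates from tls.issuerRef and tls.certificates) can be exercised without a cluster. The following is an added example, not KubeVault or cert-manager code: it models the page's defaulting rules (secretName "<vault-name>-alias-certs", 365-day validity when no issuerRef is given, the Go duration syntax of duration and renewBefore) and renders the cert-manager Certificate objects that would result. The Certificate metadata.name pattern "<vault-name>-<alias>" is an assumption; the 2160h default duration, the 1h minimum and the renewBefore < duration check are cert-manager's own validation rules, not something this page states. The sample spec is constructed from the page's YAML with a duration, renewBefore and DNS SAN added.

```python
"""spec.tls rules from this page and the cert-manager Certificate objects the
operator derives from them. Added example, not KubeVault or cert-manager code.
Assumed: Certificate name "<vault-name>-<alias>"; 2160h, 1h, renewBefore<duration are cert-manager rules."""
import re
from datetime import timedelta

CERT_MANAGER_GROUP = "cert-manager.io"
ISSUER_KINDS = {"Issuer", "ClusterIssuer"}
ALIASES = {"server", "client", "storage", "ca"}
SELF_SIGNED_VALIDITY = timedelta(days=365)  # operator default when issuerRef is absent (page)
CERT_MANAGER_DEFAULT_DURATION = "2160h"     # cert-manager default when duration is omitted
_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")

def parse_go_duration(text):
    """Parse a Go duration ("300m", "1.5h", "20h45m", "-90s") into a timedelta."""
    sign = -1 if text[:1] == "-" else 1
    text = text[1:] if text[:1] in ("+", "-") else text
    if text == "0":  # Go accepts a bare "0" without a unit
        return timedelta(0)
    pos, seconds = 0, 0.0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r}")
        seconds += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0:  # empty string or a bare sign
        raise ValueError("empty duration")
    return timedelta(seconds=sign * seconds)

def secret_name(vault_name, cert):
    """Page default: "<vault-name>-<alias>-certs" unless secretName is set."""
    return cert.get("secretName") or f"{vault_name}-{cert['alias']}-certs"

def expected_validity(tls, cert):
    """Validity of the issued secret: 365 days when self-signed, else the requested duration."""
    if tls.get("issuerRef") is None:
        return SELF_SIGNED_VALIDITY
    return parse_go_duration(cert.get("duration") or CERT_MANAGER_DEFAULT_DURATION)

def validate_tls(tls):
    """Return the problems found in a spec.tls block; an empty list means valid."""
    problems, ref = [], tls.get("issuerRef")
    if ref is not None:
        if ref.get("apiGroup") != CERT_MANAGER_GROUP:
            problems.append(f"issuerRef.apiGroup must be {CERT_MANAGER_GROUP}")
        if ref.get("kind") not in ISSUER_KINDS:
            problems.append("issuerRef.kind must be Issuer or ClusterIssuer")
        if not ref.get("name"):
            problems.append("issuerRef.name is required")
    seen = set()
    for cert in tls.get("certificates", []):
        alias = cert.get("alias")
        if alias not in ALIASES:
            problems.append(f"unknown alias {alias!r}")
        if alias in seen:
            problems.append(f"duplicate alias {alias!r}")
        seen.add(alias)
        try:
            duration = parse_go_duration(cert.get("duration") or CERT_MANAGER_DEFAULT_DURATION)
            renew = parse_go_duration(cert["renewBefore"]) if cert.get("renewBefore") else None
        except ValueError as exc:
            problems.append(f"{alias}: {exc}")
            continue
        if duration < timedelta(hours=1):  # cert-manager minimum
            problems.append(f"{alias}: duration must be at least 1h")
        if renew is not None and renew >= duration:  # cert-manager rule
            problems.append(f"{alias}: renewBefore must be shorter than duration")
    return problems

def render_certificates(vault_name, namespace, tls):
    """Certificate objects the operator creates when issuerRef is set; none when it self-signs."""
    ref = tls.get("issuerRef")
    if ref is None:
        return []
    objects = []
    for cert in tls.get("certificates", []):
        # Certificate.spec.issuerRef names the group field "group", not "apiGroup".
        spec = {"secretName": secret_name(vault_name, cert),
                "issuerRef": {"name": ref["name"], "kind": ref["kind"], "group": ref["apiGroup"]}}
        for key in ("duration", "renewBefore", "subject", "dnsNames", "ipAddresses", "uris",
                    "emailAddresses"):
            if cert.get(key):  # X.509 subject and SANs pass straight through
                spec[key] = cert[key]
        objects.append({"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
                        "metadata": {"name": f"{vault_name}-{cert['alias']}",  # assumed pattern
                                     "namespace": namespace},
                        "spec": spec})
    return objects

# Constructed sample: the page's spec.tls plus a duration, renewBefore and a DNS SAN.
SAMPLE_TLS = {
    "issuerRef": {"apiGroup": "cert-manager.io", "kind": "Issuer", "name": "vault-issuer"},
    "certificates": [
        {"alias": "server", "secretName": "vault-server-certs", "duration": "20h45m",
         "renewBefore": "1.5h", "subject": {"organizations": ["kubevault"]},
         "dnsNames": ["vault.demo.svc"]},
        {"alias": "client", "subject": {"organizations": ["kubevault"]}}]}
```

Calling validate_tls(SAMPLE_TLS) returns an empty list, and render_certificates("vault", "demo", SAMPLE_TLS) yields two Certificate objects whose secretName values are vault-server-certs (explicit) and vault-client-certs (defaulted from the VaultServer name and alias). Removing issuerRef makes render_certificates return nothing, matching the page's statement that the operator self-signs in that case.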
In the next doc, we are going to show a step-by-step guide on how to configure a VaultServer with TLS/SSL.