New to KubeVault? Please start here.
Reconfiguring TLS of VaultServer
This guide will give an overview on how KubeVault Enterprise operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer or Certificates and rotate the certificates of a VaultServer
.
Before You Begin
- You should be familiar with the following
KubeVault
concepts:
How Reconfiguring VaultServer TLS Configuration Process Works
The Reconfiguring VaultServer TLS process consists of the following steps:
At first, a user creates a
VaultServer
Custom Resource Object (CRO).KubeVault
operator watches theVaultServer
CRO.When the operator finds a
VaultServer
CR, it creates required number ofStatefulSets
and related necessary stuff like secrets, services, etc.Then, in order to reconfigure the TLS configuration of the
VaultServer
the user creates aVaultOpsRequest
CR with desired information.KubeVault
operator watches theVaultOpsRequest
CR.When it finds a
VaultOpsRequest
CR, it pauses theVaultServer
object which is referred from theVaultOpsRequest
. So, theKubeVault
operator doesn’t perform any operations on theVaultServer
object during the reconfiguring TLS process.Then the
KubeVault
operator will add, remove, update or rotate TLS configuration based on the Ops Request yaml.Then the
KubeVault
operator will restart all the Pods of the database so that they restart with the new TLS configuration defined in theVaultOpsRequest
CR.After the successful reconfiguring of the
VaultServer
TLS, theKubeVault
operator resumes theVaultServer
object so that theKubeVault
Community operator resumes its usual operations.
In the next docs, we are going to show a step by step guide on reconfiguring TLS configuration of a VaultServer using VaultOpsRequest
CRD.