Bank-Vaults tries to automate as much as possible for handling TLS certificates.

  • The vault-operator automates the creation and renewal of TLS certificates for Vault.
  • The vault Helm Chart automates only the creation (not the renewal) of TLS certificates for Vault, via Sprig.

Both the operator and the chart generate one Kubernetes Secret holding the TLS certificates. It is named ${VAULT_CR_NAME}-tls (vault-tls in most examples in this repo).

The Secret data keys are:

  • ca.crt
  • server.crt
  • server.key

The operator doesn’t overwrite this Secret if it already exists, so you can provide the certificate in any other way, for example with cert-manager or by placing it there manually.

Operator custom TLS settings

Some attributes can influence the TLS settings in the operator:

    // ExistingTLSSecretName is the name of the secret that contains a TLS server certificate and key and the corresponding CA certificate.
    // Required secret format: kubernetes.io/tls type secret keys + ca.crt key
    // If it is set, certificate generation is disabled
    // default: ""
    ExistingTLSSecretName string `json:"existingTlsSecretName,omitempty"`

    // TLSExpiryThreshold is the Vault TLS certificate expiration threshold in Go's Duration format.
    // default: 168h
    TLSExpiryThreshold string `json:"tlsExpiryThreshold,omitempty"`

    // TLSAdditionalHosts is a list of additional hostnames or IP addresses to add to the SAN on the automatically generated TLS certificate.
    // default:
    TLSAdditionalHosts []string `json:"tlsAdditionalHosts,omitempty"`

    // CANamespaces define a list of namespaces where the generated CA certificate for Vault should be distributed,
    // use ["*"] for all namespaces.
    // default:
    CANamespaces []string `json:"caNamespaces,omitempty"`

The ca.crt key is mandatory in the Secret referenced by existingTlsSecretName; otherwise the Bank-Vaults components can’t verify the Vault server certificate.

Using a custom TLS certificate with vault-operator

To use an existing Secret that contains the TLS certificate, set existingTlsSecretName in the Vault custom resource.

Generating custom certificates with CFSSL for Bank-Vaults

If you don’t wish to use the certificates generated by the Helm chart or the operator, the easiest way to create a custom certificate for Bank-Vaults is CFSSL. This directory holds a set of custom CFSSL configurations prepared for the Helm release name vault in the default namespace. You can of course put any other certificates into the Secret below; this is just an example:

  1. Create a CA first:

    cfssl genkey -initca csr.json | cfssljson -bare ca
    
  2. Create a server certificate:

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server
    
  3. Put these certificates (and the server key) into a Kubernetes Secret:

    kubectl create secret generic vault-tls --from-file=ca.crt=ca.pem --from-file=server.crt=server.pem --from-file=server.key=server-key.pem
    
  4. Install the Vault instance:

    • With the chart, using this certificate:

      helm upgrade --install vault ../charts/vault --set tls.secretName=vault-tls

    • With the operator:

      kubectl apply -f vault-cr.yaml

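Before creating the Secret in step 3, it is worth checking the three files the same way the Bank-Vaults components will use them: the key must match server.crt, ca.crt must verify it for every name Vault is reached at, and it must not already be inside the renewal threshold. The Go program below is an added example, not code from Bank-Vaults; it assumes the in-cluster service names used elsewhere on this page and the operator's default 168h threshold, and GenTestPair constructs a throwaway CA and server certificate (a stand-in for the cfssl output) so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CheckVaultTLS validates the ca.crt/server.crt/server.key trio the way a Bank-Vaults client will
// use it: key and cert must match, the CA must verify the cert for every name the server is reached
// at, and the cert must be outside the expiry threshold (the operator default is 168h).
func CheckVaultTLS(caPEM, certPEM, keyPEM []byte, hosts []string, threshold time.Duration) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) { // ca.crt is mandatory, see above
		return fmt.Errorf("ca.crt: no PEM certificate found")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails when key and cert do not match
	if err != nil {
		return fmt.Errorf("server.crt/server.key: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed it
	for _, h := range hosts {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: h}); err != nil {
			return fmt.Errorf("host %q: %w", h, err)
		}
	}
	if left := time.Until(leaf.NotAfter); left < threshold {
		return fmt.Errorf("expires in %s, within threshold %s", left.Round(time.Hour), threshold)
	}
	return nil
}

// GenTestPair builds a constructed CA plus a server cert signed by it (stand-in for the cfssl output).
func GenTestPair(dns []string, lifetime time.Duration) (caPEM, certPEM, keyPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime), KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vault"}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTpl, caTpl, srvPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(srvKey)
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", caDER), enc("CERTIFICATE", srvDER), enc("PRIVATE KEY", keyDER)
}
```

To check real cfssl output, read ca.pem, server.pem and server-key.pem with os.ReadFile and pass them to CheckVaultTLS in place of the constructed pair.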

Generating custom certificates with cert-manager for Bank-Vaults

Example custom resources used by cert-manager to generate the certificate for Bank-Vaults. cert-manager stores the result in the kubernetes.io/tls Secret named by secretName (selfsigned-cert-tls here), which you can then reference with existingTlsSecretName:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: test-selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
spec:
  commonName: vault
  usages:
    - server auth
  dnsNames:
    - vault
    - vault.default
    - vault.default.svc
    - vault.default.svc.cluster.local
  ipAddresses:
    - 127.0.0.1
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF