Vault
Standalone Server with TLS
Important Note: This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
This example can be used to set up a single server Vault cluster using TLS.
- Create key & certificate using Kubernetes CA
- Store key & cert into Kubernetes secrets store
- Configure helm chart to use Kubernetes secret from step 2
1. Create key & certificate using Kubernetes CA
There are three variables that will be used in this example.
# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
SERVICE=vault-server-tls
# NAMESPACE where the Vault service is running.
NAMESPACE=vault-namespace
# SECRET_NAME to create in the Kubernetes secrets store.
SECRET_NAME=vault-server-tls
# TMPDIR is a temporary working directory.
TMPDIR=/tmp
Create a key for Kubernetes to sign.
openssl genrsa -out ${TMPDIR}/vault.key 2048Create a Certificate Signing Request (CSR).
Create a file
${TMPDIR}/csr.confwith the following contents:$ cat <<EOF >${TMPDIR}/csr.conf [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = ${SERVICE} DNS.2 = ${SERVICE}.${NAMESPACE} DNS.3 = ${SERVICE}.${NAMESPACE}.svc DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local IP.1 = 127.0.0.1 EOFCreate a CSR.
openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf
Create the certificate
Create a file
${TMPDIR}/csr.yamlwith the following contents:$ export CSR_NAME=vault-csr $ cat <<EOF >${TMPDIR}/csr.yaml apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: ${CSR_NAME} spec: groups: - system:authenticated request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n') usages: - digital signature - key encipherment - server auth EOFCSR_NAMEcan be any name you want. It's the name of the CSR as seen by KubernetesSend the CSR to Kubernetes.
kubectl create -f ${TMPDIR}/csr.yamlIf this process is automated, you may need to wait to ensure the CSR has been received and stored:
kubectl get csr ${CSR_NAME}Approve the CSR in Kubernetes.
kubectl certificate approve ${CSR_NAME}
2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
Retrieve the certificate.
serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')If this process is automated, you may need to wait to ensure the certificate has been created. If it hasn't, this will return an empty string.
Write the certificate out to a file.
echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crtRetrieve Kubernetes CA.
kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -D > ${TMPDIR}/vault.caStore the key, cert, and Kubernetes CA into Kubernetes secrets.
kubectl create secret generic ${SECRET_NAME} \ --namespace ${NAMESPACE} \ --from-file=vault.key=${TMPDIR}/vault.key \ --from-file=vault.crt=${TMPDIR}/vault.crt \ --from-file=vault.ca=${TMPDIR}/vault.ca
3. Helm Configuration
The below custom-values.yaml can be used to set up a single server Vault cluster using TLS.
This assumes that a Kubernetes secret exists with the server certificate, key and
certificate authority:
global:
enabled: true
tlsDisable: false
extraEnvironmentVars:
VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
server:
image:
repository: 'vault'
tag: '1.3.1'
extraVolumes:
- type: secret
name: vault-server-tls # Matches the ${SECRET_NAME} from above
standalone:
enabled: true
config: |
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
}
storage "file" {
path = "/vault/data"
}