vault [2023/08/09 10:33]
admin created
vault [2024/01/26 17:33] (current)
Line 1: Line 1:
 +====== Vault ======
 +
 +
 +===== Configure TLS =====
 +
 +Create a TLS secret used by Vault and Traefik to communicate with vault service
 +
 +<code>
 +export CERT_DIR=cert
 +export SECRET_NAME=vault-server-tls
 +</code>
 +
 +==== Generate certificate via Kubernetes CertificateSigningRequest ====
 +
 +Generate key:
 +<code>
 +openssl genrsa -out ${CERT_DIR}/vault.key 4096
 +</code>
 +
 +Generate server.csr:
 +<code>
 +openssl req -config ${CERT_DIR}/csr.conf -new -key ${CERT_DIR}/vault.key -subj "/CN=vault.vault.svc" -out ${CERT_DIR}/server.csr
 +</code>
 +
 +Generate CertificateSigningRequest
 +Create ${CERT_DIR}/csr.yaml
 +<code | download>
 +apiVersion: certificates.k8s.io/v1
 +kind: CertificateSigningRequest
 +metadata:
 +  name: vault-csr
 +spec:
 +  groups:
 +  - system:authenticated
 +  request: $(cat ${CERT_DIR}/server.csr | base64 | tr -d '\n')
 +  signerName: beta.eks.amazonaws.com/app-serving
 +  usages:
 +  - digital signature
 +  - key encipherment
 +  - server auth
 +</code>
 +
 +Apply CertificateSigningRequest & approve:
 +<code>
 +kubectl create -f ${CERT_DIR}/csr.yaml
 +# Approve the Self-Signed Certificate by K8S CA
 +kubectl certificate approve vault-csr
 +# Write public certificate to file
 +kubectl get csr vault-csr -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out ${CERT_DIR}/vault.crt
 +</code>
 +
 +Retrieve Kubernetes CA certificate
 +<code>
 +kubectl config view \
 +--raw \
 +--minify \
 +--flatten \
 +-o jsonpath='{.clusters[].cluster.certificate-authority-data}' \
 +| base64 -d > ${CERT_DIR}/vault.ca
 +</code>
 +
 +==== Create Kubernetes secret containing TLS certificate & CA ====
 +
 +<code>
 +kubectl create secret generic ${SECRET_NAME} \
 +--namespace vault \
 +--from-file=vault.key=${CERT_DIR}/vault.key \
 +--from-file=vault.crt=${CERT_DIR}/vault.crt \
 +--from-file=ca.crt=${CERT_DIR}/vault.ca
 +</code>
 +
 +==== Update Vault Helm values ====
 +
 +
 +<code>
 +vault:
 +  server:
 +    extraEnvironmentVars:
 +      VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
 +    extraVolumes:
 +      - type: secret
 +        name: vault-server-tls
 +        
 +    ha:
 +      raft:
 +        config: |
 +          ui = true
 +
 +          listener "tcp" {
 +            address = "[::]:8200"
 +            cluster_address = "[::]:8201"
 +            tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
 +            tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
 +            tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
 +          }
 +          
 +          storage "raft" {
 +            path = "/vault/data"
 +              retry_join {
 +              leader_tls_servername = "*.vault-internal"
 +              leader_api_addr = "https://vault-0.vault-internal:8200"
 +              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
 +              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
 +              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
 +            }
 +          
 +            retry_join {
 +              leader_tls_servername = "*.vault-internal"
 +              leader_api_addr = "https://vault-1.vault-internal:8200"
 +              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
 +              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
 +              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
 +            }    
 +          }
 +</code>
 +
 ===== Setup Vault backup kubernetes cronjob ===== ===== Setup Vault backup kubernetes cronjob =====