Vault agent injector TLS configuration
Important Note: This chart is not compatible with Helm 2. Please use Helm 3.6+ with this chart.
The following instructions demonstrate how to manually configure the Vault Agent Injector with self-signed certificates.
Create a certificate authority (CA)
First, create a private key to be used by our custom Certificate Authority (CA):
Next, create a certificate authority certificate:
Important Note: Values such as days (how long the certificate is valid for) should be configured for your environment.
Create Vault agent injector certificate
Next we can create a certificate and key signed by the certificate authority generated above. This certificate and key will be used by the Vault Agent Injector for TLS communications with the Kubernetes API.
First, create a private key for the certificate:
Next, create a certificate signing request (CSR) to be used when signing the certificate:
After creating the CSR, create an extension file to configure additional parameters for signing the certificate.
Important Note: The alternative names for the certificate must be configured to use the name of the Vault Agent Injector Kubernetes service and namespace where its created.
In this example the Vault Agent Injector service name is vault-agent-injector-svc
in the vault
namespace.
This uses the pattern <k8s service name>.<k8s namespace>.svc.cluster.local
.
Finally, sign the certificate:
Important Note: Values such as days (how long the certificate is valid for) should be configured for your environment.
Configuration
Now that a certificate authority and a signed certificate have been created, we can now configure Helm and the Vault Agent Injector to use them.
First, create a Kubernetes secret containing the certificate and key created above:
Important Note: This example assumes the Vault Agent Injector is running in the vault
namespace.
Next, base64 encode the certificate authority so Kubernetes can verify the authenticity of the certificate:
Finally, install the Vault Agent Injector with the following custom values: