Vault
Vault Agent Sidecar to Request Certificates
The Vault Agent sidecar can be used not only to read secrets from Vault but also to request certificates from it.
The following example assumes the Vault PKI secrets engine is mounted at /pki.
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: envoy-ingress
  labels:
    app: envoy-ingress
spec:
  selector:
    matchLabels:
      app: envoy-ingress
  template:
    metadata:
      labels:
        app: envoy-ingress
      annotations:
        vault.hashicorp.com/agent-inject-secret-hushhush.crt: "pki/issue/hushhush_role"
        vault.hashicorp.com/agent-inject-template-hushhush.crt: |
          {{- with secret "pki/issue/hushhush_role" "common_name=hushhush.acme.com" -}}
          {{ .Data.certificate }}
          {{ index .Data.ca_chain 0 }}
          {{ index .Data.ca_chain 1 }}
          {{- end }}
        vault.hashicorp.com/agent-inject-secret-hushhush.key: "pki/issue/hushhush_role"
        vault.hashicorp.com/agent-inject-template-hushhush.key: |
          {{- with secret "pki/issue/hushhush_role" "common_name=hushhush.acme.com" -}}
          {{ .Data.private_key }}
          {{- end }}
        # The certificate and the key will be located in
        # /vault/secrets/hushhush.{crt,key} respectively.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "my_kube_auth_backend_role"
        vault.hashicorp.com/agent-pre-populate: "true"
        vault.hashicorp.com/service: "https://vault.internal.acme.com:8200"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        vault.hashicorp.com/tls-secret: "acmecorp-root-ca-cert"
        vault.hashicorp.com/tls-server-name: "vault.internal.acme.com"
    spec:
      containers:
        - name: envoy
          image: envoyproxy/envoy:v1.22
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: config-volume
              mountPath: /etc/envoy
              readOnly: true
            - name: acmecorp-root-ca-cert-volume
              mountPath: /etc/acmecorp-root-ca
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: envoy-config
        - name: acmecorp-root-ca-cert-volume
          secret:
            secretName: acmecorp-root-ca-cert
            # The CA cert is technically not a secret, but the vault-agent init container
            # can only reference a Secret object.
---
apiVersion: v1
kind: Secret
metadata:
  name: acmecorp-root-ca-cert
  namespace: envoy-ingress
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
```
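A check worth running against what the agent wrote to /vault/secrets/hushhush.{crt,key}: the first PEM block must be the leaf, the blocks after it must be the ca_chain entries the template emitted, and the key must belong to that leaf. The Go program below is an added example, not code from this wiki or from Vault; it assumes the role issues PKCS#8 keys (private_key_format=pkcs8) and that common_name is also present as a DNS SAN (Vault's default unless exclude_cn_from_sans is set), and sampleBundle constructs a throwaway CA and leaf so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckBundle validates the rendered pair: hushhush.crt must be the leaf followed by ca_chain (the
// template's order), hushhush.key must be that leaf's key, and the chain (last entry as anchor) must verify for host.
func CheckBundle(crtPEM, keyPEM []byte, host string) error {
	var der []byte // every CERTIFICATE block, concatenated
	for b, rest := pem.Decode(crtPEM); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	kb, _ := pem.Decode(keyPEM)
	if err != nil || len(certs) < 2 || certs[0].IsCA || kb == nil {
		return fmt.Errorf("want leaf then ca_chain in hushhush.crt and a PEM key in hushhush.key: %v", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(kb.Bytes) // assumes private_key_format=pkcs8 on the role
	if err != nil || !certs[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool }).Equal(key.(crypto.Signer).Public()) {
		return fmt.Errorf("hushhush.key is not the private key of the leaf in hushhush.crt: %v", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[len(certs)-1]) // last ca_chain entry: the root
	inters.AddCert(certs[1])           // ca_chain[0]: the issuing CA
	_, err = certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// sampleBundle is a constructed stand-in for one pki/issue response (not real Vault output): CA + leaf for host.
func sampleBundle(host string) (crtPEM, keyPEM []byte) {
	p := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "acme-root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, pub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return append(p("CERTIFICATE", leafDER), p("CERTIFICATE", caDER)...), p("PRIVATE KEY", keyDER)
}
```

Inside the pod, feed CheckBundle the two files from /vault/secrets instead of sampleBundle; a key rendered from a different issue response, a CA-first bundle, or a wrong host all come back as errors.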