Skip to content

Commit

Permalink
backport of commit 2a69947 (#16045)
Browse files Browse the repository at this point in the history
Co-authored-by: Christopher Swenson <[email protected]>
  • Loading branch information
1 parent 46e0ecc commit 76b1768
Showing 1 changed file with 56 additions and 36 deletions.
92 changes: 56 additions & 36 deletions website/content/docs/platform/k8s/helm/examples/standalone-tls.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -18,35 +18,42 @@ This example can be used to set up a single server Vault cluster using TLS.

## 1. Create key & certificate using Kubernetes CA

There are three variables that will be used in this example.
There are four variables that will be used in this example.

```bash
# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
SERVICE=vault-server-tls
export SERVICE=vault-server-tls

# NAMESPACE where the Vault service is running.
NAMESPACE=vault-namespace
export NAMESPACE=vault-namespace

# SECRET_NAME to create in the Kubernetes secrets store.
SECRET_NAME=vault-server-tls
export SECRET_NAME=vault-server-tls

# TMPDIR is a temporary working directory.
TMPDIR=/tmp
export TMPDIR=/tmp

# CSR_NAME will be the name of our certificate signing request as seen by Kubernetes.
export CSR_NAME=vault-csr
```

1. Create a key for Kubernetes to sign.

```bash
openssl genrsa -out ${TMPDIR}/vault.key 2048
```shell-session
$ openssl genrsa -out ${TMPDIR}/vault.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
...............+++
e is 65537 (0x10001)
```

2. Create a Certificate Signing Request (CSR).

1. Create a file `${TMPDIR}/csr.conf` with the following contents:

```
$ cat <<EOF >${TMPDIR}/csr.conf
```bash
cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
Expand All @@ -67,86 +74,99 @@ TMPDIR=/tmp
2. Create a CSR.
```bash
openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf
```shell-session
$ openssl req -new -key ${TMPDIR}/vault.key \
-subj "/O=system:nodes/CN=system:node:${SERVICE}.${NAMESPACE}.svc" \
-out ${TMPDIR}/server.csr \
-config ${TMPDIR}/csr.conf
```
3. Create the certificate
1. Create a file `${TMPDIR}/csr.yaml` with the following contents:
```
$ export CSR_NAME=vault-csr
$ cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1beta1
```bash
cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${CSR_NAME}
spec:
groups:
- system:authenticated
request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\r\n')
signerName: kubernetes.io/kubelet-serving
usages:
- digital signature
- key encipherment
- server auth
EOF
```
-> `CSR_NAME` can be any name you want. It's the name of the CSR as seen by Kubernetes
2. Send the CSR to Kubernetes.
```bash
kubectl create -f ${TMPDIR}/csr.yaml
```shell-session
$ kubectl create -f ${TMPDIR}/csr.yaml
certificatesigningrequest.certificates.k8s.io/vault-csr created
```
-> If this process is automated, you may need to wait to ensure the CSR has been received and stored:
`kubectl get csr ${CSR_NAME}`
3. Approve the CSR in Kubernetes.
```bash
kubectl certificate approve ${CSR_NAME}
```shell-session
$ kubectl certificate approve ${CSR_NAME}
certificatesigningrequest.certificates.k8s.io/vault-csr approved
```
4. Verify that the certificate was approved and issued.
```shell-session
$ kubectl get csr ${CSR_NAME}
NAME AGE SIGNERNAME REQUESTOR CONDITION
vault-csr 1m13s kubernetes.io/kubelet-serving kubernetes-admin Approved,Issued
```
## 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
1. Retrieve the certificate.
```bash
serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
```shell-session
$ serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
```
-> If this process is automated, you may need to wait to ensure the certificate has been created.
If it hasn't, this will return an empty string.
2. Write the certificate out to a file.
```bash
echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt
```shell-session
$ echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt
```
3. Retrieve Kubernetes CA.
```bash
kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
```shell-session
$ kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
```
4. Create the namespace.
```bash
kubectl create namespace ${NAMESPACE}
```shell-session
$ kubectl create namespace ${NAMESPACE}
namespace/vault-namespace created
```
5. Store the key, cert, and Kubernetes CA into Kubernetes secrets.
```bash
kubectl create secret generic ${SECRET_NAME} \
--namespace ${NAMESPACE} \
--from-file=vault.key=${TMPDIR}/vault.key \
--from-file=vault.crt=${TMPDIR}/vault.crt \
--from-file=vault.ca=${TMPDIR}/vault.ca
```shell-session
$ kubectl create secret generic ${SECRET_NAME} \
--namespace ${NAMESPACE} \
--from-file=vault.key=${TMPDIR}/vault.key \
--from-file=vault.crt=${TMPDIR}/vault.crt \
--from-file=vault.ca=${TMPDIR}/vault.ca
# secret/vault-server-tls created
```
## 3. Helm Configuration
Expand Down

0 comments on commit 76b1768

Please sign in to comment.