• Overview
    • Automated PKI Infrastructure
    • Data Encryption & Tokenization
    • Database Credential Rotation
    • Dynamic Secrets
    • Identity-based Access
    • Key Management
    • Kubernetes Secrets
    • Secrets Management
  • Enterprise
  • Tutorials
  • Docs
  • API
  • Community
GitHubTry Cloud
Download
    • v1.11.x (latest)
    • v1.10.x
    • v1.9.x
    • v1.8.x
    • v1.7.x
    • v1.6.x
    • v1.5.x
    • v1.4.x
  • What is Vault?
  • Use Cases
    • CLI Quick Start
    • HCP Quick Start
    • Developer Quick Start

  • Browser Support
  • Installing Vault
    • Overview
    • Architecture
    • High Availability
    • Integrated Storage
    • Security Model
    • Telemetry
    • Token Authentication
    • Key Rotation
    • Replication
    • Limits and Maximums
    • Overview
    • 'Dev' Server
    • Seal/Unseal
    • Namespace API Lock
    • Lease, Renew, and Revoke
    • Authentication
    • Tokens
    • Identity
    • OIDC Provider
    • Response Wrapping
    • Policies
    • Password Policies
    • Username Templating
    • High Availability
    • Storage
      • Overview
      • Autopilot
    • PGP, GnuPG, and Keybase
    • Recovery Mode
    • Resource Quotas
      • Overview
      • FAQ
    • Transform
    • Mount Migration
    • Overview
      • Overview
      • TCP
    • replication
      • Overview
      • AliCloud KMS
      • AWS KMS
      • Azure Key Vault
      • GCP Cloud KMS
      • OCI KMS
      • HSM PKCS11 ENT
      • Vault Transit
    • sentinel
      • Overview
      • Consul
      • Kubernetes
      • Overview
      • Aerospike
      • Alicloud OSS
      • Azure
      • Cassandra
      • CockroachDB
      • Consul
      • CouchDB
      • DynamoDB
      • Etcd
      • Filesystem
      • FoundationDB
      • Google Cloud Spanner
      • Google Cloud Storage
      • In-Memory
      • Manta
      • MSSQL
      • MySQL
      • OCI Object Storage
      • PostgreSQL
      • Integrated Storage (Raft)
      • S3
      • Swift
      • Zookeeper
    • telemetry
    • ui
    • Log Completed Requests
    • Entropy Augmentation ENT
    • kms_library ENT
    • Overview
    • agent
      • Overview
      • disable
      • enable
      • list
      • Overview
      • disable
      • enable
      • help
      • list
      • move
      • tune
    • debug
    • delete
      • Overview
      • delete
      • destroy
      • enable-versioning
      • get
      • list
      • metadata
      • patch
      • put
      • rollback
      • undelete
      • Overview
      • lookup
      • renew
      • revoke
      • Overview
      • get
      • inspect
    • list
    • login
    • monitor
    • namespace
      • Overview
      • diagnose
      • generate-root
      • init
      • key-status
      • members
      • migrate
      • raft
      • rekey
      • rotate
      • seal
      • step-down
      • unseal
      • usage
    • path-help
      • Overview
      • deregister
      • info
      • list
      • register
      • reload
      • Overview
      • delete
      • fmt
      • list
      • read
      • write
    • read
      • Overview
      • disable
      • enable
      • list
      • move
      • tune
    • server
    • ssh
    • status
      • Overview
      • capabilities
      • create
      • lookup
      • renew
      • revoke
    • unwrap
    • version
    • version-history
    • write
    • Token Helpers
    • Overview
      • Overview
        • Overview
        • AliCloud
        • AppRole
        • AWS
        • Azure
        • Cert
        • CF
        • GCP
        • JWT
        • Kerberos
        • Kubernetes
        • Overview
        • File
      • Overview
        • Overview
        • Kubernetes
    • Templates
    • Windows service

    • Overview
    • Active Directory
    • AliCloud
    • AWS
    • Azure
    • Consul
    • Cubbyhole
      • Overview
      • Cassandra
      • Couchbase
      • Elasticsearch
      • HanaDB
      • IBM Db2
      • InfluxDB
      • MongoDB
      • MongoDB Atlas
      • MSSQL
      • MySQL/MariaDB
      • Oracle
      • PostgreSQL
      • Redshift
      • Snowflake
      • Custom
    • Google Cloud
    • Google Cloud KMS
      • Overview
      • Identity Tokens
      • OIDC Identity Provider
      • Overview
      • Azure Key Vault
      • AWS KMS
      • GCP Cloud KMS
      • Overview
      • K/V Version 1
      • K/V Version 2
    • KMIP ENTERPRISE
    • Kubernetes
    • MongoDB Atlas
    • Nomad
    • OpenLDAP
      • Overview
      • Setup and Usage
      • Quick Start - Root CA Setup
      • Quick Start - Intermediate CA Setup
      • Considerations
      • Rotation Primitives
    • RabbitMQ
      • Overview
      • Signed Certificates
      • SSH OTP
      • Dynamic Key
    • Terraform Cloud
    • TOTP
      • Overview
      • FF3-1 Tweak Usage
      • Tokenization Transform ENTERPRISE
    • Transit
    • Venafi (Certificates)
    • Overview
    • AppRole
    • AliCloud
    • AWS
    • Azure
    • Cloud Foundry
    • GitHub
    • Google Cloud
      • Overview
      • OIDC Providers
    • Kerberos
    • Kubernetes
    • LDAP
      • Overview
      • FAQ
    • Oracle Cloud Infrastructure
    • Okta
    • RADIUS
    • TLS Certificates
    • Tokens
    • Username & Password

    • App ID DEPRECATED
    • Overview
    • File
    • Syslog
    • Socket
    • Overview
    • Plugin Architecture
    • Plugin Development
    • Plugin Management
    • Plugin Portal
  • Vault Integration Program
  • Troubleshoot

    • Overview
      • Overview
      • Agent Injector vs. Vault CSI Provider
        • Overview
        • Running Vault
        • Enterprise Licensing
        • Running Vault on OpenShift
        • Configuration
          • Overview
          • Development
          • Standalone with Load Balanced UI
          • Standalone with TLS
          • Standalone with Audit Storage
          • External Vault
          • Using Kubernetes Auth Method
          • HA Cluster with Consul
          • HA Cluster with Raft
          • HA Enterprise Cluster with Raft
          • HA Enterprise DR Clusters with Raft
          • HA Enterprise Performance Clusters with Raft
          • Vault Agent Injector TLS Configuration
          • Vault Agent Injector TLS with Cert-Manager
        • Overview
        • Annotations
        • Installation
        • Examples
        • Overview
        • Installation
        • Configurations
        • Examples
      • Overview
      • Vault Lambda Extension
      • Running Vault
      • Overview
      • Installation
      • Configuration
      • Troubleshooting
      • Overview
      • Installation
      • Configuration
      • Upgrading
      • Troubleshooting

    • Overview
    • Upgrade Plugins
    • Upgrade to 1.11.x
    • Upgrade to 1.10.x
    • Upgrade to 1.9.x
    • Upgrade to 1.8.x
    • Upgrade to 1.7.x
    • Upgrade to 1.6.3
    • Upgrade to 1.6.2
    • Upgrade to 1.6.1
    • Upgrade to 1.6.0
    • Upgrade to 1.5.3
    • Upgrade to 1.5.2
    • Upgrade to 1.5.1
    • Upgrade to 1.5.0
    • Upgrade to 1.4.6
    • Upgrade to 1.4.5
    • Upgrade to 1.4.4
    • Upgrade to 1.4.1
    • Upgrade to 1.4.0
    • Upgrade to 1.3.10
    • Upgrade to 1.3.9
    • Upgrade to 1.3.8
    • Upgrade to 1.3.5
    • Upgrade to 1.3.4
    • Upgrade to 1.3.3
    • Upgrade to 1.3.2
    • Upgrade to 1.3.0
    • Upgrade to 1.2.7
    • Upgrade to 1.2.6
    • Upgrade to 1.2.5
    • Upgrade to 1.2.4
    • Upgrade to 1.2.1
    • Upgrade to 1.2.0
    • Upgrade to 1.1.2
    • Upgrade to 1.1.1
    • Upgrade to 1.1.0
    • Upgrade to 1.0.0
    • Upgrade to 0.11.6
    • Upgrade to 0.11.2
    • Upgrade to 0.11.0
    • Upgrade to 0.10.4
    • Upgrade to 0.10.2
    • Upgrade to 0.10.0
    • Upgrade to 0.9.6
    • Upgrade to 0.9.3
    • Upgrade to 0.9.2
    • Upgrade to 0.9.1
    • Upgrade to 0.9.0
    • Upgrade to 0.8.0
    • Upgrade to 0.7.0
    • Upgrade to 0.6.4
    • Upgrade to 0.6.3
    • Upgrade to 0.6.2
    • Upgrade to 0.6.1
    • Upgrade to 0.6.0
    • Upgrade to 0.5.1
    • Upgrade to 0.5.0

    • Overview
    • 1.11.0
    • 1.10.0
    • 1.9.0
    • 1.8.0
    • 1.7.0
    • 1.6.0
    • 1.5.0

    • Overview
    • FAQ

    • Overview
    • Feature Deprecation Notice and Plans
    • License
    • Client Count
    • Login MFA
    • Server Side Consistent Token

  • Glossary

    • Overview
      • Overview
      • Autoloading
      • FAQ
    • Replication
      • Overview
      • Behavioral Changes
      • Security
    • Automated Integrated Storage Snapshots
    • Automated Upgrades
    • Redundancy Zones
    • Lease Count Quotas
    • Entropy Augmentation
      • Overview
      • FIPS 140-2 Inside Vault
      • Seal Wrap for FIPS 140-2
    • Seal Wrap
    • Namespaces
    • Performance Standbys
    • Eventual Consistency
    • Control Groups
    • Managed Keys
      • Overview
      • Duo MFA
      • Okta MFA
      • PingID MFA
      • TOTP MFA
      • Overview
      • Examples
      • Properties
    • HCP Vault

The Vault website is being redesigned to help you find what you are looking for more effectively.

Type '/' to Search

»Vault Agent Injector TLS with Cert-Manager

The following instructions demonstrate how to configure the Vault Agent Injector to use certificates generated by cert-manager. This allows you to run multiple replicas of the Vault Agent Injector in a Kubernetes cluster.

»Prerequisites

Install cert-manager if not already installed (see the cert-manager documentation). For example, with helm:

$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

»Create a Certificate Authority (CA)

For this example we will bootstrap a self-signed certificate authority (CA) Issuer. If you already have a ClusterIssuer configured for your cluster, you may skip this step.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: injector-selfsigned-ca
spec:
  isCA: true
  commonName: Agent Inject CA
  secretName: injector-ca-secret
  duration: 87660h  # 10 years
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: injector-ca-issuer
spec:
  ca:
    secretName: injector-ca-secret
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: injector-selfsigned-ca
spec:
  isCA: true
  commonName: Agent Inject CA
  secretName: injector-ca-secret
  duration: 87660h  # 10 years
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: injector-ca-issuer
spec:
  ca:
    secretName: injector-ca-secret

Save that to a file named ca-issuer.yaml, and apply to your Kubernetes cluster:

$ kubectl apply -n vault -f ca-issuer.yaml
issuer.cert-manager.io/selfsigned created
certificate.cert-manager.io/injector-selfsigned-ca created
issuer.cert-manager.io/injector-ca-issuer created

$ kubectl -n vault get issuers -o wide
NAME                 READY   STATUS                AGE
injector-ca-issuer   True    Signing CA verified   7s
selfsigned           True                          7s

$ kubectl -n vault get certificates injector-selfsigned-ca -o wide
NAME                     READY   SECRET               ISSUER       STATUS                                          AGE
injector-selfsigned-ca   True    injector-ca-secret   selfsigned   Certificate is up to date and has not expired   32s
$ kubectl apply -n vault -f ca-issuer.yaml
issuer.cert-manager.io/selfsigned created
certificate.cert-manager.io/injector-selfsigned-ca created
issuer.cert-manager.io/injector-ca-issuer created

$ kubectl -n vault get issuers -o wide
NAME                 READY   STATUS                AGE
injector-ca-issuer   True    Signing CA verified   7s
selfsigned           True                          7s

$ kubectl -n vault get certificates injector-selfsigned-ca -o wide
NAME                     READY   SECRET               ISSUER       STATUS                                          AGE
injector-selfsigned-ca   True    injector-ca-secret   selfsigned   Certificate is up to date and has not expired   32s

»Create the Vault Agent Injector Certificate

Next we can create a request for cert-manager to generate a certificate and key signed by the certificate authority above. This certificate and key will be used by the Vault Agent Injector for TLS communications with the Kubernetes API.

The Certificate request object references the CA issuer created above, and specifies the name of the Secret where the CA, Certificate, and Key will be stored by cert-manager.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: injector-certificate
spec:
  secretName: injector-tls
  duration: 24h
  renewBefore: 144m  # roughly 10% of 24h
  dnsNames:
  - vault-agent-injector-svc
  - vault-agent-injector-svc.vault
  - vault-agent-injector-svc.vault.svc
  issuerRef:
    name: injector-ca-issuer
  commonName: Agent Inject Cert
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: injector-certificate
spec:
  secretName: injector-tls
  duration: 24h
  renewBefore: 144m  # roughly 10% of 24h
  dnsNames:
  - vault-agent-injector-svc
  - vault-agent-injector-svc.vault
  - vault-agent-injector-svc.vault.svc
  issuerRef:
    name: injector-ca-issuer
  commonName: Agent Inject Cert

Important Note: The dnsNames for the certificate must be configured to use the name of the Vault Agent Injector Kubernetes service and namespace where it is deployed.

In this example the Vault Agent Injector service name is vault-agent-injector-svc in the vault namespace. This uses the pattern <k8s service name>.<k8s namespace>.svc.

Save the Certificate yaml to a file and apply to your cluster:

$ kubectl -n vault apply -f injector-certificate.yaml
certificate.cert-manager.io/injector-certificate created

$ kubectl -n vault get certificates injector-certificate -o wide
NAME                   READY   SECRET         ISSUER               STATUS                                          AGE
injector-certificate   True    injector-tls   injector-ca-issuer   Certificate is up to date and has not expired   41s

$ kubectl -n vault get secret injector-tls
NAME           TYPE                DATA   AGE
injector-tls   kubernetes.io/tls   3      6m59s
$ kubectl -n vault apply -f injector-certificate.yaml
certificate.cert-manager.io/injector-certificate created

$ kubectl -n vault get certificates injector-certificate -o wide
NAME                   READY   SECRET         ISSUER               STATUS                                          AGE
injector-certificate   True    injector-tls   injector-ca-issuer   Certificate is up to date and has not expired   41s

$ kubectl -n vault get secret injector-tls
NAME           TYPE                DATA   AGE
injector-tls   kubernetes.io/tls   3      6m59s

»Configuration

Now that a certificate authority and a signed certificate have been created, we can now configure Helm and the Vault Agent Injector to use them.

Install the Vault Agent Injector with the following custom values:

$ helm install vault hashicorp/vault \
  --namespace=vault \
  --set injector.replicas=2 \
  --set injector.leaderElector.enabled=false \
  --set injector.certs.secretName=injector-tls \
  --set injector.webhookAnnotations="cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/injector-certificate"
$ helm install vault hashicorp/vault \
  --namespace=vault \
  --set injector.replicas=2 \
  --set injector.leaderElector.enabled=false \
  --set injector.certs.secretName=injector-tls \
  --set injector.webhookAnnotations="cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/injector-certificate"
github logoEdit this page
DocsAPILearnCommunityPrivacySecurityPress KitConsent Manager