The following instructions demonstrate how to configure the Vault Agent Injector to use certificates generated by cert-manager. This allows you to run multiple replicas of the Vault Agent Injector in a Kubernetes cluster.
For this example we will bootstrap a self-signed certificate authority (CA) Issuer. If you already have a ClusterIssuer configured for your cluster, you may skip this step.
Save the manifest to a file named ca-issuer.yaml and apply it to your Kubernetes cluster:
$ kubectl apply -n vault -f ca-issuer.yaml
issuer.cert-manager.io/selfsigned created
certificate.cert-manager.io/injector-selfsigned-ca created
issuer.cert-manager.io/injector-ca-issuer created

$ kubectl -n vault get issuers -o wide
NAME                 READY   STATUS                AGE
injector-ca-issuer   True    Signing CA verified   7s
selfsigned           True                          7s

$ kubectl -n vault get certificates injector-selfsigned-ca -o wide
NAME                     READY   SECRET               ISSUER       STATUS                                          AGE
injector-selfsigned-ca   True    injector-ca-secret   selfsigned   Certificate is up to date and has not expired   32s
Next, create a Certificate request so that cert-manager generates a certificate and key signed by the certificate authority above. The Vault Agent Injector uses this certificate and key to serve TLS to the Kubernetes API server when it calls the mutating webhook.
The Certificate object references the CA issuer created above and names the Secret in which cert-manager stores the CA, the certificate, and the key.
Important note: the dnsNames of the certificate must match the DNS name of the Vault Agent Injector's Kubernetes Service, built from the Service name and the namespace it is deployed in using the pattern <k8s service name>.<k8s namespace>.svc. In this example the Service is vault-agent-injector-svc in the vault namespace, so the name is vault-agent-injector-svc.vault.svc. The API server connects to the webhook through that Service name and validates the serving certificate against it, so a certificate issued for any other name fails the TLS handshake and injection stops working.
Save the Certificate YAML to a file named injector-certificate.yaml and apply it to your cluster:
$ kubectl -n vault apply -f injector-certificate.yaml
certificate.cert-manager.io/injector-certificate created

$ kubectl -n vault get certificates injector-certificate -o wide
NAME                   READY   SECRET         ISSUER               STATUS                                          AGE
injector-certificate   True    injector-tls   injector-ca-issuer   Certificate is up to date and has not expired   41s

$ kubectl -n vault get secret injector-tls
NAME           TYPE                DATA   AGE
injector-tls   kubernetes.io/tls   3      6m59s
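Before pointing the injector at the Secret, it is worth checking the issued pair the way the API server will: the SAN must be <service>.<namespace>.svc and tls.crt must chain to ca.crt. The script below is an added example, not part of the Vault documentation; it assumes openssl is installed and reads files laid out like the three keys of the injector-tls Secret (ca.crt, tls.crt, tls.key), and builds constructed fixtures locally so it runs without a cluster.

```shell
# Added example: validate a cert-manager issued pair for the Vault Agent Injector.
# Assumes openssl on PATH; the fixtures below are constructed, not cluster data.

# Exit 0 if CERT carries a subjectAltName entry DNS:NAME, 1 otherwise.
san_has_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -x "DNS:$2" >/dev/null
}

# Exit 0 if CERT verifies against CA_CERT (the ca.crt key of the Secret).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks on a directory holding ca.crt and tls.crt for injector
# Service SVC in namespace NS, using the <svc>.<ns>.svc pattern from the note.
check_injector_cert() {
  dir="$1"; name="$2.$3.svc"
  san_has_dns "$dir/tls.crt" "$name" && chains_to_ca "$dir/ca.crt" "$dir/tls.crt"
}

# Constructed fixtures: a self-signed CA and a leaf it signs with the given SAN,
# standing in for what injector-ca-issuer and injector-certificate produce.
make_fixtures() {
  dir="$1"; san="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=injector-selfsigned-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=vault-agent-injector" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$san" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/tls.crt" >/dev/null 2>&1
}

# Stand-alone demo: a pair with the right SAN passes; one issued for another
# namespace is rejected even though it chains to the same CA.
demo() {
  d=$(mktemp -d)
  make_fixtures "$d" vault-agent-injector-svc.vault.svc
  check_injector_cert "$d" vault-agent-injector-svc vault && echo "vault: ok"
  make_fixtures "$d" vault-agent-injector-svc.other.svc
  check_injector_cert "$d" vault-agent-injector-svc vault || echo "other: SAN mismatch"
  rm -rf "$d"
}
demo
```

Against a live cluster, `kubectl -n vault get secret injector-tls -o go-template` with base64 decoding of the three keys gives the same file layout as the fixtures.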