There are four variables that will be used in this example.
```shell
# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
export SERVICE=vault-server-tls

# NAMESPACE where the Vault service is running.
export NAMESPACE=vault-namespace

# SECRET_NAME to create in the Kubernetes secrets store.
export SECRET_NAME=vault-server-tls

# TMPDIR is a temporary working directory.
export TMPDIR=/tmp

# CSR_NAME will be the name of our certificate signing request as seen by Kubernetes.
export CSR_NAME=vault-csr
```
Create a key for Kubernetes to sign.
```shell-session
$ openssl genrsa -out ${TMPDIR}/vault.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
...............+++
e is 65537 (0x10001)
```
Create a Certificate Signing Request (CSR).
Create a file ${TMPDIR}/csr.conf with the following contents:
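As an added example (not the tutorial's own csr.conf or scripts), the script below generates the key and CSR from the SERVICE, NAMESPACE and TMPDIR variables defined above and prints the CSR's subject alternative names so they can be checked against the service's in-cluster DNS names before the request is submitted for signing. The SAN list, the request extensions and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Vault tutorial: build a CSR whose SANs cover the
# Kubernetes service DNS names (assumed list) and expose them for review.
set -eu

make_vault_csr() {
  service="$1"; namespace="$2"; workdir="$3"
  # Restrict the key file to the current user; it will later be wrapped in a Secret.
  umask 077
  openssl genrsa -out "${workdir}/vault.key" 2048 2>/dev/null
  # Assumed request config: CN and SANs derived from the service name and namespace.
  cat > "${workdir}/csr.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
DNS.4 = ${service}.${namespace}.svc.cluster.local
IP.1 = 127.0.0.1
EOF
  openssl req -new -key "${workdir}/vault.key" \
    -subj "/CN=${service}.${namespace}.svc" \
    -out "${workdir}/server.csr" -config "${workdir}/csr.conf"
}

# Print the SAN line of a CSR so the names can be reviewed before approval.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: make_vault_csr "$SERVICE" "$NAMESPACE" "$TMPDIR" && csr_sans "$TMPDIR/server.csr"
```

A CSR whose SAN list does not include the name clients will use (for example the `.svc` form) will be signed without error but rejected at TLS handshake time, so review the printed names before creating the Kubernetes CertificateSigningRequest.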
The custom-values.yaml below can be used to set up a single-server Vault cluster using TLS.
This assumes that a Kubernetes secret exists containing the server certificate, key and
certificate authority: