Expose Vault in Kubernetes, which is installed with a self-signed certificate?

Hello All,
I am hoping to solve a few questions I have in mind.
I have installed Vault with a self-signed certificate, in HA mode with a Raft configuration. The installation and the agent sidecar are working fine; I am now planning to expose it outside the cluster so that it is available to clients, and I have no idea how to accomplish that or how to integrate it with an ingress.


VAULT_RELEASE_NAME="vault"
VAULT_INTERNAL_SVC="${VAULT_RELEASE_NAME}-internal"
NAMESPACE=vault
SECRET_NAME=vault-server-tls
TMPDIR=./cert          # note: this shadows the system TMPDIR that mktemp uses

mkdir -p "${TMPDIR}"   # the redirect below fails if the directory does not exist yet

# openssl req config for the server cert: the SANs only cover the in-cluster
# service names and loopback, not any hostname used from outside the cluster
cat <<EOF >"${TMPDIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${VAULT_INTERNAL_SVC}
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
IP.1 = 127.0.0.1
EOF

I have ingress-nginx and a domain as well.
One idea I have is to use TLS passthrough, but I wonder if this will work: if my domain is vault.example.com and I use TLS passthrough, will the Vault server be able to verify vault.example.com, since I haven't included it in the self-signed config?

Any idea or gist to nudge me in the right direction would be very helpful.
Thanks
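The passthrough question above, worked through as an added example that is not part of the original post: with ingress-nginx SSL passthrough the ingress never terminates TLS, it only routes the connection on the SNI name, so the certificate the client verifies is the one Vault itself serves. That certificate therefore has to list the public hostname in its SANs, and the client still has to trust the self-signed cert (for example via VAULT_CACERT). The script below builds a csr.conf that keeps the in-cluster names from the post and adds the public name as DNS.4, emits a matching Ingress, self-signs the cert and checks that it passes hostname verification for the public name. Assumptions not taken from the post: the public hostname vault.example.com, a Service named vault listening on 8200, and an ingress-nginx controller started with --enable-ssl-passthrough (without that flag the ssl-passthrough annotation is silently ignored).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a csr.conf whose SANs
# cover the in-cluster names from the post plus the public hostname that an
# ingress-nginx TLS-passthrough Ingress will route on, self-signs it, and
# checks that the resulting certificate passes hostname verification for
# that public name. Assumed: public host vault.example.com, Service "vault"
# on port 8200, and an ingress-nginx controller started with
# --enable-ssl-passthrough (otherwise the annotation below is ignored).
set -eu

VAULT_RELEASE_NAME="${VAULT_RELEASE_NAME:-vault}"
NAMESPACE="${NAMESPACE:-vault}"
VAULT_INTERNAL_SVC="${VAULT_RELEASE_NAME}-internal"
PUBLIC_HOST="${PUBLIC_HOST:-vault.example.com}"   # assumed public name

# Print an openssl req config. $1 is the public hostname added as DNS.4;
# without it, a client reaching Vault through passthrough fails verification.
make_csr_conf() {
  cat <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = $1
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${VAULT_INTERNAL_SVC}
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
DNS.4 = $1
IP.1 = 127.0.0.1
EOF
}

# Print an Ingress that hands the raw TLS stream to the Vault Service based
# on the SNI name. With passthrough the ingress never terminates TLS, so the
# certificate the client sees is the one Vault serves (no Ingress tls: block).
make_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${VAULT_RELEASE_NAME}
  namespace: ${NAMESPACE}
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: $1
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ${VAULT_RELEASE_NAME}
            port:
              number: 8200
EOF
}

# Self-sign a key/cert pair from config $1 into directory $2.
selfsign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2/vault.key" -out "$2/vault.crt" \
    -config "$1" -extensions v3_req >/dev/null 2>&1
}

# Succeed only if certificate $1 would pass hostname verification for $2,
# i.e. $2 is covered by its SAN list (what a client checks after passthrough).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

main() {
  dir="$(mktemp -d)"
  make_csr_conf "$PUBLIC_HOST" > "$dir/csr.conf"
  make_ingress "$PUBLIC_HOST" > "$dir/ingress.yaml"
  if command -v openssl >/dev/null 2>&1; then
    selfsign "$dir/csr.conf" "$dir"
    if cert_matches_host "$dir/vault.crt" "$PUBLIC_HOST"; then
      echo "OK: $dir/vault.crt covers $PUBLIC_HOST; apply $dir/ingress.yaml"
    else
      echo "FAIL: certificate does not cover $PUBLIC_HOST" >&2
      return 1
    fi
  else
    echo "openssl not found; wrote $dir/csr.conf and $dir/ingress.yaml only"
  fi
}

main "$@"
```

The Ingress path list is only there because the resource requires it; with passthrough enabled, ingress-nginx matches on the TLS SNI host and forwards the bytes untouched, so anything under paths has no effect. Note that an Ingress with a tls: section and a secret would instead terminate TLS at the ingress, in which case the hostname the client verifies is in the ingress certificate, and Vault's own certificate only needs to satisfy the ingress-to-backend hop.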