Internal CA for Storage Backend

Hi all,

I am trying to use an S3 storage backend for Vault. Vault itself runs in a K8s cluster and is deployed with Helm.

My issue is that the storage backend uses a certificate from a self-signed CA and when I try to use the “https://s3.storage.backend.local” I get an error “x509: certificate signed by unknown authority”.

Does anyone have any idea how I could add our internal CA to the Vault container?

Thanks for any ideas.

First - I’d like to discourage you from doing this. It’ll just cause you headaches. Vault is very sensitive to disk latency and using a remote S3 for the data itself will ruin your day with any sort of load.

That said, that URL doesn’t look like. Try using curl to access it from the pod. If the pod can resolve and verify the cert then Vault will be able to as well. If that’s not working you’ll have to modify the container image you’re using, add the cert from the site as a trusted cert. How depends on your base layer, check on how to add certs to that OS.

Hi aram,

thank you for your answer. I have already verified it with curl - even if it was not easy to install curl there without root - and I know that my own rootCA isn't inside the container. I just don't have an idea for a smart solution to inject the rootCA into the container.

I would need a pipeline to build the image regularly and a way to trigger this image build, because doing this manually would create a security issue, since I would forget it. It means it should work automatically with the latest/official vault image.

What I also tried was using an alpine image as an initContainer, but since I have no root user inside the container it is very hard to inject it this way, or I did it wrong.

Is there another smart way to make the rootCA known to the container?
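As an added example (not from either poster, and not part of the official Vault Helm chart), the values file below shows one way to make an internal root CA known to the Vault process without rebuilding the image or needing root inside the container, which is the constraint raised in the last post and the "add the cert as a trusted cert" step from the earlier answer. It relies on two facts: Kubernetes can mount a ConfigMap into the container filesystem as a non-root user, and Vault is a Go binary, so its outbound TLS (including the AWS SDK used by the S3 backend) honours the `SSL_CERT_FILE` environment variable when loading trust roots on Linux. The namespace `vault`, the ConfigMap name `internal-ca`, the Secret `vault-s3-creds`, the bucket name and the region are assumptions for illustration; the endpoint hostname is the one from the original post.

```yaml
# Assumed prerequisite (run once, as a cluster operator; the container needs no root):
#   kubectl -n vault create configmap internal-ca --from-file=ca.crt=./rootCA.pem
#   kubectl -n vault create secret generic vault-s3-creds \
#       --from-literal=access_key=... --from-literal=secret_key=...
# Then: helm upgrade --install vault hashicorp/vault -n vault -f values.yaml
server:
  # S3 replaces the local file store, so the data PVC is not needed.
  dataStorage:
    enabled: false

  # Mount the internal root CA read-only into the Vault container.
  volumes:
    - name: internal-ca
      configMap:
        name: internal-ca          # assumed ConfigMap name
  volumeMounts:
    - name: internal-ca
      mountPath: /etc/vault/ca
      readOnly: true

  # Go's crypto/x509 reads this file as a trust root on Linux; Go still scans
  # its default certificate directories, so public CAs in the base image stay trusted.
  extraEnvironmentVars:
    SSL_CERT_FILE: /etc/vault/ca/ca.crt

  # Keep the S3 credentials out of the config file; the s3 backend reads these env vars.
  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault-s3-creds   # assumed Secret name
      secretKey: access_key
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault-s3-creds
      secretKey: secret_key

  standalone:
    enabled: true
    config: |
      ui = true

      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1          # as in the chart default; front this with TLS in production
      }

      storage "s3" {
        bucket              = "vault-data"                       # assumed bucket
        endpoint            = "https://s3.storage.backend.local" # from the original post
        region              = "us-east-1"                        # assumed; many S3-compatible stores ignore it
        s3_force_path_style = "true"                             # typical for on-prem S3-compatible backends
      }
```

To check the result without installing curl in the pod, exec into the running container and confirm the file is present (`kubectl -n vault exec vault-0 -- cat /etc/vault/ca/ca.crt`) and that `SSL_CERT_FILE` is set in its environment; a Vault that starts cleanly and no longer logs `x509: certificate signed by unknown authority` against the S3 endpoint is the real confirmation. The same mount-plus-environment-variable pattern works with the `extraEnvironmentVars` and `volumeMounts` of any Go-based service, so the rebuild pipeline the OP was worried about is not required. If a rebuilt image is preferred anyway, the equivalent is to copy the CA into the base image's certificate directory and run its update-ca-certificates tool at build time, as the earlier answer describes.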