Kubernetes Vault with Injector - How can I use Let's Encrypt based certs when the sidecar only talks to the internal service?

I have a fairly straightforward k8s setup with Vault. I have already grabbed the certificate for its URL using Let's Encrypt and placed it in a secret, and I've added it using the extraVolumeMounts and specified the path to it within the config section.

But, when the injector attempts to connect to the Vault server, it always connects to the Vault k8s service (i.e. vault.vault.svc). Because LE doesn't allow private DNS SANs, it complains. I tried adding the k8s CA to the injector sidecar annotations, but it still complains.

Is it not possible to use Vault with Let's Encrypt certificates when running in Kubernetes?

Thank you.

You could have two listening ports with different certificates. The “public” port which uses the LE certificate and the “public” DNS name, and then an “internal” port which uses a different certificate with the vault.vault.svc DNS name (not LE).
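As an added illustration of the two-listener approach suggested above (example configuration written for this page, not taken from the original thread or from HashiCorp's docs), here is a Vault server config with one `listener "tcp"` block per certificate. The paths under `/vault/userconfig/`, the port `8210`, and the public name `vault.example.com` are assumptions; substitute the secret mount paths and DNS name used in your own chart values.

```hcl
# Public listener: serves the Let's Encrypt certificate whose SAN is the
# public DNS name. Clients outside the cluster use this port.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/vault/userconfig/vault-le-tls/tls.crt"   # assumed mount path
  tls_key_file    = "/vault/userconfig/vault-le-tls/tls.key"
  tls_min_version = "tls12"
}

# Internal listener: serves a separate, cluster-issued certificate whose SAN is
# vault.vault.svc (a private name Let's Encrypt will not sign). The injector's
# agent sidecars talk to this port, so their hostname check succeeds.
listener "tcp" {
  address         = "0.0.0.0:8210"                              # assumed port
  tls_cert_file   = "/vault/userconfig/vault-internal-tls/tls.crt"
  tls_key_file    = "/vault/userconfig/vault-internal-tls/tls.key"
  tls_min_version = "tls12"
}

# Address advertised to clients and redirected to from standby nodes;
# keep it on the public name so the LE certificate matches.
api_addr     = "https://vault.example.com:8200"   # assumed public name
cluster_addr = "https://vault.vault.svc:8201"
```

Two things have to line up for this to work: the Kubernetes `Service` for Vault must expose the second port as well as 8200, and the agent sidecars must be told to trust the CA that issued the internal certificate (the injector's `vault.hashicorp.com/ca-cert` / `vault.hashicorp.com/tls-secret` annotations point at that CA bundle). Because each listener only presents its own certificate, a request to the wrong port still fails verification, which is the behaviour you want: it keeps the public chain and the cluster-internal chain from being confused with each other.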

Ah, good call…I could have two different listeners configured. I’ll take a look at that.

That said, it does seem odd that the injector annotations don’t include a means to specify a particular server. I’m going to deploy the injector helm chart to a separate cluster, and configure the externalVaultAddr and see how that looks. I see in the helm chart that it sets the mode to “external”, but will need to dig deeper into what that actually changes.