Nginx mTLS with Vault Secrets Operator: how to manage the CA cert chain and CRL?

Hi,
We are trying to get a secret for Nginx for mTLS (see this doc: Client Certificate Authentication - Ingress-Nginx Controller).

For that we need a secret with 2 files:

  • ca.crt: with the root ca and intermediate ca
  • ca.crl: with the root crl and the intermediate crl

Here is an example with the ricoberger operator (we use templating):

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: api-client-ca
  namespace: nginx-ingress
spec:
  isBinary: false
  reconcileStrategy: Merge
  paths:
    ca_root: "pki/cert/ca"
    ca_api: "pki_api/cert/ca"
    crl_root: "pki/cert/crl"
    crl_api: "pki_api/cert/crl"
  templates:
    ca.crt: "{% .ca_root.Secrets.certificate %}\n{% .ca_api.Secrets.certificate %}"
    ca.crl: "{% .crl_root.Secrets.certificate %}\n{% .crl_api.Secrets.certificate %}"
  type: Opaque

This secret is used with the annotation nginx.ingress.kubernetes.io/auth-tls-secret.

A new issue has been created to add a CRD that reads the PKI issuer: Add support for mTLS CA and CRL chain · Issue #657 · hashicorp/vault-secrets-operator · GitHub
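The templates above build ca.crt and ca.crl by joining two Vault values with a "\n". Whether nginx accepts the result depends on that join producing a clean PEM bundle: every block must carry the right label (CERTIFICATE in ca.crt, X509 CRL in ca.crl), the base64 must decode, and nothing else may be left in the data (an unrendered template placeholder or an empty secret path would otherwise silently break client-certificate checks). The following script is an added example, not part of the post or of either operator: it reproduces the join the template performs and validates the rendered secret before it is handed to the ingress. The Vault values are constructed stand-ins (tiny DER sequences, not real certificates or CRLs), so it runs offline.

```python
import base64
import re

# Constructed stand-ins for the values Vault's pki/cert/ca and pki/cert/crl
# endpoints return. The base64 bodies are tiny DER SEQUENCEs, not real
# certificates or CRLs, so the script runs without a Vault server.
def _pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

ROOT_CA = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
API_CA = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02").rstrip("\n")  # no trailing newline
ROOT_CRL = _pem("X509 CRL", b"\x30\x03\x02\x01\x03")
API_CRL = _pem("X509 CRL", b"\x30\x03\x02\x01\x04")

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n([A-Za-z0-9+/=\n]+?)\n-----END \1-----", re.S)


def render_bundle(*parts):
    """Join PEM values the way the VaultSecret template does ("\n" between
    entries), after stripping surrounding whitespace from each entry so a
    value with or without a trailing newline yields the same bundle."""
    return "\n".join(p.strip() for p in parts) + "\n"


def parse_pem_bundle(text, expected_label):
    """Split a PEM bundle into DER blobs, insisting that every block carries
    expected_label, base64-decodes cleanly, starts with a DER SEQUENCE tag
    (0x30) and that nothing but whitespace lies outside the blocks (an
    unrendered "{% ... %}" or an empty secret would fail here)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if label != expected_label:
            raise ValueError(f"unexpected {label!r} block, wanted {expected_label!r}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER SEQUENCE")
        blocks.append(der)
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        raise ValueError(f"stray text outside PEM blocks: {leftover[:40]!r}")
    if not blocks:
        raise ValueError("bundle contains no PEM blocks")
    return blocks


def check_auth_tls_secret(data):
    """Validate the two keys nginx's auth-tls-secret expects and return
    (number of certificates, number of CRLs) found in the bundles."""
    certs = parse_pem_bundle(data["ca.crt"], "CERTIFICATE")
    crls = parse_pem_bundle(data["ca.crl"], "X509 CRL")
    return len(certs), len(crls)


def build_secret_data():
    """Render the same two keys as the VaultSecret manifest's templates."""
    return {
        "ca.crt": render_bundle(ROOT_CA, API_CA),
        "ca.crl": render_bundle(ROOT_CRL, API_CRL),
    }


if __name__ == "__main__":
    print(check_auth_tls_secret(build_secret_data()))  # (2, 2)
```

The same check can be run against the live secret (kubectl get secret -o jsonpath, base64-decoded) after the operator has reconciled it, which is the point at which a wrong path such as pki/cert/crl returning an empty value would otherwise go unnoticed until client certificates start failing.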