Nginx mTLS with Vault Secrets Operator: how to manage the CA cert chain and CRL?

We are trying to get a secret for Nginx for mTLS (see this doc: Client Certificate Authentication - Ingress-Nginx Controller).

For that we need a secret with 2 files:

  • ca.crt: with the root CA and the intermediate CA
  • ca.crl: with the root CRL and the intermediate CRL

Here is an example with the ricoberger operator (we use templating):

```yaml
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: api-client-ca
  namespace: nginx-ingress
spec:
  isBinary: false
  reconcileStrategy: Merge
  # the parent key of the four Vault paths below is missing from the original post
    ca_root: "pki/cert/ca"
    ca_api: "pki_api/cert/ca"
    crl_root: "pki/cert/crl"
    crl_api: "pki_api/cert/crl"
  templates:
    ca.crt: "{% .ca_root.Secrets.certificate %}\n{% .ca_api.Secrets.certificate %}"
    ca.crl: "{% .crl_root.Secrets.certificate %}\n{% .crl_api.Secrets.certificate %}"
  type: Opaque
```

This secret is used with the annotation

A new issue has been created to add a new CRD to read the PKI issuer: Add support for mTLS CA and CRL chain · Issue #657 · hashicorp/vault-secrets-operator · GitHub
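As an added example (not part of the post above and not code from either operator), the following Python script shows what the operator template in the post has to produce for ingress-nginx: an Opaque Secret whose `ca.crt` data is the root and intermediate CA certificates concatenated, and whose `ca.crl` data is the root and intermediate CRLs concatenated, each block separated by a newline as the `\n` in the post's templates does. Before base64-encoding, it checks that every PEM block in `ca.crt` is a CERTIFICATE and every block in `ca.crl` is an X509 CRL, so a private key or a CRL pasted into the wrong file is rejected instead of silently landing in the cluster. The PEM bodies, the secret name `api-client-ca` and the namespace `nginx-ingress` are constructed placeholders taken from the post, not real certificates.

```python
"""Assemble and sanity-check the ca.crt / ca.crl bundle that ingress-nginx
client certificate authentication expects, then emit the Secret manifest.
Inputs are PEM strings; the ones at the bottom are constructed placeholders."""
import base64
import re
from typing import Dict, List

# One PEM block; the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)

# Which PEM block types are permitted in each key of the secret.
ALLOWED_LABELS = {
    "ca.crt": {"CERTIFICATE"},
    "ca.crl": {"X509 CRL"},
}


def pem_blocks(text: str) -> List[Dict[str, str]]:
    """Split PEM text into blocks, each normalised to LF line endings and a
    trailing newline so concatenation never glues two blocks onto one line."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "\n".join(line.strip() for line in m.group("body").splitlines())
        blocks.append({
            "label": label,
            "pem": f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n",
        })
    return blocks


def build_bundle(key: str, parts: List[str]) -> str:
    """Concatenate PEM inputs for secret key `key` (root CA + intermediate CA
    for ca.crt, root CRL + intermediate CRL for ca.crl). Any block of the
    wrong type, e.g. a private key next to a certificate, rejects the bundle."""
    out = []
    for part in parts:
        blocks = pem_blocks(part)
        if not blocks:
            raise ValueError(f"{key}: an input contains no PEM block")
        for b in blocks:
            if b["label"] not in ALLOWED_LABELS[key]:
                raise ValueError(f"{key}: unexpected PEM block type '{b['label']}'")
            out.append(b["pem"])
    return "".join(out)


def bundle_labels(bundle: str) -> List[str]:
    """Block types present in a bundle, in order."""
    return [b["label"] for b in pem_blocks(bundle)]


def secret_manifest(name: str, namespace: str,
                    ca_parts: List[str], crl_parts: List[str]) -> dict:
    """Build a v1 Secret of type Opaque with base64 data entries ca.crt and
    ca.crl, the layout the ingress-nginx client-auth doc asks for."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {
            "ca.crt": enc(build_bundle("ca.crt", ca_parts)),
            "ca.crl": enc(build_bundle("ca.crl", crl_parts)),
        },
    }


def decode_data(manifest: dict, key: str) -> str:
    """Reverse the base64 encoding of one data entry, for verification."""
    return base64.b64decode(manifest["data"][key]).decode()


def render_yaml(manifest: dict) -> str:
    """Render the manifest as YAML; the shape is fixed, so no yaml library needed."""
    md = manifest["metadata"]
    lines = [
        f"apiVersion: {manifest['apiVersion']}",
        f"kind: {manifest['kind']}",
        "metadata:",
        f"  name: {md['name']}",
        f"  namespace: {md['namespace']}",
        f"type: {manifest['type']}",
        "data:",
    ]
    lines += [f"  {k}: {v}" for k, v in manifest["data"].items()]
    return "\n".join(lines) + "\n"


# Constructed placeholder PEM blocks (not real certificates, CRLs or keys).
ROOT_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUk9PVCBDQQ==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
ROOT_CRL = "-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQgUk9PVCBDUkw=\n-----END X509 CRL-----\n"
INTERMEDIATE_CRL = "-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQgSU5UIENSTA==\n-----END X509 CRL-----\n"
LEAKED_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    manifest = secret_manifest("api-client-ca", "nginx-ingress",
                               [ROOT_CA, INTERMEDIATE_CA], [ROOT_CRL, INTERMEDIATE_CRL])
    print(render_yaml(manifest))
```

Run it and pipe the output into `kubectl apply -f -` to get the same Secret the operator template is meant to render; the type check is the part worth keeping whatever tool produces the bundle, because nginx reads `ca.crt` as a trust bundle and a stray key or CRL in it either breaks the handshake or, worse, goes unnoticed.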