Hello,
I have a GKE-based Vault cluster installed with the Helm chart. I'm trying to get the sidecar to work. TLS is configured, and the sidecar causes vault-0 to log remote error: tls: bad certificate, so my config is close to working but wrong.
My TLS cert is created with openssl, and it consists of:
- intermediate-ca-cert.pem - the CA cert
- vault-cert.pem - Vault server cert, signed by the intermediate CA
- vault-tls-key.pem - private key for Vault server cert
A Kubernetes secret vault-tls provides these three files, mounted under /etc/tls, and the server config has:
tls_cert_file = "/etc/tls/vault-tls/vault-cert.pem"
tls_key_file = "/etc/tls/vault-tls/vault-tls-key.pem"
tls_client_ca_file = "/etc/tls/vault-tls/intermediate-ca-cert.pem"
Next, my point of confusion - how do I configure the sidecar injector?
What I've done is to bring over the intermediate-ca-cert.pem into the sidecar pod and point the injector at the cert, with these annotations:
vault.hashicorp.com/agent-copy-volume-mounts: "my-service"
vault.hashicorp.com/ca-cert: "/var/certs/intermediate-ca-cert.pem"
(my-service mounts a configmap volume containing intermediate-ca-cert.pem.)
I'm confused about the difference between
// AnnotationVaultCACert is the path of the CA certificate used to verify Vault's
// CA certificate.
AnnotationVaultCACert = "vault.hashicorp.com/ca-cert"
// AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA.
AnnotationVaultCAKey = "vault.hashicorp.com/ca-key"
What exactly is the difference and purpose of each?
And any suggestions on how I configure the injector?
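An added example, not code from the post or from the vault-k8s injector project, in Go using only the standard library. It performs the two checks a Go TLS client such as Vault Agent applies to the server certificate when it is given a ca-cert: that the leaf chains to that CA, and that it is valid for the host name dialled. Either failure is what makes the client send the bad certificate alert that then shows up in the server's log. The CA and server certificate it builds are constructed test data, and the host names vault.vault.svc and vault-0.vault-internal are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyServerCert does what a Go TLS client such as Vault Agent does with a ca-cert: trust only
// that CA, then require that the server leaf chains to it and is valid for the dialled host.
func VerifyServerCert(caPEM, leafPEM []byte, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in ca-cert file")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("server certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// MakeTestPair builds a constructed CA and a server certificate carrying the given SANs
// (test data, not the poster's real files), both returned as PEM.
// Errors are ignored: key generation and signing cannot fail for these fixed templates.
func MakeTestPair(sans []string) (caPEM, leafPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId used as the leaf's AKI
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vault"}, DNSNames: sans,
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
}
```

To run the same check against the real files, read intermediate-ca-cert.pem and vault-cert.pem from disk and pass the exact address the agent dials; a chain or SAN error from VerifyServerCert is the client-side cause of the alert the server logs.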