I have a GKE-based Vault cluster installed with the Helm chart. I'm trying to get the sidecar to work. TLS is configured, and the sidecar causes vault-0 to log remote error: tls: bad certificate, so my config is close to working but wrong.
My TLS cert is created with openssl, and it consists of:
intermediate-ca-cert.pem - the CA cert
vault-cert.pem - Vault server cert, signed by the intermediate CA
vault-tls-key.pem - private key for the Vault server cert
A Kubernetes secret vault-tls provides these three files, mounted under /etc/tls, and the server config has:
tls_cert_file = "/etc/tls/vault-tls/vault-cert.pem"
tls_key_file = "/etc/tls/vault-tls/vault-tls-key.pem"
tls_client_ca_file = "/etc/tls/vault-tls/intermediate-ca-cert.pem"
Next, my point of confusion - how do I configure the sidecar injector?
What I've done is to bring over the intermediate-ca-cert.pem into the sidecar pod and point the injector at the cert, with these annotations:
vault.hashicorp.com/agent-copy-volume-mounts: "my-service"
vault.hashicorp.com/ca-cert: "/var/certs/intermediate-ca-cert.pem"
my-service mounts a configmap volume containing
I'm confused on the difference between:
// AnnotationVaultCACert is the path of the CA certificate used to verify Vault's
// CA certificate.
AnnotationVaultCACert = "vault.hashicorp.com/ca-cert"
// AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA.
AnnotationVaultCAKey = "vault.hashicorp.com/ca-key"
What exactly is the difference and purpose of each?
And any suggestions on how I configure the injector?