Using Letsencrypt certificates for Vault setup on kubernetes

Hi All,

Requirement - is to set up Vault in Kubernetes using the Helm chart (HashiCorp Helm chart) by leveraging Let's Encrypt certificates. Setup details as follows.

Infra - Kubernetes
Vault cluster node count - 5
Auto-unseal - AWS KMS
Backend - Integrated storage (Raft)

As per the documentation we need to set up end-to-end TLS encryption, i.e. from client to load balancer & load balancer to target backends. So how should the certificate info (Let's Encrypt) be configured for the load balancer & Raft backends?

Did you get an answer to your question? I’m interested in the same config in vault

Let’s Encrypt might be a reasonable solution for a Vault loadbalancer endpoint that is exposed to the public internet (although do you really want to do that?), in which case the answer would be “just refer to general documentation about Let’s Encrypt and your loadbalancer implementation”.

For individual Vault node certificates, I do feel I need to re-ask the question of do you really want to expose those to the public internet?

But if you’ve decided it’s fine, you’d need to, for yourself, figure out how you’re going to serve responses to ACME challenges (HTTP-01 or DNS-01 - you decide), and implement that.

Short version: This is a “build it yourself” scenario, not just a “configure it” one. I would imagine most people use private/internal CAs for backend node certificates.
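To make the split in the reply above concrete (Let's Encrypt only at the public load balancer, a private/internal CA for the node certificates that the load balancer re-encrypts to and that Raft peers use among themselves), here is an added example of Vault Helm chart values for the setup described in the question: 5 nodes, Integrated Storage, AWS KMS auto-unseal. It is not from the thread or from the HashiCorp chart's defaults. It assumes you have already issued node certificates from your internal CA and stored them in a Kubernetes secret named `vault-node-tls` (an assumed name) with keys `tls.crt`, `tls.key` and `ca.crt`; the KMS key id and region are placeholders.

```yaml
# Added example: values.yaml for the hashicorp/vault Helm chart.
# Node TLS comes from a private CA (secret "vault-node-tls", assumed name);
# the Let's Encrypt certificate lives only on the load balancer in front of the
# "vault" service and is configured there, not in Vault.
global:
  tlsDisable: false          # keep TLS on the listener (end-to-end encryption)

server:
  # Mount the internal-CA-issued node certificate into every Vault pod.
  volumes:
    - name: vault-node-tls
      secret:
        secretName: vault-node-tls   # assumed secret: tls.crt, tls.key, ca.crt
  volumeMounts:
    - name: vault-node-tls
      mountPath: /vault/userconfig/vault-node-tls
      readOnly: true

  # Let the vault CLI inside the pod (e.g. `vault operator raft list-peers`)
  # trust the internal CA when it talks to the local listener.
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-node-tls/ca.crt

  ha:
    enabled: true
    replicas: 5
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          # Node certificate from the private CA. Its SANs must cover the
          # per-pod names the peers use below, e.g. "*.vault-internal".
          tls_cert_file      = "/vault/userconfig/vault-node-tls/tls.crt"
          tls_key_file       = "/vault/userconfig/vault-node-tls/tls.key"
          tls_client_ca_file = "/vault/userconfig/vault-node-tls/ca.crt"
        }

        storage "raft" {
          path = "/vault/data"
          # One retry_join block per peer, addressed via the chart's headless
          # "vault-internal" service; each peer verifies the leader against the
          # same internal CA, so no Let's Encrypt material is involved here.
          retry_join {
            leader_api_addr         = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file     = "/vault/userconfig/vault-node-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-node-tls/tls.crt"
            leader_client_key_file  = "/vault/userconfig/vault-node-tls/tls.key"
          }
          retry_join {
            leader_api_addr         = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file     = "/vault/userconfig/vault-node-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-node-tls/tls.crt"
            leader_client_key_file  = "/vault/userconfig/vault-node-tls/tls.key"
          }
          retry_join {
            leader_api_addr         = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file     = "/vault/userconfig/vault-node-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-node-tls/tls.crt"
            leader_client_key_file  = "/vault/userconfig/vault-node-tls/tls.key"
          }
          # (add retry_join blocks for vault-3 and vault-4 in the same form)
        }

        # Auto-unseal with AWS KMS; placeholders, replace with your own values.
        seal "awskms" {
          region     = "REPLACE-WITH-AWS-REGION"
          kms_key_id = "REPLACE-WITH-KMS-KEY-ID"
        }

        service_registration "kubernetes" {}
```

With this layout the load balancer terminates the public Let's Encrypt certificate, then re-encrypts to the pods and verifies them against `ca.crt` from the internal CA (how that backend trust is configured is specific to your ingress or load balancer). Two checks worth doing before rollout: confirm the node certificate's SANs include the `*.vault-internal` names, since `retry_join` verification fails silently-looking on a SAN mismatch, and keep the private CA key off the cluster entirely, so that a compromised pod cannot mint new node certificates.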