I have vault-agent running, and injecting secrets into a Kubernetes pod. Very cool!
My next challenge is to have vault-agent inject a newly created PKI certificate into the pod.
I see and can use the annotation vault.hashicorp.com/agent-inject-secret-.
Is there a similar annotation for injecting a new certificate from pki/issue?
moayadi
September 29, 2020, 3:46pm
Hi @BradyWiseman, try this in the annotations:
# issuing CA of the certificate returned by pki/issue
vault.hashicorp.com/agent-inject-secret-ca.crt: ""
vault.hashicorp.com/agent-inject-template-ca.crt: |
  {{- with secret "k8_pki/issue/webcerts" "common_name=host.my-website.com" -}}
  {{ .Data.issuing_ca }}
  {{- end }}
# private key belonging to the issued certificate
vault.hashicorp.com/agent-inject-secret-tls.key: ""
vault.hashicorp.com/agent-inject-template-tls.key: |
  {{- with secret "k8_pki/issue/webcerts" "common_name=host.my-website.com" -}}
  {{ .Data.private_key }}
  {{- end }}
# the issued leaf certificate
vault.hashicorp.com/agent-inject-secret-tls.crt: ""
vault.hashicorp.com/agent-inject-template-tls.crt: |
  {{- with secret "k8_pki/issue/webcerts" "common_name=host.my-website.com" -}}
  {{ .Data.certificate }}
  {{- end }}
# whole response map, useful while debugging the template
vault.hashicorp.com/agent-inject-secret-all.crt: ""
vault.hashicorp.com/agent-inject-template-all.crt: |
  {{- with secret "k8_pki/issue/webcerts" "common_name=host.my-website.com" -}}
  {{ .Data }}
  {{- end }}
The ca.crt, tls.key and tls.crt should render in /vault/secrets/.
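Once the three files land in /vault/secrets/, it is worth confirming that what was rendered is actually usable before the application serves it. The following Go program is an added example, not the poster's code and not part of Vault or the agent injector: VerifyRendered checks that tls.key belongs to tls.crt, that tls.crt chains to ca.crt, and that the certificate is valid for the common name used in the templates above. Because there is no Vault server here, WriteSampleBundle is a constructed stand-in for pki/issue that writes a throwaway CA and leaf in the same three-file layout. The function names, the host name host.my-website.com and the directory layout are assumptions taken from the answer above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// VerifyRendered checks the files the answer's templates render into dir (ca.crt,
// tls.key, tls.crt): tls.key must belong to tls.crt, and tls.crt must chain to
// ca.crt and be valid for host. Point it at /vault/secrets in the pod.
func VerifyRendered(dir, host string) error {
	// LoadX509KeyPair fails when the private key does not match the certificate's public key.
	pair, err := tls.LoadX509KeyPair(filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key"))
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key do not pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	caPEM, _ := os.ReadFile(filepath.Join(dir, "ca.crt")) // a missing file yields no PEM below
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("ca.crt holds no PEM certificate")
	}
	// Verify checks the signature chain, validity window, server-auth EKU and the SAN for host.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// WriteSampleBundle is a constructed stand-in for pki/issue: a throwaway CA and a
// leaf for host, written in the same three-file layout. With mismatchKey set,
// tls.key is an unrelated key, the failure VerifyRendered is meant to catch.
func WriteSampleBundle(dir, host string, mismatchKey bool) error {
	now := time.Now()
	caKey, leafKey := mustKey(), mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	caCert, _ := x509.ParseCertificate(caDER) // parsing DER we just produced cannot fail
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:    []string{host}, // Verify matches host against SANs, not the CN
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	if mismatchKey {
		leafKey = mustKey() // a key the CA never certified, so tls.key will not pair with tls.crt
	}
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	files := map[string][]byte{
		"ca.crt":  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "vault-secrets")
	defer os.RemoveAll(dir)
	fmt.Println(WriteSampleBundle(dir, "host.my-website.com", false), VerifyRendered(dir, "host.my-website.com"))
}
```

VerifyRendered is the part to keep: run it against /vault/secrets from inside the pod (or against a copy of the directory) and treat a non-nil error as a reason not to serve the injected material. It catches a key and certificate that were not produced together, a CA file that is not the one that signed the leaf, an expired or not-yet-valid certificate, and a certificate issued for a different common name than the one the templates request.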