Hi! I’m currently setting up Vault with HA for our Kubernetes cluster, and I’m running into a bit of an issue.
I’m setting up TLS for secure communication, using our cert+key for *.companyname.com.
After doing helm install, I see that all of the joins fail, as the certificate isn’t valid for vault-x.vault-internal:8200, which makes sense.
How would I go about solving this? Do I need to change my cert/key, or can I change the internal address they go through, or what’s the best way to do this?
So normally “SAN” (subject alternative name) is how you define the “other” names a host can be known by in a certificate. www.foo.com would also have foo.com and 167.206.222.11 as a SAN. This makes www.foo.com and foo.com and 167.206.222.11 all valid hostnames.
However, I don’t believe you can have a wildcard SAN name, so in this case you actually need another cert for your cluster, one that would cover the {node}.vault-internal domain. Our certificate request usually has 10-12 SANs to cover the various names and domains of our cluster along with 127.0.0.1 as SANs.
Hmm, fair. So would I have to do something through cert-manager, or should I go with a self-signed cert? The documentation for injector.certs mentions “In a production environment, custom certs should probably be used”, and I’m a bit confused as to what a custom cert would be.
We use a self-signed cert as it’s all internal access, so up to you and your budget. There is nothing wrong with self-signed certificates for internal use as long as you use proper types, bits, lifespans and are careful with your CA key.
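Putting the two replies above together (the SAN list covering each {node}.vault-internal name plus 127.0.0.1, and an internal self-signed CA), here is an added example script; it is not from either poster and not Vault's or the Helm chart's own tooling. It assumes a namespace named vault, a StatefulSet named vault with 3 replicas, and the headless service name vault-internal from the original question; the CN, the lifespans and the file names are choices made for the example. It enumerates every pod name explicitly rather than relying on a wildcard, and the last two functions perform the same chain-plus-hostname check a joining peer's TLS client performs, so you can confirm coverage before a helm install rather than after the joins fail.

```shell
#!/bin/sh
# Added example (not from the thread or from Vault): build an internal CA and
# a server certificate whose SANs name every raft peer explicitly, then check
# the names the way a joining node's TLS client would.
# Assumed for the example: namespace "vault", StatefulSet "vault", headless
# service "vault-internal" (from the original question), 3 replicas.
set -eu

# Write an openssl config for the CA: a CA cert needs basicConstraints CA:TRUE
# and keyCertSign, or modern verifiers reject the chain.
write_ca_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = vault-internal-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Write the server config. One DNS.n entry per pod name a join may dial,
# plus the service names and 127.0.0.1 for the local listener.
write_server_config() {
  ns="$1"; replicas="$2"; out="$3"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = vault.%s.svc\n' "$ns"
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = @alt_names\n'
    printf '[alt_names]\n'
    n=1; i=0
    while [ "$i" -lt "$replicas" ]; do
      printf 'DNS.%d = vault-%d.vault-internal\n' "$n" "$i"; n=$((n + 1))
      printf 'DNS.%d = vault-%d.vault-internal.%s.svc\n' "$n" "$i" "$ns"; n=$((n + 1))
      i=$((i + 1))
    done
    printf 'DNS.%d = vault\n' "$n"; n=$((n + 1))
    printf 'DNS.%d = vault.%s.svc\n' "$n" "$ns"; n=$((n + 1))
    printf 'DNS.%d = vault.%s.svc.cluster.local\n' "$n" "$ns"
    printf 'IP.1 = 127.0.0.1\n'
  } > "$out"
}

# Create ca.key/ca.crt and vault.key/vault.crt in $3. The CA key belongs in
# offline storage or a sealed secret, never on the Vault pods; the 5-year CA
# and 1-year leaf lifespans are a starting point for the example only.
make_internal_pki() {
  ns="$1"; replicas="$2"; dir="$3"
  write_ca_config "$dir/ca.cnf"
  write_server_config "$ns" "$replicas" "$dir/vault.cnf"
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1825 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/vault.cnf" -keyout "$dir/vault.key" -out "$dir/vault.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/vault.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/vault.cnf" -extensions v3_req -out "$dir/vault.crt" 2>/dev/null
}

# The same check a peer performs on retry_join: chain to the CA and SAN match.
cert_covers_host() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/vault.crt" >/dev/null 2>&1; }
cert_covers_ip()   { openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/vault.crt" >/dev/null 2>&1; }

# Usage: sh make-vault-pki.sh <namespace> <replicas> <outdir>
if [ "$#" -eq 3 ]; then
  make_internal_pki "$1" "$2" "$3"
  openssl x509 -in "$3/vault.crt" -noout -ext subjectAltName
fi
```

Running it as `sh make-vault-pki.sh vault 3 ./pki` prints the SAN list so you can compare it against the hostnames in your retry_join stanzas; only vault.crt, vault.key and ca.crt then need to go into the Kubernetes secret the chart's TLS settings reference, while ca.key stays wherever you keep signing keys. If you add replicas later, the per-pod names are not covered until you reissue, which is the usual reason teams keep the SAN list generated rather than hand-maintained.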