Hey all, I've got a Vault cluster running on Kubernetes; however, I'm running into issues with TLS certificates.
For Vault peer communication I've generated an SSL cert which is signed by our k8s CA, which is good and works well. I've also defined a CronJob that is responsible for taking a snapshot of the raft storage and then uploading this snapshot to S3 for safekeeping.
The issue I'm having is that the CronJob is experiencing an SSL error when trying to take the snapshot, specifically:
Error taking the snapshot: Get "https://10.233.125.78:8200/v1/sys/storage/raft/snapshot": x509: certificate is valid for 127.0.0.1, not 10.233.125.78
Below is my csr.conf, which I'm using to generate the K8s CSR:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = {SERVICE}
DNS.2 = {SERVICE}.{NAMESPACE}
DNS.3 = {SERVICE}.{NAMESPACE}.svc
DNS.4 = {SERVICE}.{NAMESPACE}.svc.cluster.local
DNS.5 = vault-prod-0.{SERVICE}
DNS.6 = vault-prod-1.{SERVICE}
DNS.7 = vault-prod-2.{SERVICE}
DNS.8 = vault-prod-active.${NAMESPACE}.svc.cluster.local
IP.1 = 127.0.0.1
I've tried removing the IP.1 field; however, it then throws an error about an IP not being present. I feel that there must be a better way of doing this. We have cert-manager set up in our cluster with a Let's Encrypt ClusterIssuer; can we use this to generate the certs for Vault peer communication?
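To make the quoted error concrete, here is an added example in Go (Vault's own language), not code from the post: it mints a certificate with the same shape of SAN list as the csr.conf above and runs the client-side SAN check that produces the "certificate is valid for 127.0.0.1, not 10.233.125.78" message, once against the pod IP and once against a service DNS name. The names vault-prod and vault-prod-active.vault.svc.cluster.local (namespace "vault") are assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildVaultCert mints a self-signed certificate carrying the same kind of SAN
// list as the csr.conf in the post: service DNS names plus 127.0.0.1 as an IP
// SAN. Added example, not the poster's code; all names are constructed.
func buildVaultCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanCovers runs the same SAN check a Go TLS client applies to the address it
// dialed; a mismatch yields the "certificate is valid for ..., not ..." error.
func sanCovers(cert *x509.Certificate, addr string) error {
	return cert.VerifyHostname(addr)
}

func main() {
	cert, err := buildVaultCert([]string{"vault-prod", "vault-prod-active.vault.svc.cluster.local"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	// The pod IP is not among the SANs (error); the service name is (nil).
	fmt.Println(sanCovers(cert, "10.233.125.78"))
	fmt.Println(sanCovers(cert, "vault-prod-active.vault.svc.cluster.local"))
}
```

The second check shows that reaching Vault through a SAN-covered service name satisfies the existing certificate without listing per-pod IPs and without turning off verification.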