Vault In Kubernetes - Setting up TLS

Hey all, I’ve got a Vault cluster running on Kubernetes however I’m running into issues with TLS certificates.

For Vault peer communication I’ve generated a SSL cert which is signed by our k8s CA which is good and works well. I’ve also defined a CronJob that is responsible for taking a snapshot of the raft storage and then uploads this snapshot to S3 for safe keeping.

The issue I’m having is the cronjob is experiencing a SSL error when trying to take the snapshot specifically

Error taking the snapshot: Get “”: x509: certificate is valid for, not

Below is my csr.conf which I’m using to generate the K8s CSR

req_extensions = v3_req
distinguished_name = req_distinguished_name
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 = {SERVICE} DNS.2 = {SERVICE}.{NAMESPACE} DNS.3 = {SERVICE}.{NAMESPACE}.svc DNS.4 = {SERVICE}.{NAMESPACE}.svc.cluster.local DNS.5 = vault-prod-0.{SERVICE}
DNS.6 = vault-prod-1.{SERVICE} DNS.7 = vault-prod-2.{SERVICE}
DNS.8 = vault-prod-active.${NAMESPACE}.svc.cluster.local
IP.1 =

I’ve tried removing the IP.1 field however it then throws an error about an IP not being present. I feel that there must be a better way of doing this. We have cert-manager setup in our cluster with a LetsEncrypt clusterissuer, can we use this to generate the certs for Vault peer communication?

In reality the TLS should terminate on the node with so there is no other IP that needs to be in the SAN. The SAN entries are all the different combination of names that the node can be referred to.

Make sure your ingress is a SSL pass-thru.