My Vault is an external instance (not hosted in K8S) secured with mTLS. What is the proper way of configuring mutual authentication for VSO?
I have created a Kubernetes secret ‘vault-secrets-operator-ca-cert’ with ca.crt, client.tls and client.key, but I’m still getting ‘remote error: tls: bad certificate’.
This is the Helm resource I’m using, but I’m not sure if vault.hashicorp.com/client-cert and vault.hashicorp.com/client-key are necessary:
```hcl
resource "helm_release" "vault_secrets_operator" {
  name             = "vault-secrets-operator"
  repository       = "https://helm.releases.hashicorp.com"
  chart            = "vault-secrets-operator"
  namespace        = "vault"
  version          = "0.1.0"
  create_namespace = true
  values = [
    <<EOF
annotations:
  vault.hashicorp.com/client-cert: '/vault/tls/client.crt'
  vault.hashicorp.com/client-key: '/vault/tls/client.key'
  vault.hashicorp.com/tls-secret: 'vault-secrets-operator-ca-cert'
defaultVaultConnection:
  enabled: true
  address: "https://vault.external.acme:8200"
  caCertSecretRef: "${kubernetes_secret.vault_secrets_operator_tls.metadata.0.name}"
  skipTLSVerify: true
EOF
  ]
}
```
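A small offline check for the secret and connection settings described in the question (an added example, not part of the post or of VSO itself). It assumes, as the VSO docs describe, that `caCertSecretRef` reads the CA from the key `ca.crt`, and it uses the poster's own `client.crt`/`client.key` key names; the sample Secret and connection values are constructed.

```python
import base64
import ssl
import tempfile
from pathlib import Path

# Key that VSO's caCertSecretRef reads from the referenced Secret.
CA_KEY = "ca.crt"
# Key names taken from the question; VSO itself defines no client-cert keys here.
CLIENT_CERT_KEY = "client.crt"
CLIENT_KEY_KEY = "client.key"

# Constructed sample data: the PEM bodies are placeholders, not real certificates.
def _b64(text):
    return base64.b64encode(text.encode()).decode()

SAMPLE_SECRET = {"metadata": {"name": "vault-secrets-operator-ca-cert"},
                 "data": {CA_KEY: _b64("placeholder CA pem"),
                          CLIENT_CERT_KEY: _b64("placeholder client cert pem"),
                          CLIENT_KEY_KEY: _b64("placeholder client key pem")}}
SAMPLE_CONNECTION = {"address": "https://vault.external.acme:8200",
                     "caCertSecretRef": "vault-secrets-operator-ca-cert",
                     "skipTLSVerify": True}

def _decode(secret, key):
    raw = secret.get("data", {}).get(key)
    return base64.b64decode(raw).decode() if raw else None

def cert_key_pair_loads(cert_pem, key_pem):
    """True only if the PEM cert and key parse and match; OpenSSL rejects mismatched pairs."""
    with tempfile.TemporaryDirectory() as d:
        cert_path, key_path = Path(d, "cert.pem"), Path(d, "key.pem")
        cert_path.write_text(cert_pem)
        key_path.write_text(key_pem)
        try:
            ssl.create_default_context().load_cert_chain(str(cert_path), str(key_path))
            return True
        except ssl.SSLError:
            return False

def diagnose(secret, connection):
    """Return human-readable findings about why an mTLS handshake to Vault could fail."""
    findings = []
    ca = _decode(secret, CA_KEY)
    if ca is None:
        findings.append(f"secret has no '{CA_KEY}' key, so caCertSecretRef cannot load the CA")
    cert, key = _decode(secret, CLIENT_CERT_KEY), _decode(secret, CLIENT_KEY_KEY)
    if cert is None or key is None:
        findings.append("secret lacks client cert or key; Vault sees no client certificate")
    elif not cert_key_pair_loads(cert, key):
        findings.append("client cert and key do not load as a matching pair")
    if connection.get("skipTLSVerify") and ca is not None:
        findings.append("skipTLSVerify: true disables server verification, so caCertSecretRef is moot")
    return findings
```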