Vault-CRD

Secret Type - CERT

The CERT type is similar to the KEYVALUE type, but the data has to be stored in a specific layout. The reason is that when you issue a certificate from a PKI Secret Engine in Vault and write the full JSON response into a KV Secret Engine, the certificate fields end up wrapped in a second data object, and the CERT type reads them from exactly that position.

How To:

First generate a PKI or use an existing one; the setup is documented on HashiCorp's Vault documentation pages. Then issue a certificate, pipe the JSON response to a file and write that file into a KV Secret Engine:

$ vault write -format=json testpki/issue/testrole common_name=test-url.example.com > data.json
$ vault write secret/test-url.example.com @data.json

Reading the secret back shows that the certificate fields are nested in a second data object:

{
  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  },
  "warnings": null
}

Now you can create the Vault resource in Kubernetes:

apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-cert
spec:
  path: "secret/test-url.example.com"
  type: "CERT"

Applying this creates the Vault resource, and Vault-CRD creates the corresponding Kubernetes secret from it:

$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
$ kubectl get secret test-cert
NAME        TYPE      DATA      AGE
test-cert   Opaque    2         8d
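
The following is an added example, not code from Vault-CRD: it models the nesting the steps above produce (the full `vault write -format=json` response written verbatim into a KV v1 path, so the certificate fields land under data.data) and shows a pre-flight check that rejects a flat layout, for instance a file produced by piping the issue response through `jq .data` before writing it. The entry names tls.crt and tls.key, the leaf-then-issuer chain order, and the PEM placeholders are this example's assumptions; the page only states that the resulting secret is Opaque with two entries.

```python
import base64
import json

# Constructed stand-in for the file produced by
#   vault write -format=json testpki/issue/testrole common_name=... > data.json
# The PEM bodies are placeholders, as in the page's own listing.
ISSUE_RESPONSE = {
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "lease_id": "",
    "lease_duration": 0,
    "renewable": False,
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPRIVATEKEY\n-----END RSA PRIVATE KEY-----",
        "private_key_type": "rsa",
        "serial_number": "SERIAL",
    },
    "warnings": None,
}

REQUIRED_FIELDS = ("certificate", "issuing_ca", "private_key")
KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY")


def kv_write(file_contents):
    """Model `vault write secret/<path> @data.json` against a KV v1 engine.

    Every top-level key of the file becomes a field of the stored secret, and a
    later read returns those fields under `data`, so the issue response's own
    `data` object comes back as data.data. That is the nesting CERT expects.
    """
    return {"data": json.loads(json.dumps(file_contents))}


def locate_cert_fields(stored):
    """Return the inner object holding certificate, issuing_ca and private_key.

    Only the nested layout is accepted; a flat layout is rejected so a wrongly
    ordered secret is caught before a Vault resource is created for it.
    """
    inner = stored.get("data", {}).get("data")
    if not isinstance(inner, dict):
        raise ValueError("certificate fields must be nested under data.data")
    missing = [k for k in REQUIRED_FIELDS if not inner.get(k)]
    if missing:
        raise ValueError(f"data.data is missing {missing}")
    return inner


def is_pem(text, labels):
    """Cheap structural check: PEM armour carrying one of the expected labels."""
    lines = text.strip().splitlines()
    return (len(lines) >= 3
            and any(lines[0] == f"-----BEGIN {l}-----"
                    and lines[-1] == f"-----END {l}-----" for l in labels))


def to_tls_secret(name, stored):
    """Build an Opaque Secret with two entries, as in the kubectl output above.

    ASSUMPTION: the entry names tls.crt / tls.key and the leaf-then-issuer
    chain order are this example's choice, not something the page states.
    """
    fields = locate_cert_fields(stored)
    if not is_pem(fields["certificate"], ("CERTIFICATE",)):
        raise ValueError("certificate is not a PEM certificate")
    if not is_pem(fields["private_key"], KEY_LABELS):
        raise ValueError("private_key is not a PEM private key")
    chain = fields["certificate"].strip() + "\n" + fields["issuing_ca"].strip() + "\n"
    key = fields["private_key"].strip() + "\n"
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {"tls.crt": b64(chain), "tls.key": b64(key)},
    }


def decode_entry(manifest, key):
    """Return the plaintext of one base64-encoded Secret entry."""
    return base64.b64decode(manifest["data"][key]).decode()


if __name__ == "__main__":
    stored = kv_write(ISSUE_RESPONSE)
    print(json.dumps(to_tls_secret("test-cert", stored), indent=2))
    try:  # the flat layout (only the issue response's `data`) is refused
        to_tls_secret("broken", {"data": ISSUE_RESPONSE["data"]})
    except ValueError as exc:
        print("rejected:", exc)
```

Run it to see the manifest for the nested layout and the rejection for the flat one; in practice the same check belongs in whatever script writes data.json, before `vault write` is called.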

The secret is written in the layout an Ingress expects for TLS, so it can be referenced from the Ingress tls section. For more details on ingress configuration please see https://koudingspawn.de/advanced-ingress/

Change Adjustment Callback

For more details please see the Change Detection page!