Comment on page
Secret Type - CERT

The Certificate-Type is similar to a KEYVALUE-Type but the data has to be saved in a specific order. The reason for this is, that when you issue a new certificate from a PKI Secret Engine in Vault they are wrapped in a second data object.
How To:
First generate or use an existing PKI. A documentation can be found at HashiCorps documentation page for Vault. Now issue a certificate, pipe it to a file and save it to a KV Secret Engine:
$ vault write -format=json testpki/issue/testrole common_name=test-url.example.com > data.json
$ vault write secret/test-url.example.com @data.json
Now you should see that the data is saved in a second data object:
{
  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  },
  "warnings": null
}
Now you can create the Vault resource in Kubernetes:
apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-cert
spec:
  path: "secret/test-url.example.com"
  type: "CERT"
This will generate the Vault resource and also the secret:
$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
$ kubectl get secret test-cert
NAME        TYPE      DATA      AGE
test-cert   Opaque    2         8d
The data is stored to allow an Ingress to read it as tls. For more details on ingress configuration please see: https://koudingspawn.de/advanced-ingress/​
Change Adjustment Callback
For more details please see Change Detection!
Secret Type - PKIJKS
Secret Type - CERTJKS
Last modified 3yr ago