Secret Type - CERT

The CERT type is similar to the KEYVALUE type, but the data has to be stored in a specific layout. The reason is that when you issue a new certificate from a PKI secret engine in Vault, the returned values are wrapped in a second data object.

How To:

First generate a new PKI or use an existing one; documentation can be found on HashiCorp's documentation page for Vault. Now issue a certificate, pipe the output to a file and save that file to a KV secret engine:

$ vault write -format=json testpki/issue/testrole common_name=test-url.example.com > data.json
$ vault write secret/test-url.example.com @data.json

Now you should see that the data is saved inside a second, nested data object:

{
  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  },
  "warnings": null
}

Now you can create the Vault resource in Kubernetes:

apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-cert
spec:
  path: "secret/test-url.example.com"
  type: "CERT"

This will create the Vault resource and also the Kubernetes secret:

$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
$ kubectl get secret test-cert
NAME        TYPE     DATA   AGE
test-cert   Opaque   2      8d
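Because the CERT type depends on the nested layout shown above, it is worth checking the KV entry before creating the Vault resource. The following pre-flight check is an added example, not part of the operator or of this page; it assumes the JSON comes from `vault read -format=json` on the KV path and only inspects the structure and PEM markers, it does not validate the certificate itself:

```python
import json

# Constructed sample (not from the page) of what `vault read -format=json
# secret/test-url.example.com` returns once the whole `vault write .../issue/...`
# response has been stored; PEM bodies are placeholders.
SAMPLE_KV_READ = json.dumps({
    "request_id": "REQUEST-ID", "lease_id": "", "lease_duration": 2764800,
    "renewable": False, "warnings": None,
    "data": {
        "data": {
            "certificate": "-----BEGIN CERTIFICATE-----\nCERT\n-----END CERTIFICATE-----",
            "issuing_ca": "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----",
            "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----",
            "private_key_type": "rsa", "serial_number": "SERIAL",
        },
        "lease_duration": 0, "lease_id": "", "renewable": False,
        "request_id": "REQUEST-ID-2", "warnings": None,
    },
})

# Constructed counter-example: only the inner bundle was written to the KV path,
# so the second "data" object the CERT type relies on is missing.
SAMPLE_FLAT_MISTAKE = json.dumps({"request_id": "REQUEST-ID", "lease_id": "",
    "data": {"certificate": "CERTIFICATE", "private_key": "PRIVATEKEY"}})

REQUIRED = ("certificate", "issuing_ca", "private_key")
PEM_MARKER = {"certificate": "CERTIFICATE", "issuing_ca": "CERTIFICATE",
              "private_key": "PRIVATE KEY"}  # also matches RSA/EC PRIVATE KEY

def validation_error(kv_read_json: str):
    """None if the KV entry has the nested layout the CERT type expects,
    otherwise a short reason suitable for a pre-flight log line."""
    doc = json.loads(kv_read_json)
    outer = doc.get("data")
    if not isinstance(outer, dict):
        return "no 'data' object: not a KV read response"
    inner = outer.get("data")
    if not isinstance(inner, dict):
        if any(k in outer for k in REQUIRED):
            return "bundle stored flat: write the whole issue response (data.json)"
        return "no nested 'data' object"
    missing = [k for k in REQUIRED if not inner.get(k)]
    if missing:
        return "bundle missing: " + ", ".join(missing)
    for key, marker in PEM_MARKER.items():  # cheap sanity check on the PEM blocks
        value = inner[key].lstrip()
        if not (value.startswith("-----BEGIN ") and marker + "-----" in value):
            return key + " is not a PEM block"
    return None  # layout is what the CERT type expects
```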

The data is stored in a form that allows an Ingress to read it as a TLS secret. For more details on Ingress configuration, please see: https://koudingspawn.de/advanced-ingress/