Secret Type - CERT
The CERT type is similar to the KEYVALUE type, but the data has to be stored in a specific structure. The reason is that when you issue a new certificate from a PKI secret engine in Vault, the result is wrapped in a second `data` object.

How To:

First generate a PKI or use an existing one; documentation can be found on HashiCorp's Vault documentation page. Then issue a certificate, pipe the JSON output to a file and write that file to a KV secret engine:
```shell
$ vault write -format=json testpki/issue/testrole common_name=test-url.example.com > data.json
$ vault write secret/test-url.example.com @data.json
```
When you read the secret back, you should see that the certificate data is nested in a second `data` object:
```json
{
  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  },
  "warnings": null
}
```
Now you can create the Vault resource in Kubernetes:
```yaml
apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-cert
spec:
  path: "secret/test-url.example.com"
  type: "CERT"
```
This creates the Vault resource, and the operator then generates the corresponding Kubernetes secret:
```shell
$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
```

```shell
$ kubectl get secret test-cert
NAME        TYPE     DATA   AGE
test-cert   Opaque   2      8d
```
The data is stored so that an Ingress can consume the secret as its TLS certificate and key. For more details on Ingress configuration please see: https://koudingspawn.de/advanced-ingress/
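The following is an added example, not code from the operator or from this page. It shows what the CERT type has to do with the KV read above: unwrap the nested `data.data` object produced by piping `vault write -format=json` output into the KV engine, check that the fields an Ingress needs are present, and build an Opaque secret with the two TLS entries. The Vault JSON is a constructed sample with placeholder values; the key names `tls.crt` and `tls.key` are the standard Ingress convention and are an assumption, since the page does not name the operator's keys.

```python
import base64
import json

# Constructed sample of a KV read after the two `vault write` commands on this
# page (nested data.data shape). PEM bodies are placeholders, not key material.
SAMPLE_KV_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {
            "certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE\n-----END CERTIFICATE-----",
            "issuing_ca": "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----",
            "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPRIVATEKEY\n-----END RSA PRIVATE KEY-----",
            "private_key_type": "rsa",
            "serial_number": "SERIAL",
        },
        "lease_duration": 0,
    },
})

# Fields without which the secret is useless to an Ingress.
REQUIRED_FIELDS = ("certificate", "private_key")


def unwrap_pki_payload(kv_json: str) -> dict:
    """Return the issued-certificate fields from a KV read.

    Accepts the double-wrapped shape (data.data.certificate) that results from
    storing `vault write -format=json` output as-is, and also a flat shape
    (data.certificate) in case only the inner object was stored. Raises
    ValueError when a required field is missing or empty.
    """
    doc = json.loads(kv_json)
    outer = doc.get("data") or {}
    inner = outer["data"] if isinstance(outer.get("data"), dict) else outer
    missing = [k for k in REQUIRED_FIELDS if not inner.get(k)]
    if missing:
        raise ValueError(f"secret is missing PKI fields: {missing}")
    return inner


def build_tls_secret(name: str, namespace: str, payload: dict) -> dict:
    """Build an Opaque Kubernetes Secret manifest with tls.crt / tls.key.

    The type and the two data entries match the `kubectl get secret` output on
    this page; the key names are an assumption (standard Ingress convention).
    The issuing CA is appended to tls.crt so the served chain is complete.
    """
    chain = payload["certificate"].rstrip("\n") + "\n"
    if payload.get("issuing_ca"):
        chain += payload["issuing_ca"].rstrip("\n") + "\n"

    def b64(text: str) -> str:
        return base64.b64encode(text.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"tls.crt": b64(chain), "tls.key": b64(payload["private_key"])},
    }


def secret_field(secret: dict, key: str) -> str:
    """Decode one base64 entry of a Secret manifest back to text."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    payload = unwrap_pki_payload(SAMPLE_KV_RESPONSE)
    manifest = build_tls_secret("test-cert", "default", payload)
    print(json.dumps(manifest, indent=2))
```

The unwrap step is the one that differs from the KEYVALUE type: a plain key/value mapping would be one level up, so a consumer that does not descend into the inner `data` object would find lease metadata instead of the certificate. The check for the required fields catches a secret that was written from the wrong file before it is turned into a broken TLS secret.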

Change Adjustment Callback

For more details please see Change Detection!