Vault-CRD
  • Introduction
  • How does Vault-CRD work?
  • Supported Secret Types
    • Secret Type - KEYVALUE
    • Secret Type - KEYVALUEV2
    • Secret Type - PKI
    • Secret Type - PKIJKS
    • Secret Type - CERT
    • Secret Type - CERTJKS
    • Secret Type - DOCKERCFG
    • Secret Type - PROPERTIES
  • Change Detection
  • Install Vault-CRD
    • Self Signed Certificates
    • Enable Admission Webhook
Powered by GitBook
On this page
  • How TO
  • jksConfiguration
  • Change Adjustment Callback
  1. Supported Secret Types

Secret Type - PKIJKS

The PKIJKS-Type is the same as the PKI-Type. The only difference is that it converts the issued certificate into a Java Key Store.

How TO

How to generate a PKI is documented by HashiCorp in their Secrets Engine documentation. For a short simple example please see the How To section of PKi-Type.

After you have generated a PKI create the Vault resource in Kubernetes:

apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-pkijks
spec:
  path: "testpki/issue/testrole"
  type: "PKIJKS"
  pkiConfiguration:
    commonName: "localhost"
    ttl: "7m"
  jksConfiguration:
    password: "changeit"

Now you should see the Vault resource in Kubernetes and the newly generated secret:

$ kubectl get vault test-pkijks
NAME          AGE
test-pkijks   8d
$ kubectl get secret test-pkijks
NAME          TYPE      DATA      AGE
test-pkijks   Opaque    1         8d

The Java Key Store is saved by default in the key.jks field. It's possible to change the field via the jksConfiguration Object:

jksConfiguration

jksConfiguration:
  password: "changeit"
  alias: "main"
  keyName: "key.jks"

The field password defines the password that's used to secure the Key Store. The alias is for defining the name of the TLS-Certificate in the Key store and the key name is for specifying the save path in the secret.

Change Adjustment Callback

For more details please see Change Detection!

PreviousSecret Type - PKINextSecret Type - CERT

Last updated 4 years ago