Change-Id: I6ba1b15acb8dc50757be5cf5714bfe6492f082c0 Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
Vault Server Certificate
The solution optionally integrates the open source Vault containerized security application.
Vault is a containerized secrets management application that provides encrypted storage with policy-based access control and supports multiple secrets storage engines and auth methods.
For details about Vault installation and configuration, refer to Vault Secret and Data Management <vault-secret-and-data-management-security-index>.
Access to Vault is secured by HTTPS. The Vault server certificate and the Root certificate from which the server certificate is issued are stored in Kubernetes secrets in the vault namespace:
- vault-ca: the Vault Root certificate
- vault-server-tls: the Vault server certificate
A client that accesses the Vault server verifies the Vault server certificate against the vault-ca Root certificate. Therefore, the client must be configured to trust the vault-ca Root certificate.
The section Configure Vault Using the Vault REST API <configure-vault> contains examples that use curl to access Vault services.
Install Vault server certificate
During Vault application apply, the Root certificate and key are created automatically, and Cert Manager then generates the Vault server certificate from that Root certificate.
The Root certificate is valid for 10 years, while the server certificate is valid for 3 months.
Note
The vault-ca Root certificate is re-created when the Vault app is removed and re-applied.
Update/Renew Vault certificates
The Vault Root certificate is not renewed automatically. It must be updated manually by replacing the contents of the vault-ca secret with the new certificate and key files. The Vault server certificate (the vault-server-tls secret) is renewed automatically by Cert Manager, but the Vault server only re-reads its certificates when it receives a SIGHUP signal. In both cases, a SIGHUP signal must be sent to each Vault server process so that it loads the updated certificates before the old certificates expire. Send SIGHUP (signal 1) to each Vault server process with the following kubectl command, repeating it for each Vault pod:
POD=sva-vault-0
kubectl exec -n vault $POD -- pkill -1 -x vault
For information on how to generate a Root certificate using openssl in general, see create-certificates-locally-using-openssl. Refer to kubectl create secret tls --help to create a Kubernetes secret of type tls.
Note
After updating the certificate in the vault-ca secret, it is necessary to delete the vault-server-tls secret that contains the Vault server certificate generated by Cert Manager. Cert Manager does not automatically re-issue certificate resources when the issuing Root certificate is changed; see https://github.com/cert-manager/cert-manager/issues/5851. Until the server certificate is re-issued, it still chains to the old Root certificate, so a client that trusts only the new vault-ca Root certificate will reject it.
After the Root certificate is updated and Cert Manager regenerates the Vault server certificate, send a SIGHUP signal to prompt the Vault server process to load the new certificates.
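The following script is an added example and is not part of the StarlingX documentation or of the Vault or Cert Manager projects. It covers both the client-side check described earlier (a client verifies the server certificate against the vault-ca Root) and the rotation procedure above. openssl is used locally to stand in for Cert Manager so that the failure mode in the Note can be reproduced offline: a server certificate issued from the old Root no longer verifies once the Root changes, which is why vault-server-tls must be deleted and re-issued. Assumptions not taken from the page: openssl and kubectl are in PATH, the Vault pods are named sva-vault-<n> in the vault namespace, and the server name sva-vault used in the certificate is illustrative. Only rotate_vault_ca touches a cluster; nothing else here does.

```shell
#!/bin/sh
# Added example; not project code. Local openssl stands in for Cert Manager.
# Assumptions: openssl/kubectl in PATH, pods named sva-vault-<n> in namespace
# "vault", server name "sva-vault" is illustrative. Only rotate_vault_ca()
# talks to a cluster, and nothing in this file calls it automatically.
set -eu

# make_root_ca DIR NAME: self-signed Root CA with a 10-year validity, as on the page.
make_root_ca() {
    cat >"$1/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_server_cert DIR CA NAME: 90-day leaf signed by CA (the role Cert Manager
# plays for vault-server-tls; done with openssl here so the example runs offline).
issue_server_cert() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = sva-vault\n' >"$1/$3-req.cnf"
    cat >"$1/$3-ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sva-vault
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$3-req.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 90 -extfile "$1/$3-ext.cnf" -out "$1/$3.crt" 2>/dev/null
}

# verify_against_ca CA_CRT SERVER_CRT: the check a Vault client performs.
# Exit 0 only if SERVER_CRT chains to CA_CRT.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CRT SECONDS: exit 0 if CRT expires within SECONDS, i.e. the
# renewed certificate must be loaded (SIGHUP) before then.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# rotate_vault_ca NEW_CA_CRT NEW_CA_KEY: the page's manual procedure, in order.
rotate_vault_ca() {
    # 1. replace the vault-ca secret with the new Root certificate and key
    kubectl -n vault create secret tls vault-ca --cert="$1" --key="$2" \
        --dry-run=client -o yaml | kubectl apply -f -
    # 2. delete vault-server-tls so Cert Manager re-issues it from the new Root
    kubectl -n vault delete secret vault-server-tls
    until kubectl -n vault get secret vault-server-tls >/dev/null 2>&1; do sleep 5; done
    # 3. confirm the regenerated server certificate chains to the new Root
    regen=$(mktemp)
    kubectl -n vault get secret vault-server-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >"$regen"
    verify_against_ca "$1" "$regen" || { echo "server cert does not chain to new Root" >&2; return 1; }
    # 4. SIGHUP every Vault server process so it reloads the certificates
    for pod in $(kubectl -n vault get pods -o name | grep '^pod/sva-vault-[0-9]'); do
        kubectl -n vault exec "$pod" -- pkill -1 -x vault
    done
}

# demo_ca_rotation DIR: reproduce the Note's failure mode offline.
demo_ca_rotation() {
    make_root_ca "$1" ca-old
    issue_server_cert "$1" ca-old server-old
    verify_against_ca "$1/ca-old.crt" "$1/server-old.crt" || return 1
    make_root_ca "$1" ca-new
    # the leaf issued from the old Root is rejected by a client trusting only the new one
    if verify_against_ca "$1/ca-new.crt" "$1/server-old.crt"; then
        echo "unexpected: old leaf verified against new Root" >&2; return 1
    fi
    # re-issuing from the new Root (delete vault-server-tls on a cluster) fixes it
    issue_server_cert "$1" ca-new server-new
    verify_against_ca "$1/ca-new.crt" "$1/server-new.crt" || return 1
    # a fresh 90-day leaf is not due within a day but is due within ~116 days
    expires_within "$1/server-new.crt" 86400 && return 1
    expires_within "$1/server-new.crt" 10000000 || return 1
    echo "rotation check passed: re-issue vault-server-tls after changing vault-ca"
}

if [ "${VAULT_CERT_DEMO:-}" = 1 ]; then demo_ca_rotation "$(mktemp -d)"; fi
```

Run VAULT_CERT_DEMO=1 sh vault-cert-rotation.sh to exercise the offline demonstration; on a cluster, source the file and call rotate_vault_ca with the new Root certificate and key. The expires_within check is the one to schedule for vault-server-tls: the Cert Manager renewal only helps if the SIGHUP reaches every Vault process before the old certificate lapses.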