[Documentation] Certificate/TLS Auth with Hashicorp Vault
The documentation for Certificate/TLS Auth with Hashicorp Vault when creating secret stores is unclear.
The way I managed to make it work:
Create a kubernetes.io/tls secret:
apiVersion: v1
data:
  # The keys need to be tls.crt and tls.key. You can use chains in tls.crt
  tls.crt: LS0tVNJd<redacted>0tLQ==
  tls.key: LS0tLS1C<redacted>0tLQ==
kind: Secret
metadata:
  labels:
    app.kubernetes.io/managed-by: terraform
  name: vault-tls
  namespace: external-secrets
type: kubernetes.io/tls
Then configure the ClusterSecretStore.
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: example-vault-store
spec:
  # provider field contains the configuration to access the provider
  # which contains the secret. Exactly one provider must be configured.
  provider:
    vault:
      server: "https://example.vault.int"
      # Path is the mount path of the Vault KV backend endpoint
      # Used as a path prefix for the external secret key
      path: "service-users"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "ENTERPRISE/NAMESPACE"
      # base64 encoded string of certificate
      # caBundle:
      # # Instead of caBundle you can also specify a caProvider
      # # this will retrieve the cert from a Secret or ConfigMap
      caProvider:
        # Can be Secret or ConfigMap
        type: "ConfigMap"
        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
        namespace: "external-secrets"
        name: "ca-bundle"
        key: "caBundle"
      auth:
        cert:
          clientCert:
            # Apparently for ClusterSecretStore the namespace where to find the certificate secret needs to be set.
            namespace: "external-secrets"
            name: vault-tls
            key: tls.crt
          secretRef:
            # Apparently for ClusterSecretStore the namespace where to find the certificate secret needs to be set.
            namespace: "external-secrets"
            name: vault-tls
            key: tls.key
Hi @alexandrud. Our docs state that ClusterSecretStores are cluster-scoped - thus, adding this:
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: example-vault-store
  namespace: external-secrets ## This makes no sense
is wrong and is why you got confused in the first place.
Can you point where you've got the example manifests in the docs? If it is set like the example you've provided in your issue, we do need to update it.
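Added pre-apply check for the two pitfalls raised in this thread (a namespace on a cluster-scoped ClusterSecretStore, and cert-auth secret references that lack a namespace or point at a Secret without the tls.crt/tls.key keys). This is not external-secrets code; the manifests are constructed dicts, the shape a YAML loader would return, and the function names are my own.

```python
TLS_TYPE = "kubernetes.io/tls"

def _ref_problems(ref, label, ns_required):
    """Check one reference (clientCert / secretRef / caProvider)."""
    out = [f"{label}: {f} missing" for f in ("name", "key") if not ref.get(f)]
    if ns_required and not ref.get("namespace"):
        out.append(f"{label}: namespace missing (required for ClusterSecretStore)")
    return out

def check_vault_cert_store(store, secrets):
    """Return a list of problems; an empty list means the manifests agree.
    secrets maps (namespace, name) -> Secret manifest dict."""
    out = []
    cluster_scoped = store.get("kind") == "ClusterSecretStore"
    if cluster_scoped and store.get("metadata", {}).get("namespace"):
        out.append("metadata.namespace set on a cluster-scoped ClusterSecretStore")
    vault = store.get("spec", {}).get("provider", {}).get("vault", {})
    cert = vault.get("auth", {}).get("cert")
    if cert is None:
        return out + ["spec.provider.vault.auth.cert missing"]
    for label in ("clientCert", "secretRef"):  # cert -> tls.crt, key -> tls.key
        ref = cert.get(label, {})
        out += _ref_problems(ref, label, cluster_scoped)
        secret = secrets.get((ref.get("namespace"), ref.get("name")))
        if secret is None:
            out.append(f"{label}: Secret {ref.get('namespace')}/{ref.get('name')} not found")
        elif secret.get("type") != TLS_TYPE:
            out.append(f"{label}: Secret is not type {TLS_TYPE}")
        elif ref.get("key") not in secret.get("data", {}):
            out.append(f"{label}: key {ref.get('key')!r} not in Secret data")
    if "caProvider" in vault:  # ConfigMap or Secret; only the reference shape is checked
        out += _ref_problems(vault["caProvider"], "caProvider", cluster_scoped)
    return out

# Constructed sample mirroring the thread: a tls Secret plus a store whose
# secretRef forgot the namespace and whose metadata wrongly carries a namespace.
SECRETS = {("external-secrets", "vault-tls"): {
    "type": TLS_TYPE, "data": {"tls.crt": "<redacted>", "tls.key": "<redacted>"}}}
STORE = {"kind": "ClusterSecretStore",
         "metadata": {"name": "example-vault-store", "namespace": "external-secrets"},
         "spec": {"provider": {"vault": {"server": "https://example.vault.int",
             "caProvider": {"type": "ConfigMap", "namespace": "external-secrets",
                            "name": "ca-bundle", "key": "caBundle"},
             "auth": {"cert": {
                 "clientCert": {"namespace": "external-secrets", "name": "vault-tls", "key": "tls.crt"},
                 "secretRef": {"name": "vault-tls", "key": "tls.key"}}}}}}}

if __name__ == "__main__":
    for problem in check_vault_cert_store(STORE, SECRETS):
        print("PROBLEM:", problem)
```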
Hi @gusfcarvalho,
You are right, the namespace in the ClusterSecretStore metadata makes no sense. Not quite sure how it ended up in my config. Probably a copy paste from somewhere. The rest should be correct though. Figured an example for TLS auth with Hashicorp Vault can be added here: https://external-secrets.io/latest/provider/hashicorp-vault/#tls-certificates-authentication
I had to extrapolate from kubernetes and the mTLS examples and do some trial and error to get it working.
Did you try the configuration under https://external-secrets.io/latest/provider/hashicorp-vault/#mutual-authentication-mtls ? i.e. specify the client certs under the tls field?
I haven't. We don't control the Vault instance, so any configuration on that side is not possible for us. And the documentation led me to believe I would still need a Vault token or some other auth method, which I was trying to avoid:
the mTLS configuration solely focuses on TLS transport layer authentication and lacks any authorization-related capabilities. It's important to note that the Vault token must still be included in the request, following any of the supported authentication methods mentioned earlier.
I will give it a try in the next few days just to see if it works.
Thanks for confirming 🙂