
[VaultPKISecret] Populate ca.crt from the vault issuing_ca

Open djds opened this issue 2 years ago • 2 comments

Populate ca.crt from the Vault issuing_ca field in the Kubernetes Secret created by VaultPKISecret if the target Secret is of type kubernetes.io/tls. Many Kubernetes applications expect a CA to be located at that key, and this would obviate the need for separate CA ConfigMaps or Secrets in many cases. This is especially useful because Vault works great as a cluster CA, but it would also simplify the rollout of new trust anchors when the CA is updated or rotated.

djds avatar May 10 '23 15:05 djds

I also have this requirement, and it is blocking deployment; we cannot expect not to auto-populate caCertSecret when rolling out VSO to clusters.

nia-potato avatar Jun 29 '23 00:06 nia-potato

BTW, this can now be done using a template:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: example
spec:
  ...
  destination:
    name: pki1
    transformation:
      templates:
        ca.crt:
          text: |
            {{- printf "%s" (get .Secrets "issuing_ca") -}}

tvoran avatar Feb 26 '24 20:02 tvoran

Indeed, secrets transformations should now be honoured for the kubernetes.io/tls Secret type. That requires v0.7.0 or greater.

benashz avatar Jul 09 '24 15:07 benashz
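A worked check of what the template above yields, added here as an example and not code from the vault-secrets-operator project or from anyone in this thread: it renders the same `ca.crt` template against a constructed pki/issue response (a throwaway CA and a leaf it signs, generated in-process), assembles the three keys of a kubernetes.io/tls Secret the way the operator would, and then verifies that `tls.key` matches `tls.crt` and that `tls.crt` chains to the rendered `ca.crt`. The `get` helper, the `.Secrets` input shape and the `buildTLSSecretData`/`verifyChain` functions are this example's own approximations of the operator's behaviour, not its API.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"text/template"
	"time"
)

// caTemplate is the transformation from the thread: copy issuing_ca into ca.crt.
const caTemplate = `{{- printf "%s" (get .Secrets "issuing_ca") -}}`

// "get" mimics the sprig helper VSO exposes: a missing key yields "", not an error.
var funcs = template.FuncMap{"get": func(m map[string]interface{}, k string) interface{} {
	if v, ok := m[k]; ok {
		return v
	}
	return ""
}}
var caTmpl = template.Must(template.New("ca.crt").Funcs(funcs).Parse(caTemplate))

// renderCACert runs the template on a pki/issue response; only the .Secrets
// field of VSO's template input is modelled here (assumption of this example).
func renderCACert(secrets map[string]interface{}) (string, error) {
	var out bytes.Buffer
	err := caTmpl.Execute(&out, map[string]interface{}{"Secrets": secrets})
	return out.String(), err
}

// buildTLSSecretData assembles a kubernetes.io/tls Secret's data the way VSO
// would: tls.crt/tls.key from the issue response, ca.crt from the template.
func buildTLSSecretData(resp map[string]interface{}) (map[string]string, error) {
	cert, _ := resp["certificate"].(string)
	key, _ := resp["private_key"].(string)
	if cert == "" || key == "" {
		return nil, fmt.Errorf("issue response lacks certificate or private_key")
	}
	ca, err := renderCACert(resp)
	if err != nil {
		return nil, err
	}
	return map[string]string{"tls.crt": cert, "tls.key": key, "ca.crt": ca}, nil
}

// verifyChain checks that tls.key matches tls.crt and that tls.crt chains to
// the ca.crt the template produced, i.e. a client trusting only ca.crt accepts it.
func verifyChain(data map[string]string, dnsName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(data["ca.crt"])) {
		return fmt.Errorf("ca.crt holds no parseable certificate")
	}
	pair, err := tls.X509KeyPair([]byte(data["tls.crt"]), []byte(data["tls.key"]))
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueTestPKI is constructed fixture data: a throwaway CA and a leaf it signs,
// shaped like the fields of a Vault pki/issue response.
func issueTestPKI(dnsName string) map[string]interface{} {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-issuing-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	must(err)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	must(err)
	pemOf := func(t string, b []byte) string { return string(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b})) }
	return map[string]interface{}{
		"certificate": pemOf("CERTIFICATE", leafDER),
		"private_key": pemOf("EC PRIVATE KEY", keyDER),
		"issuing_ca":  pemOf("CERTIFICATE", caDER),
	}
}
```

Two practical points the code makes visible. First, `get` on a missing key renders an empty string rather than failing, so a response without `issuing_ca` would produce a Secret whose `ca.crt` is empty and whose consumers silently trust nothing; a post-sync check along the lines of `verifyChain` against the real Secret is worth adding to a rollout pipeline. Second, a kubernetes.io/tls Secret still needs `tls.crt` and `tls.key`, so the template only adds the third key; the destination's Secret type must be set to kubernetes.io/tls on a release that honours transformations for that type (v0.7.0 or later, per the comment above).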