
Allow mTLS between VSO and external Vault instance

Open bbucko opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe. Our instance of Vault is using mTLS and we are unable to provide a client cert/key. All attempts end up in 'remote error: tls: bad certificate'

Describe the solution you'd like Set of annotations that would make it possible to provide reference to a secret containing private key/cert which would be used to establish mTLS connection with external instance of Vault.

Describe alternatives you've considered Tried adding annotations (vault.hashicorp.com/tls-secret or vault.hashicorp.com/client-cert) but they are not working.

bbucko avatar Jul 26 '23 13:07 bbucko

Hi @bbucko - Thanks for filing this issue. We currently have fields defined as part of the VaultConnection custom resource under Spec.tlsServerName/caCertSecretRef here, which I think should work for this, unless I'm missing something in your request. Can you take a look at that and see if it fits your use case? If not, could you point out what it is missing? Cheers, ~Kyle

kschoche avatar Jul 26 '23 14:07 kschoche

Hi, caCertSecretRef seems like a way to define the CA Certificate, but I want to additionally define fields that would act as https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-cert and https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-key. Unless there's some "secret" field I'm missing, it's not possible to configure the TLS Config to pick up a client cert/key. I think that we could potentially use environment variables to define both and point them to mounted secrets in the container, but the Chart does not allow it at the moment (I think there's a separate issue for fixing this: https://github.com/hashicorp/vault-secrets-operator/issues/287).

bbucko avatar Jul 26 '23 14:07 bbucko
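As an added illustration (not code from this issue or from the vault-secrets-operator project), the Go program below reproduces the distinction the two comments above draw. A TLS listener that requires a verified client certificate, as a Vault listener configured for mTLS does, rejects a client that only trusts the server's CA (the situation caCertSecretRef covers) with `remote error: tls: bad certificate`, and accepts the same client once a client certificate and key are configured (what the injector's client-cert/client-key annotations provide). All certificates are generated in memory, the names vault.example.test and vso are made up, and TLS 1.2 is pinned because Go's TLS 1.3 server reports the same condition as a `certificate required` alert instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert builds a throwaway self-signed certificate (constructed in memory for
// this example; not real Vault or VSO material) plus a pool that trusts it.
// Server certs get an IP SAN for 127.0.0.1; client certs get the ClientAuth EKU.
func newCert(cn string, server bool) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// probe starts a listener that requires a verified client certificate (the
// mTLS-enabled Vault from the issue) and connects to it. serverRoots plays the
// role of caCertSecretRef; clientCerts is the client cert/key the issue asks for.
// It returns the error the client observes, or nil when mTLS succeeded.
func probe(serverCert tls.Certificate, serverRoots, clientRoots *x509.CertPool, clientCerts []tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientRoots,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // TLS 1.2: missing client cert => bad_certificate alert
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		// The write drives the server-side handshake; it fails when the client
		// presented no certificate, after the server has sent the alert.
		_, _ = c.Write([]byte("ok\n"))
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      serverRoots,
		Certificates: clientCerts,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err // e.g. "remote error: tls: bad certificate"
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 3)
	_, err = io.ReadFull(conn, buf) // "ok\n" only arrives after a verified client cert
	return err
}

// demo runs the probe once with the CA bundle only and once with a client
// certificate and key, returning the client-observed error of each run.
func demo() (caOnlyErr, mtlsErr error) {
	serverCert, serverRoots, err := newCert("vault.example.test", true)
	if err != nil {
		return err, err
	}
	clientCert, clientRoots, err := newCert("vso", false)
	if err != nil {
		return err, err
	}
	caOnlyErr = probe(serverCert, serverRoots, clientRoots, nil)
	mtlsErr = probe(serverCert, serverRoots, clientRoots, []tls.Certificate{clientCert})
	return caOnlyErr, mtlsErr
}

func main() {
	caOnly, mtls := demo()
	fmt.Println("CA bundle only      :", caOnly)
	fmt.Println("client cert and key :", mtls)
}
```

The first run prints the same `remote error: tls: bad certificate` the reporter sees, which is the server refusing the handshake because no client certificate was offered; trusting the server's CA alone cannot fix that, only configuring a client certificate and key on the client side does, as the second run shows.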

hey @bbucko did you get this resolved at last?

nia-potato avatar Jan 25 '24 23:01 nia-potato

Nah, we switched to a different secrets management system.

bbucko avatar Jan 26 '24 08:01 bbucko

Hello 👋 I'm having the same issue. As mentioned caCertSecretRef seems to only contain the CA certificate. How would we define a client key and a client certificate in the TLS config, so that we can enable mTLS on the Vault server?

huyquanha avatar Nov 02 '24 06:11 huyquanha