
Trust CAs injected via VAULT_CACERT as S3 target for vault helm chart

Open aquisx opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? Please describe.

Currently there is no option to inject a self-signed CA for using it as S3 snapshot target. Vault already has the option to inject a CA using the envVar VAULT_CACERT. However, this CA is not injected into the trust store of the image but only used for the Vault application. So there is no native option to specify the S3 CA. This isn't a problem if using a public S3 storage like AWS or GCP, but if you're using your own S3 storage with a private CA, there is no option for it.

Describe the solution you'd like

That the content of VAULT_CACERT gets injected into the system image, so that the S3 client trusts the injected self-signed CA. If the env var could not be used for this purpose, there should be another var for this purpose.

Describe alternatives you've considered

Fork the vault image and do the injection there, or use an initContainer. There is no documentation about it, and both solutions are associated with more complex maintenance.

Explain any additional use-cases

Additional context

aquisx avatar Aug 07 '24 11:08 aquisx

I figured out a (dirty) way using UBI images without using root rights. First you need a configMap "ca-inject-cm" which includes the CA cert. Then you map this configMap in your init container to the anchors directory. After this you need to rewrite the default update-ca-trust script, because it contains a hardcoded path /etc/pki/ca-trust/extracted which we need to replace, since we don't have root rights to write to the default folder. In the end we map the new folder with the trusted certs to our vault container.

vault:
  server:
    extraInitContainers:
      # Runs before vault starts; needs no root because it only writes to the emptyDir below.
      - name: cert-init
        image: registry.access.redhat.com/ubi9/ubi-minimal:latest
        command: ["/bin/sh", "-c"]
        # 1) copy the stock extracted trust store into /cert-tmp
        # 2) copy update-ca-trust and point its hardcoded DEST at /cert-tmp
        # 3) rerun it so the anchor from the configMap is merged into the bundles in /cert-tmp
        args: [
          "echo 'Starting certificate update' && \
          cp -r /etc/pki/ca-trust/extracted/* /cert-tmp && \
          cp /usr/bin/update-ca-trust /tmp/update-ca-trust.sh && \
          sed -i 's|DEST=/etc/pki/ca-trust/extracted|DEST=/cert-tmp|' /tmp/update-ca-trust.sh && \
          chmod +x /tmp/update-ca-trust.sh && \
          /tmp/update-ca-trust.sh && \
          echo 'Certificate update completed'"
        ]
        volumeMounts:
          # The configMap key ca-cert.pem holds the private CA in PEM form.
          - name: ca-cert-pem
            mountPath: /etc/pki/ca-trust/source/anchors/ca-cert.crt
            subPath: ca-cert.pem
            readOnly: false
          - name: cert-tmp
            mountPath: /cert-tmp
            readOnly: false
    volumes:
      - name: ca-cert-pem
        configMap:
          name: ca-inject-cm
      - name: cert-tmp
        emptyDir: {}
    # Last step from the description above: expose the rebuilt trust store to the vault
    # container over the default extracted directory (assumes a UBI-based vault image).
    volumeMounts:
      - name: cert-tmp
        mountPath: /etc/pki/ca-trust/extracted
        readOnly: true

aquisx avatar Aug 09 '24 08:08 aquisx
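As an added example (not code from this issue, from Vault or from the helm chart), the Go program below shows why the CA has to reach the S3 client's root bundle rather than only VAULT_CACERT: a constructed private CA and an s3.internal.example server certificate verify only once the CA is part of the PEM bundle the client loads as its roots. The CA name, host name and 24-hour validity are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs tmpl with the signer's key; passing tmpl as its own parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PrivateCAAndLeaf constructs a throwaway private root CA plus a server cert for s3.internal.example (made-up names).
func PrivateCAAndLeaf() (ca, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	if ca, err = issue(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "s3.internal.example"}, DNSNames: []string{"s3.internal.example"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, err = issue(leafTmpl, ca, leafPub, caKey)
	return ca, leaf, err
}

// CAToPEM renders a CA in the PEM form update-ca-trust appends to extracted/pem/tls-ca-bundle.pem.
func CAToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// S3ServerTrusted is the check a Go TLS client (e.g. the AWS SDK inside Vault) makes for
// s3.internal.example with bundle as its only roots; a nil error means the handshake would succeed.
func S3ServerTrusted(leaf *x509.Certificate, bundle []byte) error {
	roots := x509.NewCertPool() // empty but non-nil, so Verify does not fall back to system roots
	roots.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "s3.internal.example"})
	return err
}
```

On Linux, Go's x509.SystemCertPool (the roots a default net/http client ends up with) loads the distro bundle path, or only the file named by SSL_CERT_FILE when that variable is set, so the bundle the init container produces is what decides the outcome for a Go program such as Vault.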

Having the same issue but using helm charts. For me it's quite funny that, setting up Vault as a Root CA issuing a cert to a Keycloak server that you then want to create an OIDC client to authenticate against... Vault does not even trust its own cert. And no easy way to get it to either... silly having to create a separate image FROM hashi/vault :-)

frippe75 avatar Sep 04 '24 18:09 frippe75