
Feature request: Ziti with Vault as an alternative to PKI

Open qdrddr opened this issue 2 years ago • 2 comments

Please consider utilizing Hashicorp Vault to store certificates and use them with OpenZiti. For example in k8s environments where certificates are obtained with certificate manager (such as letsencrypt) and stored with Vault.

qdrddr avatar Nov 22 '23 19:11 qdrddr

You can actually use Vault or any other JWT provider like SPIRE. You can obtain a JWT from vault and use it to authenticate to the overlay.

I plan to implement this into edgex foundry in the coming months as well. I also demonstrated how to use external jwt providers with SPIRE elsewhere for a conference talk...

Would that cover what you're looking for here?

dovholuknf avatar Nov 22 '23 19:11 dovholuknf

Hi @dovholuknf, nice to know that JWT for enrollment is compatible with Vault. My feature request was about something other than JWT and concerns Ziti requiring PKI infrastructure for proper new user enrollment and for browsers to display a trusted (not a self-signed) certificate. Setting up PKI infrastructure is often a tedious and complex task required in production environments to use Ziti. In other words, PKI is a blocker to using Ziti in production.

I was looking for ways to make it easier or find another way around it.

One way to do that is to leverage tools such as Hashicorp Vault to store certificates and tools such as letsencrypt to generate a signed certificate to replace the need to set up PKI infrastructure completely.

Hashicorp Vault & Letsencrypt tools are often used in k8s environments. They are often already configured and ready to be used, so implementing and adopting Ziti would be much easier with these existing tools instead of PKI.

Also, to push the envelope even further, you can incorporate Vault & Letsencrypt tools into your existing Docker Compose example and k8s Helm Chart to remove the burden from the users to implement these and speed up Ziti adoption.

Please consider adding tools such as Hashicorp Vault + Letsencrypt, as widely used or popular PKI, into your docker-compose example.

Thank you for your consideration, D

qdrddr avatar Nov 27 '23 17:11 qdrddr

Making PKI easier is always a help (and a major focus of orchestration). Closing for now due to inactivity, open to revisit at a later date.

smilindave26 avatar Aug 28 '24 15:08 smilindave26