docs/doc/source/security/kubernetes/vault-server-certificate-8573125eeea6.rst
Ngairangbam Mili 12b28da9c5 Vault Server Certificates marked as "NOT AUTO-RENEWED" (dsr8MR3, dsr8MR2+)
Change-Id: I6ba1b15acb8dc50757be5cf5714bfe6492f082c0
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-04-19 16:55:24 +00:00


.. _vault-server-certificate-8573125eeea6:

========================
Vault Server Certificate
========================

|prod| integrates the open source Vault containerized security application
(optional) into the |prod| solution.

Vault is a containerized secrets management application that provides encrypted
storage with policy-based access control and supports multiple secrets storage
engines and auth methods.

For details about Vault installation and configuration, refer to :ref:`Vault Secret and Data Management
<vault-secret-and-data-management-security-index>`.

Access to Vault is secured by HTTPS. The Vault server certificate and the Root |CA|
certificate from which the server certificate is generated are stored in
Kubernetes secrets in the ``vault`` namespace:

- ``vault-ca``: the Vault Root |CA| certificate
- ``vault-server-tls``: the Vault server certificate

A client that accesses the Vault server verifies the Vault server certificate against
the ``vault-ca`` Root |CA| certificate. Therefore, the client must be configured to trust
the ``vault-ca`` Root |CA| certificate.

In the section :ref:`Configure Vault Using the Vault REST API <configure-vault>`,
there are examples using :command:`curl` to access Vault services.

--------------------------------
Install Vault server certificate
--------------------------------
The Root |CA| certificate and key are created automatically during the Vault
application apply; Cert Manager then generates the Vault server certificate
from the Root |CA| certificate.

The Root |CA| certificate has 10 years validity while the server certificate
has 3 months validity.

.. note::

   The ``vault-ca`` Root |CA| certificate is re-created when the Vault app is
   removed and re-applied.

-------------------------------
Update/Renew Vault certificates
-------------------------------
The Vault Root |CA| certificate is not auto-renewed. It must be updated
manually by updating the ``vault-ca`` secret from new certificate files. The
Vault server certificate (``vault-server-tls`` secret) is automatically renewed by
Cert Manager, but the Vault server re-reads its certificates only when prompted by a
SIGHUP signal. In both cases, a SIGHUP signal must be sent to the Vault server
processes so that they read the updated certificates before the old certificates
expire. Send SIGHUP (signal 1) to each of the Vault server processes using the
following :command:`kubectl` command, once per Vault pod:

.. code-block:: none

   POD=sva-vault-0
   kubectl exec -n vault $POD -- pkill -1 -x vault

Refer to `https://support.hashicorp.com/hc/en-us/articles/4417759906835-Replacing-the-TLS-certificate-and-key-on-a-running-Vault-cluster-without-requiring-a-restart-unseal
<https://support.hashicorp.com/hc/en-us/articles/4417759906835-Replacing-the-TLS-certificate-and-key-on-a-running-Vault-cluster-without-requiring-a-restart-unseal>`__.

For information on how to generate a Root |CA| certificate using openssl in
general, see :ref:`create-certificates-locally-using-openssl`. Refer to
``kubectl create secret tls --help`` to create a Kubernetes secret of type
``tls``.

.. note::

   After updating the |CA| certificate in the ``vault-ca`` secret, it is necessary to
   delete the ``vault-server-tls`` secret that contains the Vault server certificate
   generated by Cert Manager. Cert Manager does not automatically renew
   certificate resources when the |CA| is changed. Refer to
   `https://github.com/cert-manager/cert-manager/issues/5851 <https://github.com/cert-manager/cert-manager/issues/5851>`__.

After the Root |CA| is updated and Cert Manager regenerates the Vault server
certificate, send a SIGHUP signal to prompt the Vault server process to load
the new certificates.
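Because the Root |CA| in ``vault-ca`` is never renewed automatically, an operator needs to know when it (and the Cert Manager renewed server certificate) will expire. The following script, added here as an example and not part of the |prod| documentation, Vault or Cert Manager, reads ``tls.crt`` from both secrets in the ``vault`` namespace and reports the days remaining; it assumes ``kubectl`` is on the PATH and that the secrets are of type ``tls``.

```python
# Added example (not part of the StarlingX docs): report how long the vault-ca
# and vault-server-tls certificates remain valid. The Root CA is not auto-renewed,
# so its expiry is the date an operator has to track. Assumes kubectl on PATH.
import base64, datetime, json, subprocess

def _tlv(der, pos):
    """(tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                   # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der, start, end):
    """(tag, value_start, value_end) of every element inside a SEQUENCE."""
    pos, out = start, []
    while pos < end:
        out.append(_tlv(der, pos))
        pos = out[-1][2]
    return out

def cert_not_after(cert):
    """notAfter (UTC) of a PEM string or DER bytes; minimal X.509 walk."""
    if isinstance(cert, str):                            # PEM -> DER
        cert = base64.b64decode("".join(l for l in cert.splitlines() if "-----" not in l))
    _, tbs_start, tbs_end = _tlv(cert, _tlv(cert, 0)[1])  # Certificate -> tbsCertificate
    fields = _children(cert, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                             # optional [0] version
        fields.pop(0)
    validity = fields[3]                                 # serial, sigalg, issuer, validity
    tag, start, end = _children(cert, validity[1], validity[2])[1]   # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    stamp = datetime.datetime.strptime(cert[start:end].decode("ascii"), fmt)
    return stamp.replace(tzinfo=datetime.timezone.utc)

def days_left(cert, now=None):
    """Whole days until expiry (negative once expired)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (cert_not_after(cert) - now).days

def secret_cert(name, namespace="vault"):
    """tls.crt of a Kubernetes TLS secret, read with kubectl."""
    out = subprocess.check_output(["kubectl", "get", "secret", "-n", namespace, name, "-o", "json"])
    return base64.b64decode(json.loads(out)["data"]["tls.crt"]).decode("ascii")

if __name__ == "__main__":
    for name, how in (("vault-ca", "manual update, then delete vault-server-tls"),
                      ("vault-server-tls", "renewed by Cert Manager; SIGHUP vault to load")):
        print(f"{name}: {days_left(secret_cert(name))} days left ({how})")
```

Run it from a host with cluster access; a negative or small number for ``vault-ca`` means the manual update, the ``vault-server-tls`` deletion and the SIGHUP described above are due.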