starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/vault-server-certificate-8573125eeea6.rst
Ron Stone f125a8b892 Remove spurious escapes (r8,dsR8) 
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
2023-03-01 11:19:04 +00:00

5.5 KiB
Raw Blame History

Vault Server Certificate

integrates open source Vault containerized security application (Optional) into the solution.

Vault is a containerized secrets management application that provides encrypted storage with policy-based access control and supports multiple secrets storage engines and auth methods.

Refer to Vault Secret and Data Management <vault-secret-and-data-management-security-index> for details about Vault installation and configuration.

Accessing Vault is secured by HTTPS. Vault server certificate and the Root certificate from which the server certificate is generated are stored in Kubernetes secrets in Vault namespace.

  • Vault-ca: the Vault Root certificate
  • Vault-server-tls: the Vault server certificate

The client that accesses Vault server verifies Vault server certificate with vault-ca Root certificate. So the client needs to be configured to trust vault-ca Root certificate.

In section Configure Vault Using the Vault REST API <configure-vault>, there are examples using curl to access Vault services.

Install Vault server certificate

By default, the Root certificate and key are automatically created and the Vault server certificate is generated from the Root certificate during the Vault app application.

The Root certificate has 10 years validity while the server certificate has 3 month validity.

Update/Renew Vault certificates

Warning

Vault certificates are not auto renewed. They have to be updated manually by updating the secrets from the new certificate files.

Refer to Create Certificates Locally using openssl <create-certificates-locally-using-openssl> on how to generate certificate using openssl in general.

The following procedure is an example of the steps to generate new Vault server certificate from the existing Root certificate using openssl and update corresponding secret for Vault to use the new certificate.

The existing Root has 10 years validity so the example below is to renew the Vault server certificate from it.

  1. Retrieve Vault Root certificate and private key from secret to files:

    ~(keystone_admin)]$ mkdir /home/sysadmin/vault_ca_cert
~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_cert.pem
~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.key}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_key.pem

  2. Create and sign a server certificate and key:

    • Create the Server private key.

      ~(keystone_admin)]$ mkdir /home/sysadmin/vault_new_certs
~(keystone_admin)]$ openssl genrsa -out /home/sysadmin/vault_new_certs/vault-server-tls-key.pem 2048

    • Create the server certificate signing request (csr).

      Create a csr configuration file /home/sysadmin/vault_new_certs/extfile.cnf with the following content:

      [req]
prompt = no
x509_extensions = v3_req
distinguished_name = dn
[dn]
O = stx
[v3_req]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
subjectAltName = @alt_names
[alt_names]
DNS.1 = sva-vault
DNS.2 = *.sva-vault-internal
DNS.3 = *.vault.pod.cluster.local
DNS.4 = sva-vault.vault
DNS.5 = sva-vault.vault.svc
DNS.6 = sva-vault.vault.svc.cluster.local
DNS.7 = sva-vault-active.vault.svc.cluster.local
IP.1 = 127.0.0.1

~(keystone_admin)]$ openssl req -new -key /home/sysadmin/vault_new_certs/vault-server-tls-key.pem -out /home/sysadmin/vault_new_certs/vault-server-tls.csr -config /home/sysadmin/vault_new_certs/extfile.cnf

    • Use the Root to sign the server certificate:

      ~(keystone_admin)]$ openssl x509 -req -in /home/sysadmin/vault_new_certs/vault-server-tls.csr -CA /home/sysadmin/vault_ca_cert/vault_ca_cert.pem -CAkey /home/sysadmin/vault_ca_cert/vault_ca_key.pem -CAcreateserial -out /home/sysadmin/vault_new_certs/vault-server-tls-cert.pem -days 365 -extensions v3_req -extfile /home/sysadmin/vault_new_certs/extfile.cnf

  3. Update vault-server-tls secret with the new vault server certificate:

    ~(keystone_admin)]$ kubectl create secret tls vault-server-tls --cert=/home/sysadmin/vault_new_certs/vault-server-tls-cert.pem --key=/home/sysadmin/vault_new_certs/vault-server-tls-key.pem --save-config --dry-run=client -n vault -o yaml | kubectl apply -f -

  4. Restart vault-manager, agent-injector and vault servers to use the new server certificate:

    ~(keystone_admin)]$ kubectl rollout restart statefulset sva-vault-manager -n vault
~(keystone_admin)]$ kubectl rollout restart deployment sva-vault-agent-injector -n vault

~(keystone_admin)]$ kubectl delete pod sva-vault-0 -n vault
~(keystone_admin)]$ kubectl delete pod sva-vault-1 -n vault
~(keystone_admin)]$ kubectl delete pod sva-vault-2 -n vault