
@amcginlay
Last active February 10, 2023 09:49

cert-manager + Vault + TLSPC

The following instructions have been tested on a KinD cluster and use the Venafi Secrets Engine for HashiCorp Vault.

install vault (dev mode)

helm repo add hashicorp https://helm.releases.hashicorp.com
# dev mode runs Vault in-memory and already unsealed; -dev-plugin-dir points it at the
# directory where the externally built Venafi plugin binary will be placed later
helm -n vault install vault hashicorp/vault --create-namespace \
  --set "server.dev.enabled=true" \
  --set "server.extraArgs=-dev-plugin-dir=/vault/plugins/" \
  --set "server.volumes[0].name=plugins" \
  --set "server.volumeMounts[0].mountPath=/vault/plugins/" \
  --set "server.volumeMounts[0].name=plugins"

how to start session on vault pod

kubectl -n vault exec -it vault-0 -- sh
# use "exit" to close

test vault

# CLI - !!! requires session on vault-0 !!!
vault status
vault secrets list
vault write cubbyhole/test foo=bar
vault list cubbyhole
vault read cubbyhole/test

# UI - after port-forward, navigate to http://localhost:8200 (in dev mode password is "root")
kubectl -n vault port-forward vault-0 8200:8200

prepare venafi secrets engine plugin

# !!! requires session on vault-0 !!!
apikey=<YOUR_TLSPC_API_KEY>
release=0.12.1

cd /tmp/
wget https://github.com/Venafi/vault-pki-backend-venafi/releases/download/v${release}/venafi-pki-backend_v${release}_linux.zip
unzip venafi-pki-backend_v${release}_linux.zip
# Vault only executes a catalogued plugin whose SHA-256 matches the registered value.
# Hashing the file you just downloaded pins that exact binary; it does not verify where it came from.
sha256=$(sha256sum venafi-pki-backend | cut -d' ' -f1)
mv venafi-pki-backend /vault/plugins/

# register the plugin in the catalog, then mount it as a secrets engine at venafi-pki/
vault write sys/plugins/catalog/secret/venafi-pki-backend sha_256="${sha256}" command="venafi-pki-backend"
vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin

# connect the mount to TLSPC via a "venafi secret" named vaas, then create a role that uses it
vault write venafi-pki/venafi/vaas apikey="${apikey}" zone="Built-In CA\\Built-In CA Template"
vault write venafi-pki/roles/vaas venafi_secret=vaas generate_lease=true store_by=serial store_pkey=true

configure cert-manager to use vault issuer

TBD
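This section is still marked TBD in the gist; what follows is an added example, not the author's, showing the cert-manager objects that would consume the `vaas` role created above. It assumes cert-manager is already installed, that Vault is reachable in-cluster at the Helm chart's service address `vault.vault.svc:8200` over plain HTTP (dev mode), and that the plugin's `sign/vaas` endpoint is used as the issuer path.

```yaml
# Token used by cert-manager to call Vault. "root" is the dev-mode token from the gist;
# outside dev mode use a token scoped to "venafi-pki/sign/vaas" or Kubernetes auth instead.
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: default
stringData:
  token: root
---
# Issuer that signs CSRs through the Venafi secrets engine mounted at venafi-pki/
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-venafi
  namespace: default
spec:
  vault:
    server: http://vault.vault.svc:8200       # assumed in-cluster address of the Helm-installed Vault
    path: venafi-pki/sign/vaas                # assumed: <mount>/sign/<role> from the gist's vault commands
    auth:
      tokenSecretRef:
        name: vault-token
        key: token
---
# A certificate request; cert-manager generates the key and CSR, Vault forwards the CSR to TLSPC
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  commonName: example.com                     # must be acceptable to the TLSPC zone/template configured above
  dnsNames:
    - example.com
  issuerRef:
    name: vault-venafi
    kind: Issuer
```

After applying, `kubectl describe certificate example-com` should show the Ready condition, and `vault list venafi-pki/certs` on vault-0 lists the issued serial because the role stores by serial.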

uninstall vault

helm -n vault uninstall vault
kubectl delete namespace vault