vault-tls-steps
$ oc logs pod/vault-f65cb7877-gmh9z | |
Error initializing listener of type tcp: error loading TLS cert: open /etc/certs/vault.pem: no such file or directory | |
================================================= | |
vault-tls setup | |
================================================= | |
blog : https://testdriven.io/blog/running-vault-and-consul-on-kubernetes/ | |
================================================== | |
INSTALL AND DIR STRUCTURE | |
==================================================== | |
$ mkdir $HOME/go | |
$ export GOPATH=$HOME/go | |
$ export PATH=$PATH:$GOPATH/bin | |
Next, install the SSL ToolKit: | |
$ go get -u github.com/cloudflare/cfssl/cmd/cfssl | |
$ go get -u github.com/cloudflare/cfssl/cmd/cfssljson | |
├── certs | |
│ ├── config | |
│ │ ├── ca-config.json | |
│ │ ├── ca-csr.json | |
│ │ └── vault-csr.json | |
└── vault | |
=========================================================== | |
Steps to create the CA and Vault keys and certificate (.pem) files
=========================================================== | |
cat certs/config/ca-csr.json | |
{ | |
"hosts": [ | |
"cluster.local" | |
], | |
"key": { | |
"algo": "rsa", | |
"size": 2048 | |
}, | |
"names": [ | |
{ | |
"C": "CL", | |
"ST": "RM", | |
"L": "Santiago" | |
} | |
] | |
} | |
cat certs/config/ca-config.json | |
{ | |
"signing": { | |
"default": { | |
"expiry": "87600h" | |
}, | |
"profiles": { | |
"default": { | |
"usages": [ | |
"signing", | |
"key encipherment", | |
"server auth", | |
"client auth" | |
], | |
"expiry": "8760h" | |
} | |
} | |
} | |
} | |
cat certs/config/vault-csr.json ## the Minishift IP was added to the hosts list
{ | |
"hosts": [ | |
"vault", | |
"127.0.0.1", | |
"192.168.xx.xx" | |
], | |
"key": { | |
"algo": "rsa", | |
"size": 2048 | |
}, | |
"names": [ | |
{ | |
"C": "CL", | |
"ST": "RM", | |
"L": "Santiago" | |
} | |
] | |
} | |
cfssl$ cfssl gencert -initca certs/config/ca-csr.json | cfssljson -bare certs/ca | |
2019/12/27 23:54:26 [INFO] generating a new CA key and certificate from CSR | |
2019/12/27 23:54:26 [INFO] generate received request | |
2019/12/27 23:54:26 [INFO] received CSR | |
2019/12/27 23:54:26 [INFO] generating key: rsa-2048 | |
2019/12/27 23:54:27 [INFO] encoded CSR | |
2019/12/27 23:54:27 [INFO] signed certificate with serial number 614428927684934858812592719940307578889967342863 | |
cfssl$ ls -l certs/ | |
total 20 | |
-rw-r--r-- 1 apurb apurb 985 Dec 27 23:54 ca.csr | |
-rw------- 1 apurb apurb 1679 Dec 27 23:54 ca-key.pem | |
-rw-r--r-- 1 apurb apurb 1159 Dec 27 23:54 ca.pem | |
drwxr-xr-x 2 apurb apurb 4096 Dec 27 23:52 config | |
drwxr-xr-x 2 apurb apurb 4096 Dec 27 23:37 vault | |
For the Vault certificate:
$ cfssl gencert \ | |
-ca=certs/ca.pem \ | |
-ca-key=certs/ca-key.pem \ | |
-config=certs/config/ca-config.json \ | |
-profile=default \ | |
certs/config/vault-csr.json | cfssljson -bare certs/vault | |
cfssl$ cfssl gencert \ | |
> -ca=certs/ca.pem \ | |
> -ca-key=certs/ca-key.pem \ | |
> -config=certs/config/ca-config.json \ | |
> -profile=default \ | |
> certs/config/vault-csr.json | cfssljson -bare certs/vault | |
2019/12/28 00:07:33 [INFO] generate received request | |
2019/12/28 00:07:33 [INFO] received CSR | |
2019/12/28 00:07:33 [INFO] generating key: rsa-2048 | |
2019/12/28 00:07:33 [INFO] encoded CSR | |
2019/12/28 00:07:33 [INFO] signed certificate with serial number 548062694835770430502296617561455400237122881553 | |
================================================== | |
create secret | |
=================================================== | |
oc create secret generic vault \ | |
--from-file=certs/ca.pem \ | |
--from-file=certs/vault.pem \ | |
--from-file=certs/vault-key.pem | |
cfssl$ oc get secrets vault -o yaml | |
apiVersion: v1 | |
data: | |
ca.pem: 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 | |
vault-key.pem: 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 | |
vault.pem: 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 | |
kind: Secret | |
metadata: | |
creationTimestamp: 2019-12-28T03:17:09Z | |
name: vault | |
namespace: vault-demo | |
resourceVersion: "47312" | |
selfLink: /api/v1/namespaces/vault-demo/secrets/vault | |
uid: 889baf58-2920-11ea-8aa3-525400f815dd | |
type: Opaque | |
deployment.yaml | |
================================================= | |
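# Vault Deployment (deployment.yaml).
#
# The pod log at the top of these notes
# ("open /etc/certs/vault.pem: no such file or directory") is the tcp
# listener failing to load its TLS cert: the `vault` secret volume was
# declared under `volumes` but never mounted into the container, so
# /etc/certs did not exist. The extra volumeMount below fixes that.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    app: vault
  name: vault
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      serviceAccountName: vault-auth
      containers:
        - image: 172.30.1.1:5000/vault-demo/vault:1.3.1
          name: vault
          ports:
            - containerPort: 8200
              name: vaultport
              protocol: TCP
          args:
            - server
            # debug logging is verbose; drop it once the TLS setup works.
            - -log-level=debug
          env:
            - name: SKIP_SETCAP
              value: 'true'
            - name: SKIP_CHOWN
              value: 'true'
            # listener/storage config is read from the vault-config ConfigMap
            - name: VAULT_LOCAL_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: vault-config
                  key: vault-config
          volumeMounts:
            - name: vault-file-backend
              mountPath: /vault/file
              readOnly: false
            # TLS material (ca.pem, vault.pem, vault-key.pem) from the
            # `vault` secret created above; the listener only reads it,
            # so mount it read-only.
            - name: vault
              mountPath: /etc/certs
              readOnly: true
      volumes:
        - name: vault-file-backend
          persistentVolumeClaim:
            claimName: vault-file-backend
        - name: vault
          secret:
            secretName: vault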