Vault as a CA for Kubernetes In-Cluster TLS Communication

Question

Pulumi · Accepted Answer

To set up HashiCorp Vault as a Certificate Authority (CA) for Kubernetes in-cluster TLS communication, you need to follow a multi-step process. This spans configuring Vault to issue certificates, integrating it with Kubernetes for authentication, and then configuring Kubernetes to use Vault-issued certificates for TLS.

Here's an outline of what you need to do:

1. **Set up Vault**: Install and initialize Vault if you haven't already.
2. **Configure Vault's PKI (Public Key Infrastructure) secrets engine**: This engine will act as a CA that can issue and revoke certificates.
3. **Create roles in Vault**: Define roles that map to Kubernetes services, which determines the permissions and attributes of the certificates issued.
4. **Integrate Vault with Kubernetes for authentication**: Configure Vault to authenticate requests from Kubernetes using the Kubernetes Service Account Token.
5. **Deploy workloads in Kubernetes**: These workloads should be configured to authenticate with Vault and use the issued certificates for TLS.

In the Pulumi program below, we'll cover the following:

- Setting up a Vault PKI secret engine to issue certificates.
- Configuring roles in Vault for Kubernetes services.
- Establishing a Kubernetes-Vault authentication method.
- Providing an example of how to consume these certificates in a Kubernetes deployment (you'll need to adapt this example to your specific application).

```python
import pulumi
import pulumi_vault as vault
import pulumi_kubernetes as kubernetes

# Step 1: Set up the Vault PKI secret engine
pki_secret_backend = vault.PkiSecretBackendConfigCa("pki-secret-backend",
    backend="pki",
    pem_bundle="your_PEM_encoded_CA_bundle") # This should contain your CA certificate and private key

# Step 2: Create a role in Vault that defines the permissions and attributes of the certificates
role = vault.PkiSecretBackendRole("example-role",
    backend="pki",
    allowed_domains=["example.service.cluster.local"], # The domains allowed by this role
    allow_subdomains=True,
    max_ttl="72h") # The maximum time-to-live for the certificate

# Step 3: Integrate Vault with Kubernetes for authentication
kubernetes_auth_backend = vault.KubernetesAuthBackendConfig("k8s-auth-backend",
    kubernetes_host="https://your.kubernetes.host.address", # The address of the Kubernetes API server
    kubernetes_ca_cert="your_kubernetes_ca_certificate", # The PEM-encoded CA certificate for your Kubernetes cluster
    token_reviewer_jwt="your_service_account_jwt_token") # The JWT token of the service account that will be reviewing the tokens

# Step 4: Deploy a Kubernetes service with injected Vault secret to use in TLS communication
# For this step, you would typically create Kubernetes deployments and services that use the certs from Vault

# Output the Vault role name that you can refer to later when configuring the Kubernetes service
pulumi.export("vault_role_name", role.name)
```

Please replace the placeholder values (`your_PEM_encoded_CA_bundle`, `your.kubernetes.host.address`, `your_kubernetes_ca_certificate`, `your_service_account_jwt_token`) with your actual values before running this program.

Once these Pulumi resources are created, you can configure your Kubernetes services to authenticate to Vault using service account tokens. Then, they can acquire TLS certificates issued by Vault. The specifics of this will depend on your applications and how they're set up to communicate with Vault.

Remember, for the Vault PKI integration to work, your Vault instance must be accessible from within your Kubernetes cluster. Ensure the proper network configurations, such as setting up firewall rules or VPC peering, to facilitate this communication.