1. Vault as a CA for Kubernetes In-Cluster TLS Communication


    To set up HashiCorp Vault as a Certificate Authority (CA) for Kubernetes in-cluster TLS communication, you need to follow a multi-step process. This spans configuring Vault to issue certificates, integrating it with Kubernetes for authentication, and then configuring Kubernetes to use Vault-issued certificates for TLS.

    Here's an outline of what you need to do:

    1. Set up Vault: Install and initialize Vault if you haven't already.
    2. Configure Vault's PKI (Public Key Infrastructure) secrets engine: This engine will act as a CA that can issue and revoke certificates.
    3. Create roles in Vault: Define roles that map to Kubernetes services; a role determines the permissions and attributes (allowed domains, TTLs) of the certificates issued through it.
    4. Integrate Vault with Kubernetes for authentication: Configure Vault to authenticate requests from Kubernetes using the Kubernetes Service Account Token.
    5. Deploy workloads in Kubernetes: These workloads should be configured to authenticate with Vault and use the issued certificates for TLS.

    In the Pulumi program below, we'll cover the following:

    • Setting up a Vault PKI secret engine to issue certificates.
    • Configuring roles in Vault for Kubernetes services.
    • Establishing a Kubernetes-Vault authentication method.
    • Providing an example of how to consume these certificates in a Kubernetes deployment (you'll need to adapt this example to your specific application).

    import pulumi
    import pulumi_vault as vault
    import pulumi_kubernetes as kubernetes  # not used yet; needed once you add the Step 4 deployment

    # Step 1: Mount the PKI secrets engine, then load the CA it will sign with.
    # The mount has to exist before its CA can be configured.
    pki = vault.Mount("pki",
        path="pki",
        type="pki",
        max_lease_ttl_seconds=315360000)  # 10 years; caps the TTL of anything issued from this mount

    pki_secret_backend = vault.PkiSecretBackendConfigCa("pki-secret-backend",
        backend=pki.path,
        # PEM bundle with the CA certificate and its private key. Treat it as a secret:
        # load it via pulumi.Config().require_secret(...) instead of a literal so it is
        # encrypted in Pulumi state.
        pem_bundle="your_PEM_encoded_CA_bundle")

    # Step 2: Create a role in Vault that defines the permissions and attributes of the certificates
    role = vault.PkiSecretBackendRole("example-role",
        backend=pki.path,
        name="example-role",
        allowed_domains=["example.service.cluster.local"],  # domains this role may issue for
        allow_subdomains=True,
        max_ttl="72h")  # maximum time-to-live of issued certificates

    # Step 3: Integrate Vault with Kubernetes for authentication
    k8s_auth = vault.AuthBackend("k8s-auth", type="kubernetes", path="kubernetes")

    kubernetes_auth_backend = vault.KubernetesAuthBackendConfig("k8s-auth-backend",
        backend=k8s_auth.path,
        kubernetes_host="https://your.kubernetes.host.address",  # address of the Kubernetes API server
        kubernetes_ca_cert="your_kubernetes_ca_certificate",     # PEM-encoded CA certificate of your cluster
        token_reviewer_jwt="your_service_account_jwt_token")     # JWT of the service account Vault uses for TokenReview

    # A policy that lets an authenticated workload issue certificates from the role and nothing else
    issue_policy = vault.Policy("issue-example-role",
        name="issue-example-role",
        policy='path "pki/issue/example-role" { capabilities = ["create", "update"] }')

    # Bind one Kubernetes service account to that policy; without an auth role no pod can log in
    kubernetes_auth_role = vault.KubernetesAuthBackendRole("k8s-auth-role",
        backend=k8s_auth.path,
        role_name="example-role",
        bound_service_account_names=["example-service"],  # service account of the workload
        bound_service_account_namespaces=["default"],
        token_policies=[issue_policy.name],
        token_ttl=3600)

    # Step 4: Deploy a Kubernetes service with injected Vault secret to use in TLS communication
    # For this step, you would typically create Kubernetes deployments and services that use the certs from Vault

    # Output the Vault role name that you can refer to later when configuring the Kubernetes service
    pulumi.export("vault_role_name", role.name)

    Please replace the placeholder values (your_PEM_encoded_CA_bundle, your.kubernetes.host.address, your_kubernetes_ca_certificate, your_service_account_jwt_token) with your actual values before running this program.

    Once these Pulumi resources are created, you can configure your Kubernetes services to authenticate to Vault using service account tokens. Then, they can acquire TLS certificates issued by Vault. The specifics of this will depend on your applications and how they're set up to communicate with Vault.
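The workload side of that flow, as an added example that is not part of the original Pulumi program: at startup a pod reads its projected service account token, exchanges it for a Vault token at `auth/kubernetes/login`, and then calls `pki/issue/<role>` to receive a certificate, key and CA chain. Only the standard library is used. The default Vault address, the auth role name `example-role`, the output directory `/etc/tls` and the common name `api.example.service.cluster.local` are assumptions; the PKI role and its allowed domains are the ones from the program above, and `common_name_allowed` mirrors those constraints client-side so a misconfigured common name fails with a clear error rather than a 400 from Vault (Vault still enforces them server-side).

```python
"""Added example: obtain an in-cluster TLS certificate from the Vault PKI role at pod start."""
import json
import os
import ssl
import urllib.request

# Assumed in-cluster Vault address; override with the standard VAULT_ADDR variable.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.vault.svc.cluster.local:8200")
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # projected by Kubernetes
AUTH_ROLE = "example-role"  # Kubernetes auth role bound to this pod's service account (assumed name)
PKI_ROLE = "example-role"   # PKI role from the Pulumi program
ALLOWED_DOMAINS = ["example.service.cluster.local"]  # from the PKI role
ALLOW_SUBDOMAINS = True


def common_name_allowed(common_name, allowed_domains=ALLOWED_DOMAINS, allow_subdomains=ALLOW_SUBDOMAINS):
    """Client-side mirror of the role's allowed_domains / allow_subdomains check."""
    cn = common_name.lower().rstrip(".")
    for domain in allowed_domains:
        d = domain.lower()
        if cn == d or (allow_subdomains and cn.endswith("." + d)):
            return True
    return False


def _post_json(url, payload, token=None, context=None):
    """POST a JSON body to Vault and decode the JSON response."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10, context=context) as resp:
        return json.load(resp)


def login_with_service_account(vault_addr, auth_role, jwt, context=None):
    """Exchange the pod's service account JWT for a Vault client token."""
    body = _post_json(f"{vault_addr}/v1/auth/kubernetes/login",
                      {"role": auth_role, "jwt": jwt}, context=context)
    return body["auth"]["client_token"]


def extract_bundle(issue_response):
    """Pull the leaf certificate, private key and CA chain out of a pki/issue response."""
    data = issue_response["data"]
    chain = data.get("ca_chain") or [data["issuing_ca"]]  # ca_chain is a list of PEM blocks
    return {
        "certificate": data["certificate"],
        "private_key": data["private_key"],
        "ca_chain": "\n".join(chain),
        "serial_number": data["serial_number"],
    }


def issue_certificate(vault_addr, token, pki_role, common_name, ttl="24h", context=None):
    """Request a certificate from the PKI role; ttl must stay within the role's max_ttl (72h)."""
    if not common_name_allowed(common_name):
        raise ValueError(f"{common_name} is outside the domains the PKI role allows")
    body = _post_json(f"{vault_addr}/v1/pki/issue/{pki_role}",
                      {"common_name": common_name, "ttl": ttl}, token=token, context=context)
    return extract_bundle(body)


def write_bundle(bundle, directory):
    """Write the PEM files; the private key is created owner-read/write only."""
    os.makedirs(directory, exist_ok=True)
    for name, mode in (("certificate", 0o644), ("ca_chain", 0o644), ("private_key", 0o600)):
        fd = os.open(os.path.join(directory, f"{name}.pem"),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(bundle[name] + "\n")


if __name__ == "__main__":
    # Verify Vault's own server certificate against the CA given by VAULT_CACERT.
    ctx = ssl.create_default_context(cafile=os.environ.get("VAULT_CACERT"))
    with open(SA_TOKEN_PATH) as f:
        sa_jwt = f.read().strip()
    vault_token = login_with_service_account(VAULT_ADDR, AUTH_ROLE, sa_jwt, context=ctx)
    bundle = issue_certificate(VAULT_ADDR, vault_token, PKI_ROLE,
                               "api.example.service.cluster.local", context=ctx)
    write_bundle(bundle, "/etc/tls")  # assumed mount point read by the application's TLS listener
    print("issued certificate with serial", bundle["serial_number"])
```

Short-lived leaf certificates (the example asks for 24h against the role's 72h maximum) mean the workload has to repeat this call before expiry, for instance from a sidecar or on a timer, rather than once at deploy time.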

    Remember, for the Vault PKI integration to work, your Vault instance must be accessible from within your Kubernetes cluster. Ensure the proper network configurations, such as setting up firewall rules or VPC peering, to facilitate this communication.