Vault Agent Injector TLS Configuration

Important Note: This chart is not compatible with Helm 2. Please use Helm 3.6+ with this chart.

The following instructions demonstrate how to manually configure the Vault Agent Injector with self-signed certificates.

Create a Certificate Authority (CA)

First, create a private key to be used by our custom Certificate Authority (CA):

$ openssl genrsa -out injector-ca.key 2048

Next, create a certificate authority certificate:

Important Note: Values such as days (how long the certificate is valid for) should be configured for your environment.

$ openssl req \
   -x509 \
   -new \
   -nodes \
   -key injector-ca.key \
   -sha256 \
   -days 1825 \
   -out injector-ca.crt \
   -subj "/C=US/ST=CA/L=San Francisco/O=HashiCorp/CN=vault-agent-injector-svc"

Create Vault Agent Injector Certificate

Next we can create a certificate and key signed by the certificate authority generated above. This certificate and key will be used by the Vault Agent Injector for TLS communications with the Kubernetes API.

First, create a private key for the certificate:

$ openssl genrsa -out tls.key 2048

Next, create a certificate signing request (CSR) to be used when signing the certificate:

$ openssl req \
   -new \
   -key tls.key \
   -out tls.csr \
   -subj "/C=US/ST=CA/L=San Francisco/O=HashiCorp/CN=vault-agent-injector-svc"

After creating the CSR, create an extension file to configure additional parameters for signing the certificate.

Important Note: The subject alternative names for the certificate must be configured to use the name of the Vault Agent Injector Kubernetes service and the namespace where it is created.

In this example the Vault Agent Injector service name is vault-agent-injector-svc in the vault namespace. This uses the pattern <k8s service name>.<k8s namespace>.svc.cluster.local.

$ cat <<EOF >csr.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = vault-agent-injector-svc
DNS.2 = vault-agent-injector-svc.vault
DNS.3 = vault-agent-injector-svc.vault.svc
DNS.4 = vault-agent-injector-svc.vault.svc.cluster.local
EOF

Finally, sign the certificate:

Important Note: Values such as days (how long the certificate is valid for) should be configured for your environment.

$ openssl x509 \
  -req \
  -in tls.csr \
  -CA injector-ca.crt \
  -CAkey injector-ca.key \
  -CAcreateserial \
  -out tls.crt \
  -days 1825 \
  -sha256 \
  -extfile csr.conf

Configuration

Now that a certificate authority and a signed certificate have been created, we can configure Helm and the Vault Agent Injector to use them.

First, create a Kubernetes secret containing the certificate and key created above:

Important Note: This example assumes the Vault Agent Injector is running in the vault namespace.

$ kubectl create secret generic injector-tls \
    --from-file tls.crt \
    --from-file tls.key \
    --namespace=vault

Next, base64 encode the certificate authority so Kubernetes can verify the authenticity of the certificate:

$ export CA_BUNDLE=$(cat injector-ca.crt | base64)

Finally, install the Vault Agent Injector with the following custom values:

$ helm install vault hashicorp/vault \
  --namespace=vault \
  --set="injector.certs.secretName=injector-tls" \
  --set="injector.certs.caBundle=${CA_BUNDLE?}"
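
Before the secret is created and the chart installed, the generated files can be checked for the three properties the steps above depend on: tls.crt verifies against injector-ca.crt, tls.key belongs to tls.crt, and the subject alternative names cover every service name form. This script is an added example, not part of the HashiCorp documentation or chart; the function names, the sample CA subject and the minimal req config are assumptions made for it.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on injector-ca.crt, tls.crt and tls.key.
# usage: check.sh CA_CRT TLS_CRT TLS_KEY SERVICE NAMESPACE
check_injector_cert() {
  local ca=$1 crt=$2 key=$3 svc=$4 ns=$5 name
  # 1. tls.crt must chain to the CA whose certificate is passed as caBundle.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca"; return 1; }
  # 2. tls.key must be the private key belonging to tls.crt.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $key does not match $crt"; return 1; }
  # 3. Each name form listed under [alt_names] must match a SAN entry.
  for name in "$svc" "$svc.$ns" "$svc.$ns.svc" "$svc.$ns.svc.cluster.local"; do
    openssl x509 -in "$crt" -noout -checkhost "$name" |
      grep -q "does match certificate" ||
      { echo "FAIL: no subjectAltName covers $name"; return 1; }
  done
  echo "OK: $crt is valid for $svc in namespace $ns"
}

# Constructed sample data: a throwaway CA and certificate written to
# directory $1. The CA subject and the minimal req config are assumptions.
make_sample_pki() {
  local d=$1 svc=$2 ns=$3
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'subjectKeyIdentifier=hash' >"$d/req.cnf"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints=CA:FALSE' \
    "subjectAltName=DNS:$svc,DNS:$svc.$ns,DNS:$svc.$ns.svc,DNS:$svc.$ns.svc.cluster.local" \
    >"$d/csr.conf"
  openssl genrsa -out "$d/injector-ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -config "$d/req.cnf" -key "$d/injector-ca.key" \
    -sha256 -days 30 -out "$d/injector-ca.crt" -subj "/CN=example-injector-ca" &&
  openssl genrsa -out "$d/tls.key" 2048 2>/dev/null &&
  openssl req -new -config "$d/req.cnf" -key "$d/tls.key" \
    -out "$d/tls.csr" -subj "/CN=$svc" &&
  openssl x509 -req -in "$d/tls.csr" -CA "$d/injector-ca.crt" \
    -CAkey "$d/injector-ca.key" -CAcreateserial -out "$d/tls.crt" \
    -days 30 -sha256 -extfile "$d/csr.conf" 2>/dev/null
}

if [ "$#" -eq 5 ]; then   # five arguments: check real files
  check_injector_cert "$@"
else                      # no arguments: demonstrate on the sample PKI
  demo=$(mktemp -d) && make_sample_pki "$demo" vault-agent-injector-svc vault &&
    check_injector_cert "$demo/injector-ca.crt" "$demo/tls.crt" \
      "$demo/tls.key" vault-agent-injector-svc vault
  rm -rf "$demo"
fi
```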