Standalone Server with TLS
Important Note: This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
This example can be used to set up a single server Vault cluster using TLS.
1. Create key & certificate using Kubernetes CA
2. Store key & cert into Kubernetes secrets store
3. Configure helm chart to use Kubernetes secret from step 2
1. Create key & certificate using Kubernetes CA
There are three variables that will be used in this example.
Create a key for Kubernetes to sign.
Create a Certificate Signing Request (CSR).
Create a file ${TMPDIR}/csr.conf with the following contents:
Create a CSR.
Create the certificate
Create a file ${TMPDIR}/csr.yaml with the following contents:
CSR_NAME can be any name you want. It's the name of the CSR as seen by Kubernetes.
Send the CSR to Kubernetes.
If this process is automated, you may need to wait to ensure the CSR has been received and stored:
kubectl get csr ${CSR_NAME}
Approve the CSR in Kubernetes.
2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
Retrieve the certificate.
If this process is automated, you may need to wait to ensure the certificate has been created. If it hasn't, this will return an empty string.
Write the certificate out to a file.
Retrieve Kubernetes CA.
Store the key, cert, and Kubernetes CA into Kubernetes secrets.
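The two "If this process is automated" notes above call for waiting on the CSR object and on the signed certificate. As an added example (not part of the original documentation), these POSIX shell helpers implement both waits with a bounded number of polls and reject a result that is not a PEM certificate. The function names, attempt counts, POLL_INTERVAL and the vault.crt file name are assumptions; CSR_NAME and TMPDIR are the page's variables.

```sh
# Added example, not from the Vault documentation. Function names, attempt
# counts and POLL_INTERVAL are assumptions; CSR_NAME and TMPDIR are the page's.
# Each function body is a subshell "( ... )", so its variables stay local.

# wait_for_csr NAME [ATTEMPTS]: succeed once Kubernetes has stored the CSR.
wait_for_csr() (
  name=$1; attempts=${2:-30}; i=0
  while [ "$i" -lt "$attempts" ]; do
    kubectl get csr "$name" >/dev/null 2>&1 && exit 0
    i=$((i + 1)); sleep "${POLL_INTERVAL:-2}"
  done
  echo "CSR $name not visible after $attempts attempts" >&2
  exit 1
)

# fetch_signed_cert NAME OUTFILE [ATTEMPTS]: poll .status.certificate, which is
# an empty string until the CSR is approved and signed, then decode to OUTFILE.
fetch_signed_cert() (
  name=$1; out=$2; attempts=${3:-30}; i=0; b64=""
  while [ "$i" -lt "$attempts" ]; do
    b64=$(kubectl get csr "$name" -o jsonpath='{.status.certificate}') || exit 1
    [ -n "$b64" ] && break
    i=$((i + 1)); sleep "${POLL_INTERVAL:-2}"
  done
  if [ -z "$b64" ]; then
    echo "CSR $name has no certificate; has it been approved?" >&2
    exit 1
  fi
  printf '%s' "$b64" | base64 -d > "$out" || { rm -f "$out"; exit 1; }
  # Refuse to hand anything that is not a PEM certificate to the next step.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$out"; then
    echo "decoded data for $name is not a PEM certificate" >&2
    rm -f "$out"; exit 1
  fi
)

# Usage inside the flow above (vault.crt is an assumed file name):
#   kubectl create -f "${TMPDIR}/csr.yaml"
#   wait_for_csr "${CSR_NAME}" && kubectl certificate approve "${CSR_NAME}"
#   fetch_signed_cert "${CSR_NAME}" "${TMPDIR}/vault.crt"
```

Both helpers return non-zero on timeout, so a script running under `set -e` stops before an empty certificate reaches the Kubernetes secret.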
3. Helm Configuration
The below custom-values.yaml can be used to set up a single server Vault cluster using TLS.
This assumes that a Kubernetes secret exists with the server certificate, key and certificate authority: