Vault Server Certificate

StarlingX optionally integrates the open source Vault containerized security application into the StarlingX solution.

Vault is a containerized secrets management application that provides encrypted storage with policy-based access control and supports multiple secrets storage engines and auth methods.

Refer to Vault Secret and Data Management for details about Vault installation and configuration.

Access to Vault is secured by HTTPS. The Vault server certificate, and the Root CA certificate from which it is issued, are stored in Kubernetes secrets in the vault namespace:

  • vault-ca: the Vault Root CA certificate and its private key

  • vault-server-tls: the Vault server certificate and its private key

A client that accesses the Vault server verifies the server certificate against the vault-ca Root CA certificate, so the client must be configured to trust the vault-ca Root CA certificate.

The section Configure Vault Using the Vault REST API contains examples that use curl to access Vault services.

Install Vault server certificate

By default, the Root CA certificate and key are created automatically, and the Vault server certificate is issued from that Root CA, when the Vault application is applied.

The Root CA certificate is valid for 10 years; the server certificate is valid for 3 months.

Update/Renew Vault certificates

Warning

Vault certificates are not renewed automatically. They must be renewed manually, before they expire, by updating the secrets with the new certificate files.

Refer to Create Certificates Locally using openssl for general guidance on generating certificates with openssl.

Procedure

The following procedure is an example of generating a new Vault server certificate from the existing Root CA certificate using openssl, and of updating the corresponding secret so that Vault uses the new certificate.

Because the existing Root CA is valid for 10 years, only the server certificate is renewed; the Root CA is reused to sign it. The example issues the new server certificate for 365 days, whereas the certificate created when the application is applied is valid for 3 months.

  1. Retrieve the Vault Root CA certificate and private key from the secret into files. The Root CA private key is the trust root for every Vault client, so keep the directory readable only by sysadmin and delete the key file once the new server certificate has been signed:

    ~(keystone_admin)]$ mkdir /home/sysadmin/vault_ca_cert
    ~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_cert.pem
    ~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.key}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_key.pem
    
  2. Create and sign a server certificate and key:

    • Create the server private key:

      ~(keystone_admin)]$ mkdir /home/sysadmin/vault_new_certs
      ~(keystone_admin)]$ openssl genrsa -out /home/sysadmin/vault_new_certs/vault-server-tls-key.pem 2048
      
    • Create the server certificate signing request (CSR).

      Create a CSR configuration file /home/sysadmin/vault_new_certs/extfile.cnf with the following content. The subjectAltName entries are the service and pod names under which the Vault server is reached; the [v3_req] section is applied when the Root CA signs the request in the next step:

      [req]
      prompt = no
      x509_extensions = v3_req
      distinguished_name = dn
      [dn]
      O = stx
      [v3_req]
      basicConstraints = critical, CA:FALSE
      extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = sva-vault
      DNS.2 = *.sva-vault-internal
      DNS.3 = *.vault.pod.cluster.local
      DNS.4 = sva-vault.vault
      DNS.5 = sva-vault.vault.svc
      DNS.6 = sva-vault.vault.svc.cluster.local
      DNS.7 = sva-vault-active.vault.svc.cluster.local
      IP.1 = 127.0.0.1
      
      ~(keystone_admin)]$ openssl req -new -key /home/sysadmin/vault_new_certs/vault-server-tls-key.pem -out /home/sysadmin/vault_new_certs/vault-server-tls.csr -config /home/sysadmin/vault_new_certs/extfile.cnf
      
    • Use the Root CA to sign the server certificate:

      ~(keystone_admin)]$ openssl x509 -req -in /home/sysadmin/vault_new_certs/vault-server-tls.csr -CA /home/sysadmin/vault_ca_cert/vault_ca_cert.pem -CAkey /home/sysadmin/vault_ca_cert/vault_ca_key.pem -CAcreateserial -out /home/sysadmin/vault_new_certs/vault-server-tls-cert.pem -days 365 -extensions v3_req -extfile /home/sysadmin/vault_new_certs/extfile.cnf
      
  3. Update the vault-server-tls secret with the new Vault server certificate and key:

    ~(keystone_admin)]$ kubectl create secret tls vault-server-tls --cert=/home/sysadmin/vault_new_certs/vault-server-tls-cert.pem --key=/home/sysadmin/vault_new_certs/vault-server-tls-key.pem --save-config --dry-run=client -n vault -o yaml | kubectl apply -f -
    
  4. Restart vault-manager, the agent injector and the Vault servers so that they use the new server certificate. Delete the Vault server pods one at a time and wait for each to come back up before deleting the next, so that the Vault cluster keeps quorum:

    ~(keystone_admin)]$ kubectl rollout restart statefulset sva-vault-manager -n vault
    ~(keystone_admin)]$ kubectl rollout restart deployment sva-vault-agent-injector -n vault
    
    ~(keystone_admin)]$ kubectl delete pod sva-vault-0 -n vault
    ~(keystone_admin)]$ kubectl delete pod sva-vault-1 -n vault
    ~(keystone_admin)]$ kubectl delete pod sva-vault-2 -n vault
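The whole procedure above as one script, with the checks a practitioner would run before replacing the secret: that the new certificate chains to the Root CA the clients trust, that the private key matches it, that it is a leaf certificate with the serverAuth usage and the expected subjectAltName entries, and how long it remains valid. This is an added example, not StarlingX project code. The kubectl steps run only when VAULT_APPLY=1 is set on a controller; otherwise a constructed throwaway CA stands in for vault-ca so the openssl and verification logic can be exercised on any host. The WORKDIR and VAULT_APPLY variables, the 300-second readiness timeout, and the use of kubectl wait for Ready (which assumes the restarted Vault pod is unsealed again before the next one is deleted) are assumptions of this example. The extension file is the one from the procedure with req_extensions instead of x509_extensions (so the CSR itself carries the SANs), the short EKU names serverAuth and clientAuth, an added keyUsage, and a v3_ca section used only for the stand-in CA.

```shell
#!/bin/sh
# Added example (not StarlingX project code): renew the Vault server certificate
# from the Root CA with openssl, check it, then load it into vault-server-tls.
# kubectl steps run only with VAULT_APPLY=1 on a controller; otherwise a
# constructed throwaway CA stands in for vault-ca so the rest runs anywhere.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # assumption; docs use /home/sysadmin/vault_new_certs
CA_CERT="$WORKDIR/vault_ca_cert.pem"; CA_KEY="$WORKDIR/vault_ca_key.pem"
SRV_KEY="$WORKDIR/vault-server-tls-key.pem"; SRV_CSR="$WORKDIR/vault-server-tls.csr"
SRV_CERT="$WORKDIR/vault-server-tls-cert.pem"; EXTFILE="$WORKDIR/extfile.cnf"
# Same SANs as the procedure; req_extensions so the CSR itself carries them,
# plus a v3_ca section that is only used for the stand-in CA.
write_extfile() {
cat > "$EXTFILE" <<'EOF'
[req]
prompt = no
req_extensions = v3_req
distinguished_name = dn
[dn]
O = stx
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = sva-vault
DNS.2 = *.sva-vault-internal
DNS.3 = *.vault.pod.cluster.local
DNS.4 = sva-vault.vault
DNS.5 = sva-vault.vault.svc
DNS.6 = sva-vault.vault.svc.cluster.local
DNS.7 = sva-vault-active.vault.svc.cluster.local
IP.1 = 127.0.0.1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}
# Step 1 on a real cluster: pull the Root CA out of the vault-ca secret.
fetch_ca_from_secret() {
  kubectl get secret -n vault vault-ca -o jsonpath='{.data.tls\.crt}' | base64 --decode > "$CA_CERT"
  kubectl get secret -n vault vault-ca -o jsonpath='{.data.tls\.key}' | base64 --decode > "$CA_KEY"
  chmod 600 "$CA_KEY"
}
# Offline stand-in: a constructed test CA, NOT the cluster's vault-ca.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CERT" -days 3650 \
    -config "$EXTFILE" -extensions v3_ca -subj "/O=stx/CN=constructed-test-ca" 2>/dev/null
  chmod 600 "$CA_KEY"
}
# Step 2: server key, CSR, and Root-CA-signed certificate (default 365 days).
issue_server_cert() {
  openssl genrsa -out "$SRV_KEY" 2048 2>/dev/null
  chmod 600 "$SRV_KEY"
  openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" -config "$EXTFILE"
  openssl x509 -req -in "$SRV_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$SRV_CERT" -days "${1:-365}" -extensions v3_req -extfile "$EXTFILE" 2>/dev/null
}
# Checks to run before the secret is replaced; non-zero means do not apply.
verify_server_cert() {
  text="$(openssl x509 -noout -text -in "$SRV_CERT")"
  # chains to the Root CA that the Vault clients trust
  openssl verify -CAfile "$CA_CERT" "$SRV_CERT" >/dev/null || { echo "chain check failed"; return 1; }
  # the private key belongs to this certificate
  [ "$(openssl x509 -noout -pubkey -in "$SRV_CERT")" = "$(openssl pkey -pubout -in "$SRV_KEY")" ] \
    || { echo "key/cert mismatch"; return 1; }
  # a leaf certificate usable for server auth, carrying the names Vault and its clients use
  echo "$text" | grep -q 'CA:FALSE' || { echo "not a leaf certificate"; return 1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' || { echo "no serverAuth EKU"; return 1; }
  for n in 'DNS:sva-vault,' 'DNS:sva-vault-active.vault.svc.cluster.local' 'IP Address:127.0.0.1'; do
    case "$text" in *"$n"*) ;; *) echo "missing SAN $n"; return 1 ;; esac
  done
}
# Returns 0 if the certificate is still valid N days from now (openssl -checkend).
cert_valid_for_days() { openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$SRV_CERT" >/dev/null; }
# Steps 3 and 4: replace the secret, restart consumers, Vault pods one at a time.
apply_to_cluster() {
  kubectl create secret tls vault-server-tls --cert="$SRV_CERT" --key="$SRV_KEY" \
    --save-config --dry-run=client -n vault -o yaml | kubectl apply -f -
  kubectl rollout restart statefulset sva-vault-manager -n vault
  kubectl rollout restart deployment sva-vault-agent-injector -n vault
  for pod in sva-vault-0 sva-vault-1 sva-vault-2; do   # keep quorum: wait for Ready before the next
    kubectl delete pod "$pod" -n vault
    kubectl wait --for=condition=Ready pod/"$pod" -n vault --timeout=300s   # assumed timeout
  done
  rm -f "$CA_KEY"                                      # extracted Root CA key no longer needed on disk
}
main() {
  write_extfile
  if [ "${VAULT_APPLY:-0}" = "1" ]; then fetch_ca_from_secret; else make_test_ca; fi
  issue_server_cert 365
  verify_server_cert
  if [ "${VAULT_APPLY:-0}" = "1" ]; then apply_to_cluster; fi
  echo "new certificate: $SRV_CERT ($(openssl x509 -noout -enddate -in "$SRV_CERT"))"
}
main
```

Run it without VAULT_APPLY to see the openssl part end to end against the stand-in CA; run it as sysadmin with VAULT_APPLY=1 to renew the real certificate. After the pods are back, confirm the new certificate is the one being served by repeating one of the curl calls from Configure Vault Using the Vault REST API with --cacert pointing at the extracted vault_ca_cert.pem; a certificate that fails verify_server_cert should never reach the secret, because a mismatched key or a missing SAN only shows up as TLS failures once the pods restart.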