Allow mTLS between VSO and external Vault instance #298

Open
bbucko opened this issue Jul 26, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

bbucko commented Jul 26, 2023

Is your feature request related to a problem? Please describe.
Our instance of Vault is using mTLS and we are unable to provide a client cert/key. All attempts end up in 'remote error: tls: bad certificate'.

Describe the solution you'd like
A set of annotations that would make it possible to provide a reference to a secret containing a private key/cert, which would be used to establish an mTLS connection with the external instance of Vault.

Describe alternatives you've considered
Tried adding annotations (vault.hashicorp.com/tls-secret or vault.hashicorp.com/client-cert) but they are not working.

bbucko added the enhancement label Jul 26, 2023

kschoche (Contributor) commented
Hi @bbucko - Thanks for filing this issue,
We currently have fields defined as part of the VaultConnection custom resource under Spec.tlsServerName/caCertSecretRef here, which I think should work for this, unless I'm missing something in your request.
Can you take a look at that and see if it fits your use case?
If not, could you point out what it is missing?
Cheers,
~Kyle

bbucko (Author) commented Jul 26, 2023

Hi,
caCertSecretRef seems like a way to define the CA certificate, but I want to additionally define fields that would act as https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-cert and https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-key.
Unless there's some "secret" field I'm missing, it's not possible to configure the TLS config to pick up a client cert/key.
I think that we could potentially use environment variables to define both and point them to mounted secrets in the container, but the Chart does not allow doing that at the moment (I think there's a separate issue for fixing this: #287).
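The gap this reply describes, as an added illustration in Go (not VSO's or Vault's own code): a loopback listener configured the way an mTLS-enforcing Vault listener is (client certificate required and verified, comparable to Vault's tls_require_and_verify_client_cert setting) rejects a client that only trusts the server CA, which is all caCertSecretRef supplies, and accepts the same client once it also presents a client key/cert. The hostname and all certificate material are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// selfSigned: throwaway self-signed cert for host plus a pool trusting it (constructed test material).
func selfSigned(host string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// Connect dials a loopback listener that, like a Vault listener with tls_require_and_verify_client_cert, requires a trusted client cert.
func Connect(withClientCert bool) error {
	cert, pool := selfSigned("vault.example.internal") // constructed name; one cert plays CA, server and client
	// Demo-only TLS 1.2 cap: the rejection then lands inside the handshake as the issue's
	// "remote error: tls: bad certificate"; under TLS 1.3 it would surface on the first read instead.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MaxVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: finish (or fail) the handshake, then close
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "vault.example.internal"} // CA only: what caCertSecretRef gives VSO
	if withClientCert {
		cfg.Certificates = []tls.Certificate{cert} // the client key/cert a VaultConnection cannot carry
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // nil error: the server accepted this client
	if err == nil {
		conn.Close()
	}
	return err
}
func main() { fmt.Println("CA only:", Connect(false), "| with client cert:", Connect(true)) }
```

Connect(false) fails with the TLS alert the issue quotes, Connect(true) returns nil; the only difference between the two client configs is the presence of a client certificate.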

nia-potato commented

hey @bbucko did you get this resolved at last?

bbucko (Author) commented Jan 26, 2024

Nah, we switched to a different secrets management system.

huyquanha commented

Hello 👋 I'm having the same issue. As mentioned caCertSecretRef seems to only contain the CA certificate. How would we define a client key and a client certificate in the TLS config, so that we can enable mTLS on the Vault server?
