Creating a cluster-issuer in cert-manager with Vault

Using Vault Kubernetes Authentication and PKI Secret

Yuwei Sung
Dec 22, 2021

The Vault and cert-manager official docs are pretty clear about how cert-manager works with Vault Kubernetes auth and the PKI secrets engine. In this article, we show how to create a ClusterIssuer in cert-manager.

Following my latest blog on Vault HA in k8s, we first turn on Kubernetes authentication (in line 6). Then we configure the k8s authentication with the default service account (in line 7) and define the binding between the cert-manager service account and the Vault k8s policy (in line 13). Note that we will create the cert-manager service account and namespace later.

Next, we enable the Vault PKI secrets engine to create a self-signed CA for a domain name (in lines 6 and 8). In lines 9 and 10, we configure how clients can request/revoke certificates and which roles can access the PKI secrets. In lines 11 to 16, we define the PKI policies.

Now we are ready to deploy cert-manager. The following gist shows the steps. In lines 5 to 10, we use Helm to deploy the current version of cert-manager. In line 12, we create a service account in the cert-manager namespace and export the service account token name. Lines 16 to 33 are the cert-manager ClusterIssuer YAML file; this section describes the Vault PKI path and the Kubernetes authentication. In line 34, we apply the ClusterIssuer. If everything goes correctly, we get the result shown in lines 35 to 37.
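As an added example that is not one of the post's gists, the three steps above (Kubernetes auth, PKI engine and policy, cert-manager deployment with the ClusterIssuer) collected into one script. Everything named in it is an assumption rather than a value from the post: Vault reachable from the cert-manager pods at http://vault.vault.svc:8200, CA domain example.com, PKI role example-dot-com, Vault policy and auth role both called cert-manager, service account cert-manager-vault, token Secret cert-manager-vault-token and ClusterIssuer vault-issuer. The Vault policy grants only pki/sign for that one role and the auth role is bound to that one service account and namespace, which is the least-privilege shape the ClusterIssuer needs; cert-manager generates private keys itself and only sends CSRs, so pki/issue is not granted.

```shell
#!/bin/sh
# Added example, not the post's gists. All names below are assumptions.
# Usage: sh cluster-issuer.sh apply   (needs vault, kubectl and helm logged in)
set -eu

VAULT_URL="${VAULT_URL:-http://vault.vault.svc:8200}"   # Vault as seen by cert-manager pods
CA_DOMAIN="${CA_DOMAIN:-example.com}"
PKI_ROLE="example-dot-com"
VAULT_ROLE="cert-manager"          # Vault k8s auth role and policy share this name
CM_NS="cert-manager"
CM_SA="cert-manager-vault"         # service account the ClusterIssuer authenticates as
TOKEN_SECRET="cert-manager-vault-token"
ISSUER="vault-issuer"

# Policy with only what the issuer needs: signing CSRs under one PKI role.
# pki/issue is deliberately absent so Vault never generates or returns private keys.
pki_policy_hcl() {
  cat <<EOF
path "pki/sign/${PKI_ROLE}" {
  capabilities = ["create", "update"]
}
EOF
}

# ClusterIssuer manifest. secretRef is resolved in the cluster resource namespace
# (cert-manager by default), not in the namespace of a Certificate.
render_cluster_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${ISSUER}
spec:
  vault:
    server: ${VAULT_URL}
    path: pki/sign/${PKI_ROLE}
    auth:
      kubernetes:
        role: ${VAULT_ROLE}
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: ${TOKEN_SECRET}
          key: token
EOF
}

# Step 1: Kubernetes auth. kubernetes_host is the in-cluster API address, which is
# what an in-cluster Vault can reach. token_reviewer_jwt is left out: a Vault 1.9+
# running in-cluster reviews tokens with its own service account; an external Vault
# needs one passed explicitly. The role is bound to exactly one SA in one namespace.
configure_kubernetes_auth() {
  vault auth enable kubernetes || true          # tolerate re-runs
  vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443" \
    kubernetes_ca_cert="$(kubectl get configmap kube-root-ca.crt -n default -o jsonpath='{.data.ca\.crt}')"
  pki_policy_hcl | vault policy write "${VAULT_ROLE}" -
  vault write "auth/kubernetes/role/${VAULT_ROLE}" \
    bound_service_account_names="${CM_SA}" \
    bound_service_account_namespaces="${CM_NS}" \
    policies="${VAULT_ROLE}" ttl=20m
}

# Step 2: PKI engine, self-signed root CA, issuing/CRL URLs and the signing role.
configure_pki() {
  vault secrets enable pki || true
  vault secrets tune -max-lease-ttl=87600h pki
  vault write pki/root/generate/internal common_name="${CA_DOMAIN}" ttl=87600h
  vault write pki/config/urls \
    issuing_certificates="${VAULT_URL}/v1/pki/ca" \
    crl_distribution_points="${VAULT_URL}/v1/pki/crl"
  vault write "pki/roles/${PKI_ROLE}" \
    allowed_domains="${CA_DOMAIN}" allow_subdomains=true max_ttl=72h
}

# Step 3: cert-manager via Helm, the service account, its token Secret (created
# explicitly so it also works on clusters that no longer auto-create SA tokens),
# then the ClusterIssuer and a wait for Ready.
deploy_cert_manager() {
  helm repo add jetstack https://charts.jetstack.io
  helm repo update
  helm upgrade --install cert-manager jetstack/cert-manager \
    --namespace "${CM_NS}" --create-namespace --set installCRDs=true --wait
  kubectl create serviceaccount "${CM_SA}" -n "${CM_NS}" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${TOKEN_SECRET}
  namespace: ${CM_NS}
  annotations:
    kubernetes.io/service-account.name: ${CM_SA}
type: kubernetes.io/service-account-token
EOF
  render_cluster_issuer | kubectl apply -f -
  kubectl wait --for=condition=Ready "clusterissuer/${ISSUER}" --timeout=120s
}

if [ "${1:-}" = "apply" ]; then
  configure_kubernetes_auth
  configure_pki
  deploy_cert_manager
fi
```

The final `kubectl wait` is the check that replaces eyeballing the output: the ClusterIssuer only turns Ready once cert-manager has logged in to Vault with the token in the Secret and fetched the CA, so a failure there points at the auth role binding, the policy or the server URL rather than at the Certificate you create next.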

Next, we can create certificates in k8s. Stay tuned.

A data nerd who started as a data center field engineer and became a cloud database reliability engineer.