This repository facilitates the setup of an existing Vault cluster using the Vault provider.
- Configuring an AppRole: learn what an AppRole is and how to set one up by reading this.
- Configure cert-manager: to easily provision certificates in Kubernetes, consider reading this documentation.
- Backup and Restore: implement a backup strategy by following the Backup and Restore guide.
- Cluster Creation: start by following the cluster creation instructions available here.
Required Files: Ensure you have these files, generated in the previous step:

- intermediate-ca.pem
- root-ca.pem
- root-ca-key.pem

⚠️ Important: The `root-ca-key.pem` file is highly sensitive. Store it securely and delete it immediately after use.
Vault Authentication:

Authenticate to the Vault instance using the root token:

```bash
export VAULT_TOKEN=<token>
export VAULT_SKIP_VERIFY=true   # disables TLS certificate verification of the Vault endpoint
export VAULT_ADDR=https://bao.priv.cloud.ogenki.io:8200
```

ℹ️ Note: This guide does not cover setting up an authentication method. For routine operations, use an identity provider rather than the root token, and make sure the root token is stored securely.
Enable PKI and Set TTL:

Enable the PKI (Public Key Infrastructure) secrets engine and set the maximum Time To Live (TTL) to 10 years:

```bash
bao secrets enable pki
bao secrets tune -max-lease-ttl=315360000 pki
```
Build and Import the Full Chain Bundle:

Create the bundle (intermediate certificate, root certificate and intermediate private key) and import it into Vault:

```bash
cd terraform/openbao/management
cat .tls/intermediate-ca.pem .tls/root-ca.pem .tls/intermediate-ca-key.pem > .tls/bundle.pem
bao write pki/config/ca pem_bundle=@.tls/bundle.pem
```
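Before running the import, it is worth checking that the bundle contains exactly what the command above is meant to produce. The shell script below is an added example, not code from this repository; it assumes the file names of this guide under a `.tls/` directory and reads `root-ca-key.pem` only to confirm that it did not end up in the bundle.

```bash
#!/bin/sh
# Added example (not part of the repository): build the PEM bundle written to
# pki/config/ca and sanity-check it before the import. Assumes the guide's file
# names under a .tls/ directory: intermediate-ca.pem, root-ca.pem,
# intermediate-ca-key.pem. root-ca-key.pem is only consulted to make sure it
# is NOT in the bundle.
set -eu

# build_bundle DIR: concatenate intermediate cert, root cert and intermediate
# key, in the order the guide uses, into DIR/bundle.pem. The subshell keeps
# the restrictive umask (bundle contains a private key) from leaking out.
build_bundle() {
  ( umask 077
    cat "$1/intermediate-ca.pem" "$1/root-ca.pem" "$1/intermediate-ca-key.pem" > "$1/bundle.pem" )
}

# count_blocks FILE PATTERN: number of PEM headers in FILE matching PATTERN.
count_blocks() {
  grep -c -- "-----BEGIN $2" "$1" || true
}

# first_line FILE: first base64 line of a single-block PEM file, used as a
# cheap fingerprint to tell the two private keys apart without openssl.
first_line() {
  sed -n '2p' "$1"
}

# check_bundle DIR: succeed only if bundle.pem holds exactly two certificates
# and one private key, that key is the intermediate key, and the root key
# (if it still exists next to the bundle) is absent.
check_bundle() {
  b="$1/bundle.pem"
  [ "$(count_blocks "$b" CERTIFICATE)" -eq 2 ] || { echo "expected 2 certificates in $b" >&2; return 1; }
  [ "$(count_blocks "$b" '.*PRIVATE KEY')" -eq 1 ] || { echo "expected exactly 1 private key in $b" >&2; return 1; }
  grep -qF -- "$(first_line "$1/intermediate-ca-key.pem")" "$b" || { echo "intermediate key missing from $b" >&2; return 1; }
  if [ -f "$1/root-ca-key.pem" ] && grep -qF -- "$(first_line "$1/root-ca-key.pem")" "$b"; then
    echo "root CA key found in $b; it must never be imported into Vault" >&2
    return 1
  fi
}
```

Run `build_bundle .tls && check_bundle .tls` from `terraform/openbao/management` and only proceed with `bao write` when it exits 0.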
Prepare the variables.tfvars File:

Example configuration:

```hcl
domain_name      = "priv.cloud.ogenki.io"
pki_country      = "France"
pki_organization = "Ogenki"
pki_domains = [
  "cluster.local",
  "priv.cloud.ogenki.io"
]
tags = {
  project = "cloud-native-ref"
  owner   = "Smana"
}
```
Execute OpenTofu Commands:

Initialize and apply the OpenTofu configuration:

```bash
tofu init
tofu apply -var-file variables.tfvars
```
Test by Generating a Certificate:

Generate a certificate and verify it against the CA chain returned by Vault:

```bash
bao write -format=json pki_private_issuer/issue/pki_private_issuer \
  common_name="foobar.priv.cloud.ogenki.io" ttl="720h" > data.json
jq -r '.data.ca_chain[]' data.json > bao_ca_chain.pem
jq -r '.data.certificate' data.json > foobar-cert.pem
openssl verify -CAfile bao_ca_chain.pem foobar-cert.pem
```

The output should confirm `foobar-cert.pem: OK`. Then clean up the test files:

```bash
rm data.json bao_ca_chain.pem foobar-cert.pem
```
Requirements:

| Name | Version |
|---|---|
| terraform | ~> 1.4 |
| aws | ~> 5.0 |
| vault | ~> 4.0 |

Providers:

| Name | Version |
|---|---|
| vault | ~> 4.0 |

Modules:

No modules.
Resources:

| Name | Type |
|---|---|
| vault_approle_auth_backend_role.cert_manager | resource |
| vault_approle_auth_backend_role.snapshot | resource |
| vault_auth_backend.approle | resource |
| vault_mount.secret | resource |
| vault_mount.this | resource |
| vault_pki_secret_backend_intermediate_cert_request.this | resource |
| vault_pki_secret_backend_intermediate_set_signed.this | resource |
| vault_pki_secret_backend_issuer.this | resource |
| vault_pki_secret_backend_key.this | resource |
| vault_pki_secret_backend_role.this | resource |
| vault_pki_secret_backend_root_sign_intermediate.this | resource |
| vault_policy.admin | resource |
| vault_policy.cert_manager | resource |
| vault_policy.snapshot | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_cidr_blocks | List of CIDR blocks allowed to reach Vault's API | list(string) | [ | no |
| domain_name | The domain name for which the certificate should be issued | string | n/a | yes |
| openbao_domain_name | Vault domain name (default: `bao.<domain_name>`) | string | "" | no |
| pki_common_name | Common name to identify the Vault issuer | string | "Private PKI - Vault Issuer" | no |
| pki_country | The country name used for generating certificates | string | n/a | yes |
| pki_domains | List of domain names that can be used within the certificates | list(string) | [ | no |
| pki_key_bits | The number of bits of generated keys | number | 256 | no |
| pki_key_type | The generated key type | string | "ec" | no |
| pki_max_lease_ttl | Maximum TTL (in seconds) that can be requested for certificates (default 3 years) | number | 94670856 | no |
| pki_mount_path | Vault Issuer PKI mount path | string | "pki_private_issuer" | no |
| pki_organization | The organization name used for generating certificates | string | n/a | yes |

Outputs:

No outputs.