Vault Server Certificate
StarlingX integrates the open source Vault containerized security application (optional) into the StarlingX solution.
Vault is a containerized secrets management application that provides encrypted storage with policy-based access control and supports multiple secrets storage engines and auth methods.
For details about Vault installation and configuration, refer to Vault Secret and Data Management.
Access to Vault is secured by HTTPS. The Vault server certificate and the Root CA certificate from which it is generated are stored in Kubernetes secrets in the vault namespace:
vault-ca: the Vault Root CA certificate
vault-server-tls: the Vault server certificate
A client that accesses a Vault server verifies the Vault server certificate against the vault-ca Root CA certificate. Therefore, the client needs to be configured to trust the vault-ca Root CA certificate.
In the section Configure Vault Using the Vault REST API, there are examples using curl to access Vault services.
Install Vault server certificate
During Vault application-apply, after the Root CA certificate and key have been created automatically, Cert Manager generates the Vault server certificate from the Root CA certificate.
The Root CA certificate is valid for 10 years, while the server certificate is valid for 3 months.
Note
The vault-ca Root CA certificate is re-created when the Vault app is removed and re-applied.
Update/Renew Vault certificates
The Vault Root CA certificate is not auto-renewed. It must be updated manually by updating the vault-ca secret from new certificate files. The Vault server certificate (the vault-server-tls secret) is renewed automatically by Cert Manager, but the Vault server re-reads its certificates only when prompted by a SIGHUP signal. In both cases, it is necessary to send a SIGHUP signal to the Vault server processes so that they read the updated certificates before the old certificates expire. Send SIGHUP (signal 1) to each of the Vault server processes using the following kubectl command, repeating it for each Vault server pod:
POD=sva-vault-0
kubectl exec -n vault $POD -- pkill -1 -x vault
For information on how to generate a Root CA certificate using openssl in general, see Create Certificates Locally using openssl. Refer to kubectl create secret tls --help to create a Kubernetes secret of type tls.
Note
After updating the CA certificate in the vault-ca secret, it is necessary to delete the vault-server-tls secret that contains the Vault server certificate generated by Cert Manager. Cert Manager does not automatically renew certificate resources when the CA is changed. Refer to https://github.com/cert-manager/cert-manager/issues/5851.
After the Root CA is updated and Cert Manager regenerates the Vault server certificate, send a SIGHUP signal to prompt the Vault server process to load the new certificates.
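The complete renewal sequence described in this section (replace vault-ca, delete vault-server-tls so that Cert Manager reissues the server certificate, then SIGHUP every Vault server pod) as one script. This is an added example, not StarlingX tooling; it assumes kubectl access to the cluster, that the Vault server pods carry the sva-vault- name prefix seen in the sample command above, and that a new CA with less than 30 days of remaining validity should be rejected.

```shell
#!/usr/bin/env bash
# Rotate the Vault Root CA on StarlingX: replace the vault-ca secret, make
# Cert Manager reissue the server certificate, then SIGHUP every Vault pod.
# Added example, not StarlingX code; the "sva-vault-" pod name prefix is taken
# from the page's sample pod name and may differ on your deployment.
set -e
NS="${VAULT_NS:-vault}"
# Refuse a CA that is expired or expires within 30 days (2592000 s): once
# Vault reloads such a certificate, clients can no longer verify the server.
check_ca_cert() {
  openssl x509 -in "$1" -noout -checkend 2592000
}

# kubectl create secret tls refuses to overwrite an existing secret, so render
# it client-side and apply it over the current vault-ca secret.
update_vault_ca() {
  kubectl create secret tls vault-ca -n "$NS" --cert="$1" --key="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Cert Manager does not reissue when the CA changes (cert-manager issue 5851),
# so delete the server certificate secret and wait for it to be recreated.
reissue_server_cert() {
  kubectl delete secret vault-server-tls -n "$NS"
  for i in $(seq 1 60); do
    if kubectl get secret vault-server-tls -n "$NS" >/dev/null 2>&1; then
      return 0
    fi
    sleep 5
  done
  echo "vault-server-tls was not recreated within 5 minutes" >&2
  return 1
}

# Vault re-reads certificates only on SIGHUP; signal every server pod, not
# just sva-vault-0, so no replica keeps serving the old chain.
reload_vault_pods() {
  pods=$(kubectl get pods -n "$NS" -o name | grep '^pod/sva-vault-' || true)
  [ -n "$pods" ] || { echo "no Vault server pods found in $NS" >&2; return 1; }
  for pod in $pods; do
    kubectl exec -n "$NS" "${pod#pod/}" -- pkill -1 -x vault
  done
}
renew_vault_ca() {
  check_ca_cert "$1" && update_vault_ca "$1" "$2" \
    && reissue_server_cert && reload_vault_pods
}
# Usage: ./renew-vault-ca.sh new-ca.crt new-ca.key
if [ "$#" -eq 2 ]; then renew_vault_ca "$1" "$2"; fi
```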