hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

[VaultPKISecret] Populate ca.crt from the vault issuing_ca #178

Closed djds closed 1 week ago

djds commented 1 year ago

Populate ca.crt from the vault issuing_ca field in the Kubernetes secret created by VaultPKISecret if the target secret is of type kubernetes.io/tls. Many Kubernetes applications expect a CA to be located at that key and this would obviate the need for separate CA ConfigMaps or Secrets in many cases. This is especially useful because Vault works great as a cluster CA, but would also simplify the rollout of new trust anchors when the CA is updated or rotated.

nia-potato commented 1 year ago

I also have this requirement, and it is blocking deployment; we cannot expect to not auto-populate caCertSecret when rolling out vso to clusters.

tvoran commented 4 months ago

BTW, this can now be done using a template:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: example
spec:
  ...
  destination:
    name: pki1
    transformation:
      templates:
        ca.crt:
          text: |
            {{- printf "%s" (get .Secrets "issuing_ca") -}}

benashz commented 2 weeks ago

Indeed, secrets transformations should now be honoured for kubernetes.io/tls Secret type. That requires v0.7.0 or greater.
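As an added example (not code from this thread or from the operator itself): rendering the ca.crt template shown above with Go's text/template over constructed Vault PKI response fields, then checking that what lands in ca.crt is actually a usable CA certificate rather than an empty or malformed value. The get function is registered locally as an assumed stand-in for the sprig helper VSO exposes, and the CA is a throwaway self-signed one generated in the block.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"text/template"
	"time"
)

// Template text from the comment above; "get" is registered below as an assumed stand-in for sprig's get.
const caCrtTemplate = `{{- printf "%s" (get .Secrets "issuing_ca") -}}`

// renderCACrt renders the ca.crt template over the Vault PKI response fields.
func renderCACrt(secrets map[string]interface{}) (string, error) {
	funcs := template.FuncMap{"get": func(m map[string]interface{}, k string) interface{} { return m[k] }}
	tpl, err := template.New("ca.crt").Funcs(funcs).Parse(caCrtTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tpl.Execute(&buf, map[string]interface{}{"Secrets": secrets})
	return buf.String(), err
}

// isCAPEM checks the rendered value is exactly one PEM CERTIFICATE with IsCA set (a usable trust anchor).
func isCAPEM(s string) bool {
	block, rest := pem.Decode([]byte(s))
	if block == nil || block.Type != "CERTIFICATE" || len(bytes.TrimSpace(rest)) != 0 {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && cert.IsCA
}

// newTestCAPEM builds a throwaway self-signed CA as constructed input (not issued by Vault).
func newTestCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

If issuing_ca is absent from the response, the template still renders (to a placeholder string), so the isCAPEM check is what catches a ca.crt that no consumer could trust.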