hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Allow mTLS between VSO and external Vault instance #298

Open bbucko opened 1 year ago

bbucko commented 1 year ago

Is your feature request related to a problem? Please describe. Our instance of Vault is using mTLS and we are unable to provide a client cert/key. All attempts end up in 'remote error: tls: bad certificate'

Describe the solution you'd like Set of annotations that would make it possible to provide reference to a secret containing private key/cert which would be used to establish mTLS connection with external instance of Vault.

Describe alternatives you've considered Tried adding annotations (vault.hashicorp.com/tls-secret or vault.hashicorp.com/client-cert) but they are not working.

kschoche commented 1 year ago

Hi @bbucko - Thanks for filing this issue. We currently have fields defined as part of the VaultConnection custom resource under Spec.tlsServerName/caCertSecretRef here, which I think should work for this, unless I'm missing something in your request. Can you take a look at that and see if it fits your use case? If not, could you point out what it is missing? Cheers, ~Kyle

bbucko commented 1 year ago

Hi, caCertSecretRef seems like a way to define CA Certificate but I want to additionally define fields that would act as https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-cert and https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations#vault-hashicorp-com-client-key. Unless there's some "secret" field I'm missing, it's not possible to configure TLS Config to pick up client cert/key. I think that we could potentially use environment variables to define both and point them to a mounted secrets in the container but Chart does not allow to do it at the moment (I think there's a separate issue for fixing this: https://github.com/hashicorp/vault-secrets-operator/issues/287).

nia-potato commented 9 months ago

hey @bbucko did you get this resolved at last?

bbucko commented 9 months ago

Nah, we switched to a different secrets management system.

huyquanha commented 2 weeks ago

Hello 👋 I'm having the same issue. As mentioned caCertSecretRef seems to only contain the CA certificate. How would we define a client key and a client certificate in the TLS config, so that we can enable mTLS on the Vault server?

Aurelian-Shuttleworth commented 3 days ago

I am having the same issue; we secure the Vault ingress using mTLS client certificates.

With the Vault CSI driver this can be done using the '-vault-tls-client-cert' flag, but I am unable to find a way to do this with the secrets operator.

Without this, I will need to look into using External Secrets Operator instead, as it has this feature: https://external-secrets.io/latest/provider/hashicorp-vault/#mutual-authentication-mtls