hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Add support for keystores in VaultPKISecret #346

Open vlaborie opened 1 year ago

vlaborie commented 1 year ago

Hello,

Some apps need certificates stored in a password-protected PKCS12 keystore.

I currently use a cert-manager Certificate with this config to create a password-protected keystore.

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-example
spec:
  commonName: example
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: issuer
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        key: password
        name: keycloak-pkcs12
  secretName: certificate-secret

That adds keystore.p12 and truststore.p12 keys to the created Kubernetes secret, which can be mounted as a Kubernetes volume.

Can you add PKCS12 keystore support to VaultPKISecret?

Thanks.

negwu01 commented 8 months ago

Hi @vlaborie, do you know if this has been added to Vault? I would like to use this PKCS12 in a Java/Spring Boot application. Thanks

vlaborie commented 8 months ago

Hi @negwu01,

That hasn't been included in Vault to my knowledge.

As a workaround, I use an OpenJDK initContainer to create a PKCS12 keystore and truststore from the TLS secret created by VaultPKISecret:

      initContainers:
        - name: keystores-importer
          image: adoptopenjdk/openjdk11@sha256:496b9e399a3ae15fc673c9b7cf736b748292bef5ac8ec5063b469c51f4903e94
          imagePullPolicy: IfNotPresent
          env:
            - name: SSL_KEYSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: pkcs12
                  optional: false
          command: ['sh']
          args:
            - -c
            - >-
              openssl pkcs12 -export -name user -password env:SSL_KEYSTORE_PASSWORD -inkey /egress-tls/tls.key -in /egress-tls/tls.crt -certfile /egress-tls/issuing_ca -out /keystores/keystore.p12 &&
              keytool -importcert -noprompt -trustcacerts -file /egress-tls/issuing_ca -keystore /keystores/truststore.p12 -storepass "${SSL_KEYSTORE_PASSWORD}"
          volumeMounts:
            - mountPath: /egress-tls
              name: egress-tls
              readOnly: true
            - mountPath: /keystores
              name: keystores

With these volumes (egress-tls is the name of the secret created by my VaultPKISecret manifest):

      volumes:
        - name: egress-tls
          secret:
            defaultMode: 416
            optional: false
            secretName: egress-tls
        - name: keystores
          emptyDir:
            medium: Memory

This is the manifest for the VaultPKISecret:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: egress-tls
spec:
  mount: pki
  role: kubernetes
  commonName: appname
  format: pem
  privateKeyFormat: pkcs8
  destination:
    create: true
    type: "kubernetes.io/tls"
    name: egress-tls

With this configuration, your PKCS12 keystore and truststore are available in the keystores volume.
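
An added example, not from this issue thread or the VSO project: a POSIX shell script that performs the same keystore/truststore conversion as the initContainer above using only openssl (so it also works in images that lack keytool), plus a check that each bundle contains what it should (the truststore must carry no private key). It assumes the kubernetes.io/tls secret layout written by VaultPKISecret (tls.key, tls.crt, issuing_ca) and reads the password from SSL_KEYSTORE_PASSWORD; the sample CA and leaf certificate are constructed by the script itself.

```shell
#!/bin/sh
# Added example (not from the issue). Converts a VaultPKISecret-style TLS
# secret directory into keystore.p12 and truststore.p12 with openssl only.
set -eu

# Constructed sample input: a throwaway CA and leaf cert written to $1,
# standing in for the files VaultPKISecret puts in the egress-tls secret.
make_sample_tls_dir() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample-ca" -days 1 \
    -keyout "$dir/ca.key" -out "$dir/issuing_ca" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=appname" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/issuing_ca" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/tls.crt" >/dev/null 2>&1
}

# Build <out_dir>/keystore.p12 (key + leaf + issuing CA) and
# <out_dir>/truststore.p12 (issuing CA only) from <tls_dir>.
# The password comes from SSL_KEYSTORE_PASSWORD, as in the initContainer.
build_keystores() {
  tls_dir="$1"; out_dir="$2"; mkdir -p "$out_dir"
  openssl pkcs12 -export -name user \
    -inkey "$tls_dir/tls.key" -in "$tls_dir/tls.crt" -certfile "$tls_dir/issuing_ca" \
    -passout env:SSL_KEYSTORE_PASSWORD -out "$out_dir/keystore.p12"
  # -nokeys: the trust store ships certificates only, never the private key.
  openssl pkcs12 -export -nokeys -in "$tls_dir/issuing_ca" \
    -passout env:SSL_KEYSTORE_PASSWORD -out "$out_dir/truststore.p12"
}

# Sanity check for a bundle: prints "<private keys>:<certificates>".
p12_summary() {
  dump=$(openssl pkcs12 -in "$1" -nodes -passin env:SSL_KEYSTORE_PASSWORD 2>/dev/null)
  keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN PRIVATE KEY' || true)
  certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  printf '%s:%s\n' "$keys" "$certs"
}

# Stand-alone demo: ./keystores.sh --demo  (expects SSL_KEYSTORE_PASSWORD set)
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_sample_tls_dir "$work/egress-tls"
  build_keystores "$work/egress-tls" "$work/keystores"
  echo "keystore   $(p12_summary "$work/keystores/keystore.p12")"    # 1:2
  echo "truststore $(p12_summary "$work/keystores/truststore.p12")"  # 0:1
  rm -rf "$work"
fi
```

Note that a PKCS12 file written by OpenSSL 3 uses AES-256-CBC with PBKDF2 by default, which very old Java runtimes cannot read; add `-legacy` (OpenSSL 3) if the consuming JVM rejects the bundle.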

negwu01 commented 7 months ago

Thanks indeed. I was also thinking along the lines of adding an OpenJDK in a Dockerfile... then convert the .pem file etc. Will surely look at this option you sent me. New to Kubernetes from Docker Compose. But I will look at it.