tuenti / secrets-manager

A daemon to sync Vault secrets to Kubernetes secrets
Apache License 2.0

Support for PKI secrets engine #63

Closed rvojcik closed 3 years ago

rvojcik commented 4 years ago

Hi,

thank you all for your great project. We are using it on a number of clusters in our infrastructure. Thanks again for adding support for AppRole auth, it's great!

I'm facing a little challenge now. We are using Vault as a CA for a number of applications which need client certificates, so we have a number of intermediate CAs in Vault and generate signed certificates very easily.

It would be great if secrets-manager had support for the PKI secrets engine. I already have a workaround, so this is just a feature request which could simplify my setup and maybe help someone.

For PKI it's not just a secret but always a certificate. Secrets manager should have different behaviour for this.

From a configuration point of view, the user should provide the following information (in the resource object):

markAcomm commented 4 years ago

May I suggest you look at cert-manager which is referenced on this project's home page? It sounds like it is designed to do what you are looking for.

This tool is great for what it was designed for and we use it quite a lot, but the suggested features are a bit far afield from its primary purpose. Yes, I understand the rationale that it may be a general-purpose Vault-K8s secrets bridge, but certificates have a whole new set of requirements to consider.

rvojcik commented 3 years ago

@markAcomm thanks, that's great. I didn't know that cert-manager supports Vault already.