updates

hashicorp/readme.md

@@ -2,4 +2,56 @@
 
 # Vault
 
-For the exact files I used during my video guide, refer to commit:
+For this tutorial, I use Kuberentes 1.17
+It's critical because we'll need certain [admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) enabled.
+
+To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
+
+```
+kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
+```
+
+## TLS End to End Encryption
+
+See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
+You'll need to generate TLS certs (or bring your own)
+Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
+Remember not to check-in your TLS to GIT :)
+
+## Deployment
+
+```
+kubectl create ns vault-example
+kubectl -n vault-example apply -f .\hashicorp\vault\server\
+```
+
+## Storage
+
+```
+kubectl -n vault-example get pvc
+```
+ensure vault-claim is bound, if not, `kubectl -n vault-example describe pvc vault-claim`
+ensure correct storage class is used for your cluster.
+if you need to change the storage class, deleve the pvc , edit YAML and re-apply
+
+## Initialising Vault
+
+```
+kubectl -n vault-example exec -it vault-example-0 vault operator init
+kubectl -n vault-example exec -it vault-example-0 vault operator unseal
+```
+
+## Depploy the Injector
+
+Injector allows pods to automatically get secrets from the vault.
+
+```
+kubectl -n vault-example apply -f .\hashicorp\vault\injector\
+```
+
+
+
+
+
+
+

hashicorp/vault/example-app/deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+  labels:
+    app: vault-agent-demo
+spec:
+  selector:
+    matchLabels:
+      app: vault-agent-demo
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: vault-agent-demo
+    spec:
+      serviceAccountName: app
+      containers:
+      - name: app
+        image: jweissig/app:0.0.1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: app
+  labels:
+    app: vault-agent-demo

hashicorp/vault/example-app/patch.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+  labels:
+    app: vault-agent-demo
+spec:
+  selector:
+    matchLabels:
+      app: vault-agent-demo
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/tls-skip-verify: "true"
+        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/helloworld"
+        vault.hashicorp.com/agent-inject-template-helloworld: |
+          {{- with secret "secret/helloworld" -}}
+          {
+            "username" : "{{ .Data.username }}",
+            "password" : "{{ .Data.password }}"
+          }
+          {{- end }}
+        vault.hashicorp.com/role: "myapp"
+      labels:
+        app: vault-agent-demo
+    spec:
+      serviceAccountName: app
+      containers:
+      - name: app
+        image: jweissig/app:0.0.1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: app
+  labels:
+    app: vault-agent-demo

hashicorp/vault/injector/injector-deployment.yaml

@@ -32,7 +32,7 @@ spec:
             - name: AGENT_INJECT_LOG_LEVEL
               value: "info"
             - name: AGENT_INJECT_VAULT_ADDR
-              value: https://vault-example:8200
+              value: https://vault-example.vault-example.svc:8200
             - name: AGENT_INJECT_VAULT_IMAGE
               value: "vault:1.3.1"
             - name: AGENT_INJECT_TLS_AUTO

hashicorp/vault/injector/injector-mutating-webhook.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1
+apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
   name: vault-example-agent-injector-cfg
@@ -18,11 +18,3 @@ webhooks:
         apiVersions: ["v1"]
         resources: ["pods"]
     namespaceSelector:
-      matchExpressions:
-        - key: name
-          operator: In
-          values: 
-          - example-app
-    sideEffects: None
-    admissionReviewVersions:
-    - "v1"

hashicorp/vault/injector/kind.yaml

@@ -1,4 +0,0 @@
-
-# #https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
-
-#kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62 --config kind.yaml

hashicorp/vault/policies/app-policy.md

@@ -0,0 +1,15 @@
+# Create an App policy
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+
+cat <<EOF > /home/vault/app-policy.hcl
+path "secret*" {
+  capabilities = ["read"]
+}
+EOF
+
+vault login
+vault policy write app /home/vault/app-policy.hcl
+
+```

hashicorp/vault/policies/example-secret.md

@@ -0,0 +1,11 @@
+# Create example secret
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+
+vault login
+
+vault secrets enable -path=secret/ kv
+vault kv put secret/helloworld username=foobaruser password=foobarbazpass
+
+```

hashicorp/vault/policies/vault-enable-auth-k8s.md

@@ -0,0 +1,20 @@
+# Enable Kubernetes Vault Auth
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+
+vault login
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+vault write auth/kubernetes/role/myapp \
+   bound_service_account_names=app \
+   bound_service_account_namespaces=vault-example \
+   policies=app \
+   ttl=1h
+
+```

hashicorp/vault/server/server-tls-secret.yaml

@@ -4,6 +4,6 @@ metadata:
   name: vault-example-tls-secret
 type: Opaque
 data:
-  vault-example.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lVUDFOZWNYQ3RMM3cvQVJsREdkWmJvV292Vm5jd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNakkyCk1EUXlNREF3V2hjTk1qRXdNakkxTURReU1EQXdXakJ1TVFzd0NRWURWUVFHRXdKVlV6RVBNQTBHQTFVRUNCTUcKVDNKbFoyOXVNUkV3RHdZRFZRUUhFd2hRYjNKMGJHRnVaREVUTUJFR0ExVUVDaE1LUzNWaVpYSnVaWFJsY3pFTwpNQXdHQTFVRUN4TUZWbUYxYkhReEZqQVVCZ05WQkFNVERYWmhkV3gwTFdWNFlXMXdiR1V3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURGbHdwekxwWkJScmpZNFJ6NExpci91bWlsUEFNbXVDVWEKVFY2TjQ1R2lSWVlMbk5hNmhkVW1vRmk3M3NzRFpiT1Q4eHE3eTJUZVI3eVZUV0FORUhodEViSFhNYXgrcnhoSApZYWQ3N2NpWGl1L1U3YXlUYk44QWVFTCtLc0UzU3F2OXpOK0E5QURXUjZlc01TSC9iRDY1dE1YRHBOU3F3dC9YClM4UkwrYldzbHEzY0hmT3VpeVg4NFRwUitONmNwUWNHNVZhNzd3Njltb2x2S21nM0xuZVRKM3EzUy9SeVJ4VjkKVXRWc21NTENwN3c1cVdOUStFcFdRb0xPQmFZTUpMbUZDWFM2YTRubTVld3dmaVFsOS9hd0NUVVVwWVR5UU1oOApnZU43NnEveExaTW51ZWE0Q3hkMEF2QTliK01KY24zZkc2TXN1N3MwbE9yTmVva2dSZ0VqQWdNQkFBR2pnZG93CmdkY3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0QKQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlNwaHV5VW5Ic0VYT0RkcXphNEhkU2kxZVlBZERBZgpCZ05WSFNNRUdEQVdnQlNwaWFWY1FvUEoybnpuRlgyZzZMMHhmWmR4empCWUJnTlZIUkVFVVRCUGdnMTJZWFZzCmRDMWxlR0Z0Y0d4bGdpMTJZWFZzZEMxbGVHRnRjR3hsTG5aaGRXeDBMV1Y0WVcxd2JHVXVjM1pqTG1Oc2RYTjAKWlhJdWJHOWpZV3lDQ1d4dlkyRnNhRzl6ZEljRWZ3QUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBa0VuTAozUnA0b1FNZGN3K0t3QnVONWo3MXBHTjZySXVwZGlTdlkraThJRzhqcVRiR1JqdEQyeFBuWUlja1pRakhTN2VvCnIrYWx5eC82S21oYm0wNzBROFdpdUgxZ2NuNVhqa1FJVW1qdDZLZ0F1QjBsdkdxUFlvZmV6TXVFdkoxTXEzUG0KMTcxa29oYktUME1sRFpzYXBGaHhtdnFIMDY0VHNjdTVrSVVVVGFINW1ZZkZhS0dNR0cvUGJLMWpCQkNwdTl5OApMZUVVeEMvbTFKbjh1M1hVZmRVMm0zaHZ1NnNmMVdrc0c2Sy9NQjI1ckxxZW1ZTjk3OWJQcGt5cnlBRkc4Um1WCkZ1VGl6cVc4UFA5aXNhNDdDUlpQelQ2YldDSndsc1MwT1JaWDcyRGRjODc0YzdXVDF1anFURWh0VWk4NEVlK0sKeElva25Gd1Z5Zno0YWwyWFlBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  vault-example.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVUVENDQXpXZ0F3SUJBZ0lVRU1JUSs4cFc3MDJjdzJUdFlYN2VmM2ZsUnYwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF4Ck1ETXlOakF3V2hjTk1qRXdNekF4TURNeU5qQXdXakJ4TVFzd0NRWURWUVFHRXdKQlZURVJNQThHQTFVRUNCTUkKVm1samRHOXlhV0V4RWpBUUJnTlZCQWNUQ1UxbGJHSnZkWEp1WlRFVE1CRUdBMVVFQ2hNS1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDeE1GVm1GMWJIUXhGakFVQmdOVkJBTVREWFpoZFd4MExXVjRZVzF3YkdVd2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEQ0VNaERwQ3RjZG9uVS9GT1BGdjIxb0xiejVMSU4KS1ppanNZM1EvWHVWZG8vY1pFSW9uazd5SFZJdTA1NU9xWTJDQnJiM2dwVHpDWVoxZFozb3lsRVdtV1hFakR5UQoyZEFPTFM2SEdoTUZLZ3FvYWlKV3pPb1JPeVhYakVXanBzTGQxWVdnVFRlY0FxMDN0R3lBVjY1WVg5dUpFY3hxCnpSMEFBVDdPZWh4aFNzSUMzeFFyczRNbURSbjdnSVNwTHErcU5RZmc3VEtMOEtleUNBNWFkMVZOWnJ3cktZZ1AKZlNwRUt6ZGhVSGZMaFlEa3M4L0NZUTFLZEJjMnc3THVSMnJDTm9ISmF5ajcwUnVpeUNubGErWU5MeHd4REhGNgpxbEFEUXh6SmZFNWtRRmljVS9HblpLV2dyNVoyNWhpYUdkZjQ2SDk1RE9lMzVzUi8rL21IcFlKbEFnTUJBQUdqCmdmc3dnZmd3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJROGk3VnFrWXRxclVYckp5c3dKL3NSc2dTYwpMREFmQmdOVkhTTUVHREFXZ0JRMVhlQVFUcG9xS25CbjNPQk5VQ1NVc0tYNk56QjVCZ05WSFJFRWNqQndnZzEyCllYVnNkQzFsZUdGdGNHeGxnaTEyWVhWc2RDMWxlR0Z0Y0d4bExuWmhkV3gwTFdWNFlXMXdiR1V1YzNaakxtTnMKZFhOMFpYSXViRzlqWVd5Q0gzWmhkV3gwTFdWNFlXMXdiR1V1ZG1GMWJIUXRaWGhoYlhCc1pTNXpkbU9DQ1d4dgpZMkZzYUc5emRJY0Vmd0FBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUNLUlJHYmw5OUxuYnFBbHlRRzd5CjNFcE1COXdmRUdtOG1hMzZwc05nODhPY1Q1K2hpWnRJR3hQT0w1dEJVRURWYWFjREtpaUg0WG1hdGN2THhHVmgKSW5NYXNIbHB2RlBoUTRONDdqdjBRMk1tL2x4ZzBuOGZTNjYwMU5LNkEycmxBNXl6blZBNGlxeVV5dzZ1K2NmVwpOL3gwWUtINTRLTlA5WEZhQy9aQStoWWNFSG5ZRGZHa01vYXZHVnE1ZnB5T2Zqd2dLT1llVDhTZkJ0VG9zRUNqCkFjR3FmVHp1VGlpSkozaFlNMVViMGVUdzVSU21Gc0tGNm5icG5RYnYzQm1iNjR1WStVbzZaYUM2RXh0SmsxcWYKcjVpbmxjTDA0Sk1UYVhVQ3lMSW5mdjZMZXVXTllldmpmN1dyblJiZ2xuUGJYVDEvazREVDJlWkRiaWFTVHNHcApGUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-  vault-example-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeFpjS2N5NldRVWE0Mk9FYytDNHEvN3BvcFR3REpyZ2xHazFlamVPUm9rV0dDNXpXCnVvWFZKcUJZdTk3TEEyV3prL01hdTh0azNrZThsVTFnRFJCNGJSR3gxekdzZnE4WVIyR25lKzNJbDRydjFPMnMKazJ6ZkFIaEMvaXJCTjBxci9jemZnUFFBMWtlbnJERWgvMncrdWJURnc2VFVxc0xmMTB2RVMvbTFySmF0M0Izegpyb3NsL09FNlVmamVuS1VIQnVWV3UrOE92WnFKYnlwb055NTNreWQ2dDB2MGNrY1ZmVkxWYkpqQ3dxZThPYWxqClVQaEtWa0tDemdXbURDUzVoUWwwdW11SjV1WHNNSDRrSmZmMnNBazFGS1dFOGtESWZJSGplK3F2OFMyVEo3bm0KdUFzWGRBTHdQVy9qQ1hKOTN4dWpMTHU3TkpUcXpYcUpJRVlCSXdJREFRQUJBb0lCQUYxNW92dnlvaXFuWm5OVApxL3pNK3BLWWdVRUtMd04yUWpjN091d3RLSXg0RDM0VzZJNjlHYVY0WGdJaTJDLzNRUWxSRE9paXhFbFQ3cWREClA1bHVuVW9jQU9JcEljMmMwQU9VODBMeHJ0L2lYcXVBOVErWmhiWVhMcnBIUjdqOG5ua25IdVZHaWM3VmYwRTYKelRhazR0ZS82WDh3ejFzcGJmUFFhRUQ1RlRWY0RUaUp5QlRDTHpTWXE1alZKTjdRejlQdzRXR1B5WERTNzF6YwpKNHFndDVSTkxGc2tiMnQ2dzJDQjFlOEhSUHhMU0ZycU1SL3hrbWJQM2NnSXl3MEpLVUlFTUR1WWhZY0RhZCtTCkV4TDg2UUVKSUw5VU5FZnY3K1VDMzFURGdzd3loUmZ1N1hIb1BtS0tFSTNXcHZ5aGtINXRJOUEzV0ZwUWZTcmIKTmt4S3YrRUNnWUVBeVpVdGxuT3VlZFVXU1RaMGVaaEJIekI0WWhOOVlhck55TWNvenJNb3dITFdJZWVQdHo4NQpuKzJvRjN1bEh0QmFqKzI1MzU0ZFJrU0hLQkhsRTRmMFlYVGVWTTdqZDFONzVLZWpzQzdNN2JnVHFoMFlJOFdKCmlWaVBONHpKTGNGZEtFcVd4bDRuMEV0TEZzL0lDdWliblBTUm9QUmV5c29nWkpPSWFwVzFpUDhDZ1lFQSt1M3YKekM3YXFIZGtLRGdEb3kwWmtoK3RCT001WjVQV1M4NE8rUUo4QU42TmhMeHd2N29Oa1ZnQk9OMUIwVXdySGFXbQowY3JQeEZybk5mRkg4d0pTTGNMV2hYdWdYelJpaGxaakVXYTBLdGJZOVhxQUd3V2tVcTltL2s4V04zSmpQODdlCmN5VTZMQllOdXNkM0h3TWtoS0xTWXpaU2YyRmRrdnNHT1V4TVE5MENnWUVBcU5QdjRsbndmc2tnYVNEYVhCeFEKTGpjQ0crSUcySTJjMjlNeE1peUtyT09BdzlTVVlQenEzaTdFNFNZRkhOR1RoNGVxYk1hWDdnbm15SUIwUXU5UwpsV3l6NklOOXJxcVUwT1EyQzVDbXdWR3g1bitIZ0M0cENvYkpLOVVWaU9TeGlOVXZnZVBKcElIcTJhZ2Ira2JtClRZWG5rYzRZdGU2alFwanRYNWNTK3pFQ2dZQStWa2ZoU0s2SGRZbUxPRWNuRFhneHhlNjhyUnBBc2dobHNwNGoKbkV0a0IrWE9XT1lGcTFuZGhxaGZFUkJkeDNkYW1TRjFNdFlrcUpTUjRRd0h3Y2JhbVhHam5ZKzh0dzNXNDdVZQp5STN2cW9vaGlib3pmRlpUT0VIMDRYN2FiVzljbGE3TG1pNzJidEFnVzVjclBDT2hVN1hDY2VkU3Y4UjRWQ1k2CnE4cXlmUUtCZ1FDbkt5TEpjZXhZMnpPL0lBZUtmclNLaVNoNHJsaEFhNFJHRHQwUlJGQ3Rhck80dzRNalcvNkEKMHNscUoyazRZT3gzaU1DT3J1RklGcVR5RzFoUDEzSFlhT0N0S3lLYjh5YXZWeklYUzVEZXE4cVpiZlJsUWJPdQoyeUNKS010SVVhT0E5OGd3a3pLSVlsNkNZWXRNQy9HeVg1c0QxWDMyeURmZVo0SUVkVWx4Qnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  vault-example-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd2hESVE2UXJYSGFKMVB4VGp4Yjl0YUMyOCtTeURTbVlvN0dOMFAxN2xYYVAzR1JDCktKNU84aDFTTHRPZVRxbU5nZ2EyOTRLVTh3bUdkWFdkNk1wUkZwbGx4SXc4a05uUURpMHVoeG9UQlNvS3FHb2kKVnN6cUVUc2wxNHhGbzZiQzNkV0ZvRTAzbkFLdE43UnNnRmV1V0YvYmlSSE1hczBkQUFFK3pub2NZVXJDQXQ4VQpLN09ESmcwWis0Q0VxUzZ2cWpVSDRPMHlpL0Nuc2dnT1duZFZUV2E4S3ltSUQzMHFSQ3MzWVZCM3k0V0E1TFBQCndtRU5TblFYTnNPeTdrZHF3amFCeVdzbys5RWJvc2dwNVd2bURTOGNNUXh4ZXFwUUEwTWN5WHhPWkVCWW5GUHgKcDJTbG9LK1dkdVlZbWhuWCtPaC9lUXpudCtiRWYvdjVoNldDWlFJREFRQUJBb0lCQUh1UGNlTFhZU0JTL1BrVgoyeUhzOG9hMUdDZDdnZjR0Y05rd2tHbnpLcitFS0o2Yld5QS9nMlpXVXVBcnJzekkyYWRqSFJYRUY1QVNqWUMxCjdWK3RpU21KYTZsVDNMQWhibjNJT0txZWFHUE9XOURWR3A0SGhEU0tZMUsxSmhYSGRLVUhjVGdhVWdETUYzdXoKTGE0ZHBZenhJM2RIVk03Zlg4cUVBSGc0ZVY5YnZQdTN4M0NQNm9yV1l0bzZzbUhEcjN2ZkZPM0RMQnIwVHRzRwpVVS9mbjcrU1U3Y2FmQTRJemc0TTlKdXl2aHZzZm91SENCajVXczJvWWxOY2FoV2pxY0tGZnA0WUoya0hkK2dlClR4VlVIejBKTDIrY0pQdThLQ0IxdllKanlwRnhvRlRUZC81cXptK3ZsK2pRNUprY2Nxd3luaXJXYVVKRm5XU3kKank3dnlyVUNnWUVBMmkxRzhHM050YkJHZHFNeVJjQmdGUHZrNXVqTUlGT1hJNHNIVkZ1TEluYzF1MGZZNkR3dQpObEJzNmFCU0ZYOSsybk1seVFDMzlzelVyWlRQakRmRkZvcGczR2FpQ0hvY09yYUVFUWhPSDBWaVpUNGJjMWE0ClNuV3F6aWRhdmkzN3FMZjB2aXladCtsYmg2NllPUWxBSHFPSW4wUlhoUzk1TjBsTzlXYkhCUjhDZ1lFQTQ3VngKRFVSS2xWL1V3REJBa3F6cVpxSWdESklwdGRGL2Yvam9uUXlVYnBLM2llYWUyN3pmaHNLZEFTRGZBcHA5aTd5KwpST1NWdnNWUGRidU9vWGJKQWxzcVJlSVBYdmVYODdGWlluNVZhWkdVdjBteHlwQXZ0NTcrdFdWT1E1aGZydGNYCk1DMyttWFFUTkxhZUxGMThySW11UktENlBxNW1JVk5kS3hibjQvc0NnWUVBeFpFT2xoVzRtL2grTmx4ZDM4L3UKc2RIUVhGRWUxMzhhYy9NbnRmb1hxaVF0SWVSVHhTa0o1K0U0WHU3d3Bjc0lRaVRYYUljZ0QzczRjOTgzZW8vZQpCeVZUeFFHalpPMit0bVFrZjQvM3ZsV0VYbzI1S2Q2emo2bXgvSENpdVdqR1pPZi8xbDVvN0tPQ1lRRjNrdDZQCms2OGV2cXFTWG1hNDY1bVV5S0JEUkowQ2dZRUF3Y2llcmppbzlGZzZ1VmdYQy93bCt6UUw3RWJUUWsxSW9VTFYKeXhseWxHczkwUmkzcHE4azF3MTJDZ2pNWU8zUzNBSEROdVFGWC9XUXV0UGovUnNXMDI5OEdUN1o3K3Jyb05NVQpDNU1SNHlhbW5PZjlhektydVN1US9oUjV0MkxNUXdIL1ZOdy9xSjQwM2c1dnE3ZmZxd0g4a2FFaGRnaDdGKzlYCkFaMmJ1Tk1DZ1lBZWJEaTMrQ3VmQzFOOGlwWUdVS1hSOFRSaFJPdDlmTzdGYjJRM25NdE1UZUx2YzJxNXlaY3oKdThIVUZCbk56Mmx6WDV3N2VwOUtSNzhvRFhRaVZGTnBYY1JwYm9ONS9YZHNFbUlXemNlN0V4ZFI4TGE4TS9YcQpKazkwdis0T2ovd013enlBZm9ZT0NHZ3Y0ZWdCNmZ0MXRwMVBjUG1QcTZCcnF3am1wNERYYmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
-  ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtRENDQW9DZ0F3SUJBZ0lVUnY5bXF2Q3U3akI5ejByN0JoR2JRWWlWZndJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNakkyCk1EUXhPREF3V2hjTk1qVXdNakkwTURReE9EQXdXakJTTVFzd0NRWURWUVFHRXdKQlZURVFNQTRHQTFVRUNCTUgKUlhoaGJYQnNaVEVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVJBd0RnWURWUVFLRXdkRmVHRnRjR3hsTVFzdwpDUVlEVlFRTEV3SkRRVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNdXhDM2RMCmlPcE4zYVI1bE9XQmFkV1lONXFkdndzUmU5ekFTNmhQbkJIVUVnUXcveG82MkV2bDRvY2pnYkRPSXMra1YrVGkKYWZkeGhublRJSUdNMDJUaFp1cUpRSFhjN2hsWDRLcjdsaG4yVzdadTM1eWRSZW9jRGZnb1Z6cTM3aytydXd0OAptVFIyTFNQcUhJZmU2Lzd4czRud242MGs3b20xdlNRTzN4TGVOZm9xSWJENk01ZGNkdXNTT01NSjZLU2gxNmF1CjJHZkNrdUgzdEZuMWtBdE1RWDZPc3VJbnpuNTFzdjRRbW52WnowTUZoanVUSHpTR2pZYnB3KzFGcksveGNnRmcKU1M1eGtkYU55SjNpaG4rWjBYWkxYUHMvZEdiSWNKMnVibDk4OCthUWp6Z2JvZ09rMFRBQnlyWnZPYnBMWWNjWQpuR1AxaW1Bdm5uTlRmK2tDQXdFQUFhTm1NR1F3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFJd0hRWURWUjBPQkJZRUZLbUpwVnhDZzhuYWZPY1ZmYURvdlRGOWwzSE9NQjhHQTFVZEl3UVkKTUJhQUZLbUpwVnhDZzhuYWZPY1ZmYURvdlRGOWwzSE9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNRU2hCNgpNV0hXTTNTSmNNNkFEWGFRK3Y0SkltUWJ0Ym4xRUlpMkFKVUNIa0tORlhSaHNiYml5OFVhVldmUnZCRnFyMGFzCnA3TlpNUnB5cytRaUYzWTZDSzVFVmZSMUc2YUF6Q25QN1FkTWZzOWFraU9ydlZFaURGYlp0TDhHL3dyV0hTTGwKRWhrajZUR3JsR2FwM2tyZDFGQ1VKTE9BREpNS2VXK3FqYVdjbFRwM01hZ1Q1NStBcEkxeStqdEE4bmdRMGlzcgpBMWNVSVlGbUR6clZudmFxSkVMdlJIak1nTkR3R1lGQUh1dFdrclUybW1wNUMxN29LU1o2dnZ2M05GL3RDTFZYClFjZEt3TUtKbkc3bkYwTmdzTUdDckVXdG1FRHhNb3dJYzdTZXRieWN1aklqdHVVZTNyZktxNkdUUE5aVk1za2sKZ29rVnQvQVFmSWhJL05UMQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtRENDQW9DZ0F3SUJBZ0lVZnFKeTY5QXlnY1l5MGgvbC9XdTRkeVU4MlRFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF4Ck1ETXlOVEF3V2hjTk1qVXdNakk0TURNeU5UQXdXakJTTVFzd0NRWURWUVFHRXdKQlZURVFNQTRHQTFVRUNCTUgKUlhoaGJYQnNaVEVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVJBd0RnWURWUVFLRXdkRmVHRnRjR3hsTVFzdwpDUVlEVlFRTEV3SkRRVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNelVkWGlOCjRiN3dDK3JrRlFkTFlsclpleWttNkQrYk16T3B2N0JnZUkrdnIrVy9GZE9HR1ZkMnQwbWpDMVhvcWgrSCtERU0Kc3Z0bFpLOW9DT080RnlleUZuSXhqcktDNXp0REJJSlNJYzhYR2NjUTVFY1VXdDRiMnVOVXVKM1dMVFlYcFpFeApqVnd3YzY4aHJ6cC82TDVuMUJxVERxaWxCYk5JUi91OUdmeU40bWpXQlRUbzArTFhkakpkZ3BvOWxmWC83aEFhCnRxT0FIcFJqRWhJM0RreEZyREdSVlJsQ1ZBZlo2MWt5bFRWLzJNMW5CalJWU2RTbDlJK0lWeU4xbXpMM3AzTGwKQ3lwYWxpbGtTWS9LaTNsSFRpNnZGeEJ6c042c3N5SktmeDdpMVJmNDk2MjlKQWZNNXFad0x4enp5OFFNeEw0ZQpMN1VyYmdNMWgwRUhCa0VDQXdFQUFhTm1NR1F3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFJd0hRWURWUjBPQkJZRUZEVmQ0QkJPbWlvcWNHZmM0RTFRSkpTd3BmbzNNQjhHQTFVZEl3UVkKTUJhQUZEVmQ0QkJPbWlvcWNHZmM0RTFRSkpTd3BmbzNNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFnMkZBWApnTUF4UXlndzVrcGkrSFpNWDg5K0QxQ1ptVHhGUXBhUk5vSzdOR1NTVGZLS1Z0Vjdaa1IxVVhJWVJhZTF0R2o2Cm1YeHRpOS9xd281ZlpBckNEaloyVVVNV29EVHFTNHY3ZGVaVmxiRmlVWnl2VXRPb0hjTEhhWitLdmlkVG0yL3UKMDJ0TjhscGtEMDFzeXU5akIyK2wrT01CMUtlRGpXNS8wcDk0ay8xMUd5U2dJRDF1RVVyaFUrai9CMFp1L09GegpXNE00akcrRWlsK1puMHpzcm1wVStmQk1RK20wQzFXZ05mU3NKU0FCYlZxSEVMQ05USUYzVG91V3lNdEE1YUZxCnJ1SFQwNUxxUzl6QVVKNTZ0Q2dqbGdHMDUrUG9FQjFSZUtvV1JURnBNQ0JSL0RxWjk4SnprRDNLYTJyVkMwOXgKUCs1TTNobzl0Q3J4SW42bQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

hashicorp/vault/tls/ssl_generate_self_signed.txt

@@ -15,7 +15,7 @@ cfssl gencert \
   -ca=ca.pem \
   -ca-key=ca-key.pem \
   -config=ca-config.json \
-  -hostname="vault-example,vault-example.vault-example.svc.cluster.local,localhost,127.0.0.1" \
+  -hostname="vault-example,vault-example.vault-example.svc.cluster.local,vault-example.vault-example.svc,localhost,127.0.0.1" \
   -profile=default \
   vault-csr.json | cfssljson -bare vault-example