example TLS enable

hashicorp/vault/server/server-config-configmap.yaml

@@ -9,8 +9,10 @@ data:
     disable_mlock = true
     ui = true
     listener "tcp" {
-      tls_disable = 1
+      address = "0.0.0.0:8200"
-      address = "[::]:8200"
+      tls_cert_file = "/vault/ssl/vault-example.pem"
+      tls_key_file = "/vault/ssl/vault-example-key.pem"
+      tls_min_version = "tls12"
       cluster_address = "[::]:8201"
     }
     storage "file" {

hashicorp/vault/server/server-statefulset.yaml

@@ -40,6 +40,9 @@ spec:
         - name: data
           persistentVolumeClaim:
             claimName: vault-claim
+        - name: tls-secret
+          secret:
+            secretName: vault-example-tls-secret
       initContainers:
         - name: setupperms
           image: alpine:latest
@@ -75,14 +78,18 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
             - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
+              value: "https://127.0.0.1:8200"
             - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
+              value: "https://$(POD_IP):8200"
             - name: SKIP_CHOWN
               value: "true"
             - name: SKIP_SETCAP
               value: "true"
+            - name: VAULT_CACERT
+              value: "/vault/ssl/ca.pem"
           volumeMounts:
+          - name: tls-secret
+            mountPath: /vault/ssl
           - name: config
             mountPath: /vault/config
           - name: data
@@ -95,23 +102,15 @@ spec:
             - containerPort: 8202
               name: replication
           readinessProbe:
-            # Check status; unsealed vault servers return 0
+            httpGet:
-            # The exit code reflects the seal status:
+              path: "/v1/sys/health?standbyok=true"
-            #   0 - unsealed
+              port: 8200
-            #   1 - error
+              scheme: HTTPS
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 3
-            successThreshold: 1
-            timeoutSeconds: 5
           livenessProbe:
             httpGet:
               path: "/v1/sys/health?standbyok=true"
               port: 8200
-              scheme: HTTP
+              scheme: HTTPS
             initialDelaySeconds: 60
             periodSeconds: 3
             successThreshold: 1

hashicorp/vault/server/server-tls-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-example-tls-secret
+type: Opaque
+data:
+  vault-example.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lVUDFOZWNYQ3RMM3cvQVJsREdkWmJvV292Vm5jd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNakkyCk1EUXlNREF3V2hjTk1qRXdNakkxTURReU1EQXdXakJ1TVFzd0NRWURWUVFHRXdKVlV6RVBNQTBHQTFVRUNCTUcKVDNKbFoyOXVNUkV3RHdZRFZRUUhFd2hRYjNKMGJHRnVaREVUTUJFR0ExVUVDaE1LUzNWaVpYSnVaWFJsY3pFTwpNQXdHQTFVRUN4TUZWbUYxYkhReEZqQVVCZ05WQkFNVERYWmhkV3gwTFdWNFlXMXdiR1V3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURGbHdwekxwWkJScmpZNFJ6NExpci91bWlsUEFNbXVDVWEKVFY2TjQ1R2lSWVlMbk5hNmhkVW1vRmk3M3NzRFpiT1Q4eHE3eTJUZVI3eVZUV0FORUhodEViSFhNYXgrcnhoSApZYWQ3N2NpWGl1L1U3YXlUYk44QWVFTCtLc0UzU3F2OXpOK0E5QURXUjZlc01TSC9iRDY1dE1YRHBOU3F3dC9YClM4UkwrYldzbHEzY0hmT3VpeVg4NFRwUitONmNwUWNHNVZhNzd3Njltb2x2S21nM0xuZVRKM3EzUy9SeVJ4VjkKVXRWc21NTENwN3c1cVdOUStFcFdRb0xPQmFZTUpMbUZDWFM2YTRubTVld3dmaVFsOS9hd0NUVVVwWVR5UU1oOApnZU43NnEveExaTW51ZWE0Q3hkMEF2QTliK01KY24zZkc2TXN1N3MwbE9yTmVva2dSZ0VqQWdNQkFBR2pnZG93CmdkY3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0QKQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlNwaHV5VW5Ic0VYT0RkcXphNEhkU2kxZVlBZERBZgpCZ05WSFNNRUdEQVdnQlNwaWFWY1FvUEoybnpuRlgyZzZMMHhmWmR4empCWUJnTlZIUkVFVVRCUGdnMTJZWFZzCmRDMWxlR0Z0Y0d4bGdpMTJZWFZzZEMxbGVHRnRjR3hsTG5aaGRXeDBMV1Y0WVcxd2JHVXVjM1pqTG1Oc2RYTjAKWlhJdWJHOWpZV3lDQ1d4dlkyRnNhRzl6ZEljRWZ3QUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBa0VuTAozUnA0b1FNZGN3K0t3QnVONWo3MXBHTjZySXVwZGlTdlkraThJRzhqcVRiR1JqdEQyeFBuWUlja1pRakhTN2VvCnIrYWx5eC82S21oYm0wNzBROFdpdUgxZ2NuNVhqa1FJVW1qdDZLZ0F1QjBsdkdxUFlvZmV6TXVFdkoxTXEzUG0KMTcxa29oYktUME1sRFpzYXBGaHhtdnFIMDY0VHNjdTVrSVVVVGFINW1ZZkZhS0dNR0cvUGJLMWpCQkNwdTl5OApMZUVVeEMvbTFKbjh1M1hVZmRVMm0zaHZ1NnNmMVdrc0c2Sy9NQjI1ckxxZW1ZTjk3OWJQcGt5cnlBRkc4Um1WCkZ1VGl6cVc4UFA5aXNhNDdDUlpQelQ2YldDSndsc1MwT1JaWDcyRGRjODc0YzdXVDF1anFURWh0VWk4NEVlK0sKeElva25Gd1Z5Zno0YWwyWFlBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  vault-example-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeFpjS2N5NldRVWE0Mk9FYytDNHEvN3BvcFR3REpyZ2xHazFlamVPUm9rV0dDNXpXCnVvWFZKcUJZdTk3TEEyV3prL01hdTh0azNrZThsVTFnRFJCNGJSR3gxekdzZnE4WVIyR25lKzNJbDRydjFPMnMKazJ6ZkFIaEMvaXJCTjBxci9jemZnUFFBMWtlbnJERWgvMncrdWJURnc2VFVxc0xmMTB2RVMvbTFySmF0M0Izegpyb3NsL09FNlVmamVuS1VIQnVWV3UrOE92WnFKYnlwb055NTNreWQ2dDB2MGNrY1ZmVkxWYkpqQ3dxZThPYWxqClVQaEtWa0tDemdXbURDUzVoUWwwdW11SjV1WHNNSDRrSmZmMnNBazFGS1dFOGtESWZJSGplK3F2OFMyVEo3bm0KdUFzWGRBTHdQVy9qQ1hKOTN4dWpMTHU3TkpUcXpYcUpJRVlCSXdJREFRQUJBb0lCQUYxNW92dnlvaXFuWm5OVApxL3pNK3BLWWdVRUtMd04yUWpjN091d3RLSXg0RDM0VzZJNjlHYVY0WGdJaTJDLzNRUWxSRE9paXhFbFQ3cWREClA1bHVuVW9jQU9JcEljMmMwQU9VODBMeHJ0L2lYcXVBOVErWmhiWVhMcnBIUjdqOG5ua25IdVZHaWM3VmYwRTYKelRhazR0ZS82WDh3ejFzcGJmUFFhRUQ1RlRWY0RUaUp5QlRDTHpTWXE1alZKTjdRejlQdzRXR1B5WERTNzF6YwpKNHFndDVSTkxGc2tiMnQ2dzJDQjFlOEhSUHhMU0ZycU1SL3hrbWJQM2NnSXl3MEpLVUlFTUR1WWhZY0RhZCtTCkV4TDg2UUVKSUw5VU5FZnY3K1VDMzFURGdzd3loUmZ1N1hIb1BtS0tFSTNXcHZ5aGtINXRJOUEzV0ZwUWZTcmIKTmt4S3YrRUNnWUVBeVpVdGxuT3VlZFVXU1RaMGVaaEJIekI0WWhOOVlhck55TWNvenJNb3dITFdJZWVQdHo4NQpuKzJvRjN1bEh0QmFqKzI1MzU0ZFJrU0hLQkhsRTRmMFlYVGVWTTdqZDFONzVLZWpzQzdNN2JnVHFoMFlJOFdKCmlWaVBONHpKTGNGZEtFcVd4bDRuMEV0TEZzL0lDdWliblBTUm9QUmV5c29nWkpPSWFwVzFpUDhDZ1lFQSt1M3YKekM3YXFIZGtLRGdEb3kwWmtoK3RCT001WjVQV1M4NE8rUUo4QU42TmhMeHd2N29Oa1ZnQk9OMUIwVXdySGFXbQowY3JQeEZybk5mRkg4d0pTTGNMV2hYdWdYelJpaGxaakVXYTBLdGJZOVhxQUd3V2tVcTltL2s4V04zSmpQODdlCmN5VTZMQllOdXNkM0h3TWtoS0xTWXpaU2YyRmRrdnNHT1V4TVE5MENnWUVBcU5QdjRsbndmc2tnYVNEYVhCeFEKTGpjQ0crSUcySTJjMjlNeE1peUtyT09BdzlTVVlQenEzaTdFNFNZRkhOR1RoNGVxYk1hWDdnbm15SUIwUXU5UwpsV3l6NklOOXJxcVUwT1EyQzVDbXdWR3g1bitIZ0M0cENvYkpLOVVWaU9TeGlOVXZnZVBKcElIcTJhZ2Ira2JtClRZWG5rYzRZdGU2alFwanRYNWNTK3pFQ2dZQStWa2ZoU0s2SGRZbUxPRWNuRFhneHhlNjhyUnBBc2dobHNwNGoKbkV0a0IrWE9XT1lGcTFuZGhxaGZFUkJkeDNkYW1TRjFNdFlrcUpTUjRRd0h3Y2JhbVhHam5ZKzh0dzNXNDdVZQp5STN2cW9vaGlib3pmRlpUT0VIMDRYN2FiVzljbGE3TG1pNzJidEFnVzVjclBDT2hVN1hDY2VkU3Y4UjRWQ1k2CnE4cXlmUUtCZ1FDbkt5TEpjZXhZMnpPL0lBZUtmclNLaVNoNHJsaEFhNFJHRHQwUlJGQ3Rhck80dzRNalcvNkEKMHNscUoyazRZT3gzaU1DT3J1RklGcVR5RzFoUDEzSFlhT0N0S3lLYjh5YXZWeklYUzVEZXE4cVpiZlJsUWJPdQoyeUNKS010SVVhT0E5OGd3a3pLSVlsNkNZWXRNQy9HeVg1c0QxWDMyeURmZVo0SUVkVWx4Qnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtRENDQW9DZ0F3SUJBZ0lVUnY5bXF2Q3U3akI5ejByN0JoR2JRWWlWZndJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNakkyCk1EUXhPREF3V2hjTk1qVXdNakkwTURReE9EQXdXakJTTVFzd0NRWURWUVFHRXdKQlZURVFNQTRHQTFVRUNCTUgKUlhoaGJYQnNaVEVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVJBd0RnWURWUVFLRXdkRmVHRnRjR3hsTVFzdwpDUVlEVlFRTEV3SkRRVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNdXhDM2RMCmlPcE4zYVI1bE9XQmFkV1lONXFkdndzUmU5ekFTNmhQbkJIVUVnUXcveG82MkV2bDRvY2pnYkRPSXMra1YrVGkKYWZkeGhublRJSUdNMDJUaFp1cUpRSFhjN2hsWDRLcjdsaG4yVzdadTM1eWRSZW9jRGZnb1Z6cTM3aytydXd0OAptVFIyTFNQcUhJZmU2Lzd4czRud242MGs3b20xdlNRTzN4TGVOZm9xSWJENk01ZGNkdXNTT01NSjZLU2gxNmF1CjJHZkNrdUgzdEZuMWtBdE1RWDZPc3VJbnpuNTFzdjRRbW52WnowTUZoanVUSHpTR2pZYnB3KzFGcksveGNnRmcKU1M1eGtkYU55SjNpaG4rWjBYWkxYUHMvZEdiSWNKMnVibDk4OCthUWp6Z2JvZ09rMFRBQnlyWnZPYnBMWWNjWQpuR1AxaW1Bdm5uTlRmK2tDQXdFQUFhTm1NR1F3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFJd0hRWURWUjBPQkJZRUZLbUpwVnhDZzhuYWZPY1ZmYURvdlRGOWwzSE9NQjhHQTFVZEl3UVkKTUJhQUZLbUpwVnhDZzhuYWZPY1ZmYURvdlRGOWwzSE9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNRU2hCNgpNV0hXTTNTSmNNNkFEWGFRK3Y0SkltUWJ0Ym4xRUlpMkFKVUNIa0tORlhSaHNiYml5OFVhVldmUnZCRnFyMGFzCnA3TlpNUnB5cytRaUYzWTZDSzVFVmZSMUc2YUF6Q25QN1FkTWZzOWFraU9ydlZFaURGYlp0TDhHL3dyV0hTTGwKRWhrajZUR3JsR2FwM2tyZDFGQ1VKTE9BREpNS2VXK3FqYVdjbFRwM01hZ1Q1NStBcEkxeStqdEE4bmdRMGlzcgpBMWNVSVlGbUR6clZudmFxSkVMdlJIak1nTkR3R1lGQUh1dFdrclUybW1wNUMxN29LU1o2dnZ2M05GL3RDTFZYClFjZEt3TUtKbkc3bkYwTmdzTUdDckVXdG1FRHhNb3dJYzdTZXRieWN1aklqdHVVZTNyZktxNkdUUE5aVk1za2sKZ29rVnQvQVFmSWhJL05UMQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

hashicorp/vault/server/ssl_generate_self_signed.txt

@@ -0,0 +1,29 @@
+
+
+cd ./hashicorp/vault/tls/
+
+docker run -it --rm -v ${PWD}:/work -w /work debian:buster bash
+apt-get update && apt-get install -y curl &&
+curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl && \
+curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson && \
+chmod +x /usr/local/bin/cfssl && \
+chmod +x /usr/local/bin/cfssljson
+
+#generate certificate
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -hostname="vault-example,vault-example.vault-example.svc.cluster.local,localhost,127.0.0.1" \
+  -profile=default \
+  vault-csr.json | cfssljson -bare vault-example
+
+#get values to make a secret
+cat ca.pem | base64 | tr -d '\n'
+cat vault-example.pem | base64 | tr -d '\n'
+cat vault-example-key.pem | base64 | tr -d '\n'
+
+#TEST
+vault login
+vault kv put cubbyhole/hello foo=world

hashicorp/vault/tls/ca-config.json

@@ -0,0 +1,13 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "default": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}

hashicorp/vault/tls/ca-csr.json

@@ -0,0 +1,18 @@
+{
+  "hosts": [
+    "cluster.local"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "AU",
+      "L": "Melbourne",
+      "O": "Example",
+      "OU": "CA",
+      "ST": "Example"
+    }
+  ]
+}

hashicorp/vault/tls/vault-csr.json

@@ -0,0 +1,16 @@
+{
+  "CN": "vault-example",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "AU",
+      "L": "Melbourne",
+      "O": "Kubernetes",
+      "OU": "Vault",
+      "ST": "Victoria"
+    }
+  ]
+}