f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
135 lines
5.5 KiB
ReStructuredText
135 lines
5.5 KiB
ReStructuredText
.. _vault-server-certificate-8573125eeea6:
|
|
|
|
========================
|
|
Vault Server Certificate
|
|
========================
|
|
|
|
|prod| integrates open source Vault containerized security application
|
|
\(Optional) into the |prod| solution.
|
|
|
|
Vault is a containerized secrets management application that provides encrypted
|
|
storage with policy-based access control and supports multiple secrets storage
|
|
engines and auth methods.
|
|
|
|
Refer to :ref:`Vault Secret and Data Management
|
|
<vault-secret-and-data-management-security-index>` for details about Vault
|
|
installation and configuration.
|
|
|
|
Accessing Vault is secured by HTTPS. Vault server certificate and the Root |CA|
|
|
certificate from which the server certificate is generated are stored in
|
|
Kubernetes secrets in Vault namespace.
|
|
|
|
- Vault-ca: the Vault Root |CA| certificate
|
|
|
|
- Vault-server-tls: the Vault server certificate
|
|
|
|
The client that accesses Vault server verifies Vault server certificate with
|
|
vault-ca Root |CA| certificate. So the client needs to be configured to trust
|
|
vault-ca Root |CA| certificate.
|
|
|
|
In section :ref:`Configure Vault Using the Vault REST API <configure-vault>`,
|
|
there are examples using curl to access Vault services.
|
|
|
|
--------------------------------
|
|
Install Vault server certificate
|
|
--------------------------------
|
|
|
|
By default, the Root |CA| certificate and key are automatically created and the
|
|
Vault server certificate is generated from the Root |CA| certificate during the
|
|
Vault app application.
|
|
|
|
The Root |CA| certificate has 10 years validity while the server certificate
|
|
has 3 month validity.
|
|
|
|
-------------------------------
|
|
Update/Renew Vault certificates
|
|
-------------------------------
|
|
|
|
.. warning::
|
|
|
|
Vault certificates are not auto renewed. They have to be updated manually
|
|
by updating the secrets from the new certificate files.
|
|
|
|
Refer to :ref:`Create Certificates Locally using openssl
|
|
<create-certificates-locally-using-openssl>` on how to generate certificate
|
|
using openssl in general.
|
|
|
|
.. rubric:: |proc|
|
|
|
|
The following procedure is an example of the steps to generate new Vault server
|
|
certificate from the existing Root |CA| certificate using openssl and update
|
|
corresponding secret for Vault to use the new certificate.
|
|
|
|
The existing Root |CA| has 10 years validity so the example below is to renew
|
|
the Vault server certificate from it.
|
|
|
|
#. Retrieve Vault Root |CA| certificate and private key from secret to files:
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)]$ mkdir /home/sysadmin/vault_ca_cert
|
|
~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_cert.pem
|
|
~(keystone_admin)]$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.key}') | base64 --decode > /home/sysadmin/vault_ca_cert/vault_ca_key.pem
|
|
|
|
#. Create and sign a server certificate and key:
|
|
|
|
- Create the Server private key.
|
|
|
|
.. code-block::
|
|
|
|
~(keystone_admin)]$ mkdir /home/sysadmin/vault_new_certs
|
|
~(keystone_admin)]$ openssl genrsa -out /home/sysadmin/vault_new_certs/vault-server-tls-key.pem 2048
|
|
|
|
- Create the server certificate signing request (csr).
|
|
|
|
Create a csr configuration file
|
|
``/home/sysadmin/vault_new_certs/extfile.cnf`` with the following content:
|
|
|
|
.. code-block::
|
|
|
|
[req]
|
|
prompt = no
|
|
x509_extensions = v3_req
|
|
distinguished_name = dn
|
|
[dn]
|
|
O = stx
|
|
[v3_req]
|
|
basicConstraints = critical, CA:FALSE
|
|
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
|
|
subjectAltName = @alt_names
|
|
[alt_names]
|
|
DNS.1 = sva-vault
|
|
DNS.2 = *.sva-vault-internal
|
|
DNS.3 = *.vault.pod.cluster.local
|
|
DNS.4 = sva-vault.vault
|
|
DNS.5 = sva-vault.vault.svc
|
|
DNS.6 = sva-vault.vault.svc.cluster.local
|
|
DNS.7 = sva-vault-active.vault.svc.cluster.local
|
|
IP.1 = 127.0.0.1
|
|
|
|
~(keystone_admin)]$ openssl req -new -key /home/sysadmin/vault_new_certs/vault-server-tls-key.pem -out /home/sysadmin/vault_new_certs/vault-server-tls.csr -config /home/sysadmin/vault_new_certs/extfile.cnf
|
|
|
|
- Use the Root |CA| to sign the server certificate:
|
|
|
|
.. code-block::
|
|
|
|
~(keystone_admin)]$ openssl x509 -req -in /home/sysadmin/vault_new_certs/vault-server-tls.csr -CA /home/sysadmin/vault_ca_cert/vault_ca_cert.pem -CAkey /home/sysadmin/vault_ca_cert/vault_ca_key.pem -CAcreateserial -out /home/sysadmin/vault_new_certs/vault-server-tls-cert.pem -days 365 -extensions v3_req -extfile /home/sysadmin/vault_new_certs/extfile.cnf
|
|
|
|
#. Update vault-server-tls secret with the new vault server certificate:
|
|
|
|
.. code-block::
|
|
|
|
~(keystone_admin)]$ kubectl create secret tls vault-server-tls --cert=/home/sysadmin/vault_new_certs/vault-server-tls-cert.pem --key=/home/sysadmin/vault_new_certs/vault-server-tls-key.pem --save-config --dry-run=client -n vault -o yaml | kubectl apply -f -
|
|
|
|
#. Restart vault-manager, agent-injector and vault servers to use the new server certificate:
|
|
|
|
.. code-block::
|
|
|
|
~(keystone_admin)]$ kubectl rollout restart statefulset sva-vault-manager -n vault
|
|
~(keystone_admin)]$ kubectl rollout restart deployment sva-vault-agent-injector -n vault
|
|
|
|
~(keystone_admin)]$ kubectl delete pod sva-vault-0 -n vault
|
|
~(keystone_admin)]$ kubectl delete pod sva-vault-1 -n vault
|
|
~(keystone_admin)]$ kubectl delete pod sva-vault-2 -n vault
|
|
|