custom CA for external vault server

[dontreboot]

AGENT_INJECT_VAULT_ADDR allows us to specify an external vault server address; however, I'd like also to add a custom CA to validate the vault server TLS. How do I specify that for vault injector?

[jkaosw]

Discovered this today. This can be done via a Secret in Kubernetes and some annotations. In the namespace you're spawning applications that consume the injector, there should be a Secret with the CA cert in it:

kubectl create secret generic tls-ca --from-file=ca.pem

And then for the annotation:

...
vault.hashicorp.com/tls-secret: "tls-ca"
vault.hashicorp.com/ca-cert: "/vault/tls/ca.pem"
...

How it works is that the annotation vault.hashicorp.com/tls-secret will mount the Kubernetes secret (e.g. tls-ca) to /vault/tls and then you reference it in the vault.hashicorp/ca-cert annotation.

This is hidden away in the documentation under vault.hashicorp.com/tls-secret. Hope that's what you're looking for.

[snordmann]

For me @jkaosw's solution only worked when I provided the complete certificate chain for my vault server. Using just the CA did not work.

So the secret was created with a file with this format:

-----BEGIN CERTIFICATE-----
Vault certificate
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate
...
-----END CERTIFICATE-----

[tomhjp]

Closed in #507, which adds the complementary AGENT_INJECT_VAULT_CACERT_BYTES.