Merge pull request #105 from utilitywarehouse/as-certm-migaration

use cert-manager instead of custom PKI management
utilitywarehouse · Feb 12, 2025 · d5106fb · d5106fb
2 parents eda32fa + afd8ea7
commit d5106fb
Show file tree

Hide file tree

Showing 10 changed files with 57 additions and 321 deletions.
diff --git a/README.md b/README.md
@@ -86,23 +86,11 @@ systems.
 Vault uses TLS with a self-signed certificate. Clients communicating
 with Vault need to hold the corresponding self-signed CA certificate.
 
-A deployment called [`vault-pki-manager`](base/vault-namespace/vault-pki.yaml)
-performs the following functions:
-
-- Generates/rotates the CA certificate, private key and server certificate every
-  24 hours
-  - This frequent rotation mitigates the risk of the private key being
-    compromised without our knowledge. The threat scenario being that a
-    malicious actor could perpetrate a MITM attack.
-  - There is a sidecar on the Vault server pods called `reloader` which reloads
-    Vault to pick up the new certificates when they change on disk.
-- Ensures the CA certificate is copied into a `ConfigMap` called `vault-tls` in
-  every namespace in the cluster
-  - This allows the CA cert to be mounted into containers which communicate with
-    Vault
-  - The base provides a
-    [`ClusterRole`](https://github.com/utilitywarehouse/vault-manifests/blob/master/base/cluster-wide/rbac.yaml)
-    that allows `vault-pki-manager` to write `ConfigMaps` cluster wide
+In this deployment `cert-manager` is used to generate certificate using self 
+signed issuer. [resources](base/vault-namespace/cert.yaml)
+
+This CA certificate is made available via http endpoint using [vault-ca-cert](base/vault-namespace/ca-server.yaml) deployment. Since cert is rotated every 24h
+clients are expected to fetch new cert before starting communication with vault.
 
 ### Prometheus metrics
 

diff --git a/base/cluster-wide/kustomization.yaml b/base/cluster-wide/kustomization.yaml
diff --git a/base/cluster-wide/rbac.yaml b/base/cluster-wide/rbac.yaml
diff --git a/base/vault-namespace/cert.yaml b/base/vault-namespace/cert.yaml
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault
+spec:
+  secretName: vault-tls
+  issuerRef:
+    kind: Issuer
+    name: vault-selfsigned
+  duration: 25h0m0s
+  renewBefore: 1h0m0s
+  subject:
+    organizations:
+      - uw
+  privateKey:
+    algorithm: Ed25519
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  ipAddresses:
+    - 127.0.0.1 # required by vault initializer
+  dnsNames:
+    - vault
+    - vault-0.vault
+    - vault-0.vault-cluster
+    - vault-0.vault-cluster.sys-vault
+    - vault-0.vault.sys-vault
+    - vault-1.vault
+    - vault-1.vault-cluster
+    - vault-1.vault-cluster.sys-vault
+    - vault-1.vault.sys-vault
+    - vault-2.vault
+    - vault-2.vault-cluster
+    - vault-2.vault-cluster.sys-vault
+    - vault-2.vault.sys-vault
+    - vault-cluster
+    - vault-cluster.sys-vault
+    - vault.sys-vault
diff --git a/base/vault-namespace/kustomization.yaml b/base/vault-namespace/kustomization.yaml
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ca-server.yaml
+  - cert.yaml
   - rbac.yaml
   - vault.yaml
-  - vault-pki.yaml
 configMapGenerator:
   - name: statsd-mappings
     files:

diff --git a/base/vault-namespace/rbac.yaml b/base/vault-namespace/rbac.yaml
@@ -12,13 +12,3 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: vault-pki
-rules:
-  # Used by vault-pki-manager to update secrets with certificates
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "create", "update", "patch"]
diff --git a/base/vault-namespace/vault-pki.yaml b/base/vault-namespace/vault-pki.yaml
diff --git a/example/cluster-wide/rbac.yaml b/example/cluster-wide/rbac.yaml
@@ -11,17 +11,3 @@ subjects:
     name: vault
     # Placeholder, patch with the vault namespace value
     namespace: example
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: vault-pki
-roleRef:
-  kind: ClusterRole
-  name: vault-pki
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: vault-pki
-    # Placeholder, patch with the vault namespace value
-    namespace: example
diff --git a/example/vault-namespace/rbac.yaml b/example/vault-namespace/rbac.yaml
@@ -11,17 +11,3 @@ subjects:
     name: vault
     # Placeholder, patch with the vault namespace value
     namespace: example
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: vault-pki
-roleRef:
-  kind: Role
-  name: vault
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: vault-pki
-    # Placeholder, patch with the vault namespace value
-    namespace: example