-
Notifications
You must be signed in to change notification settings - Fork 50
/
tls-secrets.yaml
36 lines (36 loc) · 1.2 KB
/
tls-secrets.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Generate a self-signed CA, and server and client certificates signed by that CA,
# lasting 31 days and 30 days respectively.
#
# In the context of these certificates, Vault takes the server role and the CSI
# provider will be the client.
{{ $ca := genCA "svc-vault-ca" 31 }}
{{ $dns1:= printf "vault.%s.svc.cluster.local" .Release.Namespace }}
{{ $dns2 := printf "vault.%s.svc" .Release.Namespace }}
{{ $dns3 := printf "vault.%s" .Release.Namespace }}
{{ $dns4 := "vault" }}
{{ $server := genSignedCert $dns1 (list "127.0.0.1") (list $dns1 $dns2 $dns3 $dns4) 30 $ca }}
{{ $client := genSignedCert "" nil (list $dns1 $dns2 $dns3 $dns4) 30 $ca }}
---
apiVersion: v1
kind: Secret
metadata:
name: vault-server-tls
namespace: {{ .Release.namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
ca.crt: {{ b64enc $ca.Cert }}
server.crt: {{ b64enc $server.Cert }}
server.key: {{ b64enc $server.Key }}
---
apiVersion: v1
kind: Secret
metadata:
name: vault-client-tls
namespace: {{ .Release.namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
ca.crt: {{ b64enc $ca.Cert }}
client.crt: {{ b64enc $client.Cert }}
client.key: {{ b64enc $client.Key }}