wip

2024-01-25 17:07:18 +01:00 · 2024-01-25 17:07:18 +01:00 · d410d564f3
commit d410d564f3
parent 2eed379533
5 changed files with 162 additions and 0 deletions
--- a/clusters/cherry/manifests/vault/ca.yaml
+++ b/clusters/cherry/manifests/vault/ca.yaml
@ -0,0 +1,33 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server-selfsigned-ca
+spec:
+  isCA: true
+  commonName: Vault Server CA
+  secretName: server-ca
+  duration: 87660h # 10 years
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: selfsigned
+    kind: Issuer
+    group: cert-manager.io
+  additionalOutputFormats:
+    - type: CombinedPEM
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: server-ca-issuer
+spec:
+  ca:
+    secretName: server-ca
--- a/clusters/cherry/manifests/vault/certificate.yaml
+++ b/clusters/cherry/manifests/vault/certificate.yaml
@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server
+spec:
+  secretName: server-tls
+  duration: 24h
+  renewBefore: 144m # 10% of 24h
+  dnsNames:
+    - vault-0.vault-internal
+    - vault-1.vault-internal
+    - vault-2.vault-internal
+    - vault-0.vault-internal.vault
+    - vault-1.vault-internal.vault
+    - vault-2.vault-internal.vault
+    - vault-0.vault-internal.vault.svc
+    - vault-1.vault-internal.vault.svc
+    - vault-2.vault-internal.vault.svc
+  issuerRef:
+    name: server-ca-issuer
+  commonName: Server Certificate