Skip to main content

OpenBao agent injector TLS with Cert-Manager

The following instructions demonstrate how to configure the OpenBao Agent Injector to use certificates generated by cert-manager. This allows you to run multiple replicas of the OpenBao Agent Injector in a Kubernetes cluster.

Prerequisites

Install cert-manager if not already installed (see the cert-manager documentation). For example, with helm:

$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true

Create a certificate authority (CA)

For this example we will bootstrap a self-signed certificate authority (CA) Issuer. If you already have a ClusterIssuer configured for your cluster, you may skip this step.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: injector-selfsigned-ca
spec:
isCA: true
commonName: Agent Inject CA
secretName: injector-ca-secret
duration: 87660h # 10 years
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: injector-ca-issuer
spec:
ca:
secretName: injector-ca-secret

Save that to a file named ca-issuer.yaml, and apply to your Kubernetes cluster:

$ kubectl apply -n openbao -f ca-issuer.yaml
issuer.cert-manager.io/selfsigned created
certificate.cert-manager.io/injector-selfsigned-ca created
issuer.cert-manager.io/injector-ca-issuer created

$ kubectl -n openbao get issuers -o wide
NAME READY STATUS AGE
injector-ca-issuer True Signing CA verified 7s
selfsigned True 7s

$ kubectl -n openbao get certificates injector-selfsigned-ca -o wide
NAME READY SECRET ISSUER STATUS AGE
injector-selfsigned-ca True injector-ca-secret selfsigned Certificate is up to date and has not expired 32s

Create the OpenBao agent injector certificate

Next we can create a request for cert-manager to generate a certificate and key signed by the certificate authority above. This certificate and key will be used by the OpenBao Agent Injector for TLS communications with the Kubernetes API.

The Certificate request object references the CA issuer created above, and specifies the name of the Secret where the CA, Certificate, and Key will be stored by cert-manager.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: injector-certificate
spec:
secretName: injector-tls
duration: 24h
renewBefore: 144m # roughly 10% of 24h
dnsNames:
- openbao-agent-injector-svc
- openbao-agent-injector-svc.openbao
- openbao-agent-injector-svc.openbao.svc
issuerRef:
name: injector-ca-issuer
commonName: Agent Inject Cert
warning

Important Note: The dnsNames for the certificate must be configured to use the name of the OpenBao Agent Injector Kubernetes service and namespace where it is deployed.

In this example the OpenBao Agent Injector service name is openbao-agent-injector-svc in the openbao namespace. This uses the pattern <k8s service name>.<k8s namespace>.svc.

Save the Certificate yaml to a file and apply to your cluster:

$ kubectl -n openbao apply -f injector-certificate.yaml
certificate.cert-manager.io/injector-certificate created

$ kubectl -n openbao get certificates injector-certificate -o wide
NAME READY SECRET ISSUER STATUS AGE
injector-certificate True injector-tls injector-ca-issuer Certificate is up to date and has not expired 41s

$ kubectl -n openbao get secret injector-tls
NAME TYPE DATA AGE
injector-tls kubernetes.io/tls 3 6m59s

Configuration

Now that a certificate authority and a signed certificate have been created, we can now configure Helm and the OpenBao Agent Injector to use them.

Install the OpenBao Agent Injector with the following custom values:

$ helm install openbao openbao/openbao \
--namespace=openbao \
--set injector.replicas=2 \
--set injector.leaderElector.enabled=false \
--set injector.certs.secretName=injector-tls \
--set injector.webhook.annotations="cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/injector-certificate"