Allow custom certificates
It's now possible to use custom certificates for the communication between the Operator and Vault. To use custom certificates you need to set the following environment variables:
VAULT_CACERT: CA certificate to verify the Vault server's SSL certificate.
VAULT_CLIENT_CERT: Client certificate to use for TLS authentication to the Vault server.
VAULT_CLIENT_KEY: Private key matching the client certificate from VAULT_CLIENT_CERT.
VAULT_SKIP_VERIFY: Disable verification of TLS certificates.
VAULT_TLS_SERVER_NAME: Name to use as the SNI host when connecting via TLS.
The environment variables can be set as follows in the Helm chart:
environmentVars:
  - envName: VAULT_CACERT
    secretName: vault-secrets-operator-tls
    secretKey: VAULT_CACERT
  - envName: VAULT_CLIENT_CERT
    secretName: vault-secrets-operator-tls
    secretKey: VAULT_CLIENT_CERT
  - envName: VAULT_CLIENT_KEY
    secretName: vault-secrets-operator-tls
    secretKey: VAULT_CLIENT_KEY
The corresponding secret vault-secrets-operator-tls looks as follows:
apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator-tls
data:
  VAULT_CACERT: ...
  VAULT_CLIENT_CERT: ...
  VAULT_CLIENT_KEY: ...
type: Opaque
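As an added example (not part of the operator or its chart), the following script builds the vault-secrets-operator-tls Secret shown above from PEM material, checking that each key carries the right kind of PEM block before it is base64-encoded, so that a key pasted into the certificate slot or an encrypted key is rejected up front. It assumes the secret values are the PEM contents themselves; the PEM bodies in the sample are constructed placeholders, not real key material.

```python
import base64
import json
import re

# PEM block types accepted for each secret key (assumption: the secret holds
# the PEM contents). An ENCRYPTED PRIVATE KEY is deliberately not accepted,
# since the operator cannot supply a passphrase at startup.
EXPECTED_PEM_TYPES = {
    "VAULT_CACERT": {"CERTIFICATE"},
    "VAULT_CLIENT_CERT": {"CERTIFICATE"},
    "VAULT_CLIENT_KEY": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1-----"
)


def pem_block_types(pem: str) -> list:
    """Return the PEM block types found in a string, in order (a CA bundle may hold several)."""
    return [m.group(1) for m in _PEM_RE.finditer(pem)]


def build_tls_secret(material: dict, name: str = "vault-secrets-operator-tls") -> dict:
    """Validate each PEM value and return the Opaque Secret manifest as a dict."""
    data = {}
    for key, allowed in EXPECTED_PEM_TYPES.items():
        pem = material.get(key)
        if pem is None:
            raise ValueError(f"missing {key}")
        types = pem_block_types(pem)
        if not types:
            raise ValueError(f"{key}: no PEM block found")
        unexpected = set(types) - allowed
        if unexpected:
            raise ValueError(f"{key}: unexpected PEM block type(s) {sorted(unexpected)}")
        # Secret 'data' values are base64-encoded by the API convention.
        data[key] = base64.b64encode(pem.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}


# Constructed placeholder PEM bodies for demonstration only.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBAAA=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBAAA=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    manifest = build_tls_secret({"VAULT_CACERT": FAKE_CERT,
                                 "VAULT_CLIENT_CERT": FAKE_CERT,
                                 "VAULT_CLIENT_KEY": FAKE_KEY})
    print(json.dumps(manifest, indent=2))  # JSON is valid YAML for kubectl apply -f
```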