Kubernetes - cert-manager - error while creating the issuer that uses Hashicorp Vault

4/21/2020

I have created a Vault cluster that uses OpenSSL self-signed certs generated by the terraform-aws-vault module.

I am getting the following error when I try to create an issuer resource in Kubernetes that uses this Vault cluster:

validation failure list:
spec.vault.caBundle in body must be of type byte: "../certs/vault-cabundle.pem"

This is my issuer YAML file:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: vault-clusterissuer
spec:
  vault:
    path: pki_int/sign/cert-manager
    server: https://vault-cluster.example.com:8200
    caBundle: /etc/ssl/certs/istio-ingress/vault-cabundle.pem
    auth:
      appRole:
        path: approle
        roleId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        secretRef:
          name: cert-manager-vault-approle
          key: secretId

I have used this command for base64 encrypting the caBundle file:

openssl base64 -in cabundle.pem -out vault-cabundle.pem

Any help on this is highly appreciated.

-- Devesh mehta
cert-manager
hashicorp-vault
kubernetes

1 Answer

4/22/2020

That seems to be due to the expected format of the caBundle attribute in the YAML file. I couldn't find a documented schema for it, but I found an example: https://github.com/kubernetes/kubernetes/issues/61171. The caBundle seems to take a single-line string that is base64. I have tested this and it works for me.

It should work if you place the entire base64-encoded file on one line and put it against caBundle. Refer to the link posted for an example.

-- Technoshaft
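The answer above can be turned into a repeatable check. The script below is an added example, not code from the question, the answer or the cert-manager project: it encodes a CA PEM as one line of base64 (the questioner's openssl command wraps its output at 64 columns, and the YAML then carried the output file's path rather than its contents, which is why the API server rejected the value as "not of type byte"), verifies that the value decodes back to a certificate, and renders the ClusterIssuer with the value in place. It assumes POSIX sh with coreutils base64 and tr, uses the current cert-manager.io/v1 API instead of the v1alpha1 one in the question, and the sample PEM, server URL, Vault path and roleId are constructed placeholders rather than real values.

```shell
#!/bin/sh
# Added example: build a cert-manager ClusterIssuer whose spec.vault.caBundle
# is the CA PEM as a single line of base64. Not from the original post.
# Assumes POSIX sh + coreutils base64/tr; all names and values below are
# placeholders.
set -eu

# Encode a PEM file as base64 with no line breaks. "openssl base64 -in ..."
# wraps at 64 columns and "base64" at 76, and a YAML byte field must be one
# unbroken base64 string, so strip every newline.
encode_cabundle() {
  base64 < "$1" | tr -d '\n\r'
}

# Reject anything that is not one line of base64 (a file path, wrapped
# output, an empty string), then decode and require a PEM certificate.
check_cabundle() {
  case "$1" in
    *[!A-Za-z0-9+/=]*|"") return 1 ;;
  esac
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Render the ClusterIssuer. $1 is the encoded bundle, $2 the AppRole roleId.
render_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-clusterissuer
spec:
  vault:
    path: pki_int/sign/cert-manager
    server: https://vault-cluster.example.com:8200
    caBundle: $1
    auth:
      appRole:
        path: approle
        roleId: "$2"
        secretRef:
          name: cert-manager-vault-approle
          key: secretId
EOF
}

# Constructed sample input (not a real CA certificate); replace with the
# cabundle.pem you actually trust.
SAMPLE_PEM="$(mktemp)"
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQUJDREVGR0hJSktMTU5PUFFSU1RVVjAKBggqhkjOPQQD
AjAXMRUwEwYDVQQDDAxleGFtcGxlLXJvb3QwHhcNMjAwNDIxMDAwMDAwWhcNMzAw
-----END CERTIFICATE-----
EOF

B64="$(encode_cabundle "$SAMPLE_PEM")"
# A path such as /etc/ssl/certs/istio-ingress/vault-cabundle.pem fails the
# check; the single-line encoding of the file passes and is rendered.
if check_cabundle "$B64"; then
  render_issuer "$B64" "00000000-0000-0000-0000-000000000000"
fi
rm -f "$SAMPLE_PEM"
```

Run it against the real bundle and pipe the rendered manifest into kubectl apply. Before doing so, confirm the PEM is the CA that signed Vault's listener certificate (for example with openssl verify), because caBundle is what cert-manager trusts when it connects to Vault, and a wrong or overly broad bundle silently weakens that check. Newer cert-manager releases also accept spec.vault.caBundleSecretRef, which lets the bundle live in a Secret instead of being inlined in the issuer.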
Source: StackOverflow