Store KOPS CA key and certificate in Vault

2/3/2022

I've recently started using KOPS as a tool to provision Kubernetes clusters and from what I've seen so far, it stores its CA key and certificates in its S3 bucket, which is fine.

But out of curiosity, would it be possible to store these in Hashicorp Vault instead, as opposed to S3?

-- Metro
ca
hashicorp-vault
kops
kubernetes
vault

1 Answer

2/3/2022

But out of curiosity, would it be possible to store these in Hashicorp Vault instead, as opposed to S3?

Yes. User Matt Schuchard has mentioned in the comment:

Yes you can store them in the KV2 secrets engine, or use the PKI secrets engine to generate them instead.

For more details look at this kops documentation. The most interesting part should be Node authentication and configuration:

The vault store uses IAM auth to authenticate against the vault server and expects the vault auth plugin to be mounted on /aws.

Instructions for configuring your vault server to accept IAM authentication are at https://learn.hashicorp.com/vault/identity-access-management/iam-authentication

To configure kOps to use the Vault store, add this to the cluster spec:

spec:
  secretStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/secrets
  keyStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/keys

Look also at this hashicorp site.

-- Mikołaj Głodziak
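An added example, not from the question, the answer, or the kops or Vault documentation: a small POSIX shell script that generates a least-privilege Vault policy for one kops cluster and prints the vault CLI commands that set up what the answer's cluster spec points at (the AWS IAM auth method mounted at /aws, a KV v2 mount, and an IAM-bound role). The KV2 mount name `kops`, the cluster name `example.k8s.local`, the node IAM role ARN and the policy/role names are constructed placeholders, and the split into a read-only node policy and a read-write operator policy is an assumption about how kops uses the stores. The one fact the script relies on beyond the page is that KV v2 serves secret values under `<mount>/data/<path>` and listing/version metadata under `<mount>/metadata/<path>`, so a policy written against the bare path from the cluster spec would not grant access.

```shell
#!/bin/sh
# Added example, not from the question, the answer or the kops/Vault docs.
# Generates a least-privilege Vault policy for one kops cluster and prints
# the vault CLI commands that set up what the answer's cluster spec needs:
# the AWS IAM auth method at /aws and a KV v2 mount.
# Constructed assumptions: KV2 mount "kops", cluster "example.k8s.local",
# and a placeholder IAM role ARN for the cluster's nodes.

KV_MOUNT="${KV_MOUNT:-kops}"
CLUSTER="${CLUSTER:-example.k8s.local}"
# Placeholder ARN; replace with the instance role the nodes actually run with.
NODE_ROLE_ARN="${NODE_ROLE_ARN:-arn:aws:iam::123456789012:role/nodes.example.k8s.local}"

# Derive a dot-free suffix for policy and role names so cluster names such as
# "example.k8s.local" do not read like path components in Vault.
safe_name() {
    printf '%s' "$1" | tr '.' '-'
}

# KV v2 serves values under <mount>/data/<path> and list/version metadata
# under <mount>/metadata/<path>, so a policy must grant both prefixes.
# The <path> part mirrors the secretStore/keyStore URLs in the cluster spec:
#   <kv2 mount>/clusters/<clustername>/secrets and .../keys
kops_policy() {
    mount="$1"; cluster="$2"; caps="$3"
    for sub in secrets keys; do
        for api in data metadata; do
            printf 'path "%s/%s/clusters/%s/%s/*" {\n  capabilities = [%s]\n}\n' \
                "$mount" "$api" "$cluster" "$sub" "$caps"
        done
    done
}

# Assumption: nodes only need to read the CA material; writes stay with the
# operator running `kops`, which gets its own, broader policy.
NODE_CAPS='"read", "list"'
ADMIN_CAPS='"create", "read", "update", "delete", "list"'

# vault CLI commands for a server where VAULT_ADDR and VAULT_TOKEN are set.
# Printed rather than executed so they can be reviewed before being run.
# bound_iam_principal_arn limits who can log in to the role to the node role,
# rather than any principal in the account.
setup_commands() {
    name=$(safe_name "$2")
    cat <<EOF
vault auth enable -path=aws aws
vault secrets enable -path=$1 kv-v2
vault policy write kops-nodes-$name nodes-$name.hcl
vault policy write kops-admin-$name admin-$name.hcl
vault write auth/aws/role/kops-nodes-$name auth_type=iam \\
  bound_iam_principal_arn="$3" token_policies=kops-nodes-$name token_ttl=1h
EOF
}

echo "# --- policy for nodes (nodes-$(safe_name "$CLUSTER").hcl) ---"
kops_policy "$KV_MOUNT" "$CLUSTER" "$NODE_CAPS"
echo "# --- policy for the kops operator (admin-$(safe_name "$CLUSTER").hcl) ---"
kops_policy "$KV_MOUNT" "$CLUSTER" "$ADMIN_CAPS"
echo "# --- vault commands ---"
setup_commands "$KV_MOUNT" "$CLUSTER" "$NODE_ROLE_ARN"
```

Run it with `KV_MOUNT`, `CLUSTER` and `NODE_ROLE_ARN` set for your environment, save the two printed policies to the `.hcl` files the commands reference, and only then run the commands. The mount and cluster name used here must match the `<kv2 mount>` and `<clustername>` parts of the `secretStore` and `keyStore` URLs in the cluster spec, otherwise the policy grants paths kops never touches.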
Source: StackOverflow