
add organization to subject field with terraform's vault provider

I'm trying to provision a kubernetes cluster by creating all the certificates through vault first. It somehow makes it easy in the context of terraform, because I can insert all this information in the cloudinit config, so I don't have to rely on a node being ready and then transfer data from one to another.

In any case, the problem that I have is that vault_pki_secret_backend_cert doesn't seem to support any change to the subject field except for common_name ( https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_cert ), whereas kubernetes relies on these types of certificates where the organization is specified. For example:

Subject: O = system:masters, CN = kube-etcd-healthcheck-client

I'm generating these certificates by directly using vault's intermediate certificate, so the private key is in vault. I cannot generate them separately, and I wouldn't want that anyway, because I'm trying to provision basically everything using terraform.

Any ideas how I can get around this issue?

I was able to find out the answer eventually. The only way to do this with terraform/vault seems to be configuring the backend role and adding the organization parameter to that role: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/cert_auth_backend_role .

For example, you define the role:

resource "vault_pki_secret_backend_role" "etcd_ca_clients" {
  depends_on       = [ vault_pki_secret_backend_intermediate_set_signed.kube1_etcd_ca ]
  backend          = vault_mount.kube1_etcd_ca.path
  name             = "kubernetes-client"
  ttl              = 3600
  allow_ip_sans    = true
  key_type         = "ed25519"
  allow_any_name   = true
  allowed_domains  = ["*"]
  allow_subdomains = true
  organization     = [ "system:masters" ]
}

And here you tell vault to generate the certificate based on that role:

resource "vault_pki_secret_backend_cert" "etcd_healthcheck_client" {
  for_each    = { for k, v in var.kubernetes_servers : k => v if startswith(k, "etcd-") }
  depends_on  = [vault_pki_secret_backend_role.etcd_ca_clients]
  backend     = vault_mount.kube1_etcd_ca.path
  name        = vault_pki_secret_backend_role.etcd_ca_clients.name
  common_name = "kube-etcd-healthcheck-client"
}

The limitation makes no sense whatsoever to me, but if you don't have a bulk of very different certificates, it's not all too bad and you don't have to repeat a lot of code.
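As an added check that is not part of the original post: once the role and cert above are applied, the `certificate` attribute of vault_pki_secret_backend_cert can be fed to a small Go program (standard library only) to confirm the subject carries exactly O=system:masters and the expected CN, since kubernetes maps O to the group that RBAC authorizes and CN to the user. The self-signed certificate the program builds is a constructed stand-in for the Vault-issued one so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckSubject parses a PEM certificate (e.g. the `certificate` attribute of
// vault_pki_secret_backend_cert) and requires the subject to carry exactly the
// expected O and CN: Kubernetes maps O to the group and CN to the user.
func CheckSubject(certPEM []byte, wantOrg, wantCN string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != wantCN {
		return fmt.Errorf("CN %q, want %q", cert.Subject.CommonName, wantCN)
	}
	if o := cert.Subject.Organization; len(o) != 1 || o[0] != wantOrg {
		return fmt.Errorf("O %v, want [%s]", o, wantOrg)
	}
	return nil
}

// SelfSignedPEM is a constructed ed25519 stand-in for a Vault-issued certificate.
func SelfSignedPEM(orgs []string, cn string) []byte {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: test input only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: orgs, CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour), // the role's ttl of 3600s
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // prints <nil> when the subject matches what the role sets
	fmt.Println(CheckSubject(SelfSignedPEM([]string{"system:masters"}, "kube-etcd-healthcheck-client"), "system:masters", "kube-etcd-healthcheck-client"))
}
```

A certificate with no O, or with an extra O, is rejected as well, which is what you want before handing the file to etcd or the apiserver.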
