
Kubernetes Nginx ingress controller to pickup certificates from Vault or Consul KV store


The Kubernetes nginx ingress controller is deployed in my AKS cluster. I am using the following ingress rules configuration for client certificate authentication.

tls-secret, ca-secret are the two secrets containing certificates required for authentication.

Now, my requirement is to get these certificates from Vault or Consul KV store and ingress rules should pick up these certificates from there.

  1. Is there a way for an nginx ingress rule to pick up certificates in a form other than Kubernetes secrets?

  2. If not, how do we convert Vault secrets to Kubernetes secrets? Is this the standard way of going about this?

Ingress-rules.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: service
    meta.helm.sh/release-namespace: mynamespace
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/auth-tls-secret: microservices/ca-secret
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
    nginx.ingress.kubernetes.io/enable-underscores-in-headers: "true"
  name: service-nginx-ingress
  namespace: mynamespace
spec:
  ingressClassName: nginx
  rules:
  - host: ingress-nginx-controller.microservices.com
    http:
      paths:
      - backend:
          service:
            name: service
            port:
              number: 8080
        path: /api/v1/service
        pathType: Prefix
  tls:
  - hosts:
    - ingress-nginx-controller.microservices.com
    secretName: tls-secret

I tried getting the certificates onto a pod using Vault Agent, but couldn't create secrets in the cluster from that Vault data.


Solution

  • As @larks mentioned, you can use an external secrets operator to pick up certificates in forms other than Kubernetes secrets.

    The goal of External Secrets Operator is to synchronize secrets from external APIs into Kubernetes. ESO is a collection of custom API resources (ExternalSecret, SecretStore and ClusterSecretStore) that provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.

    External Secrets Operator allows the operator to retrieve secrets from a Kubernetes cluster; this can be either a remote cluster or the local one in which the operator runs. A SecretStore points to a specific namespace in the target Kubernetes cluster.

    Note: The minimum supported version of Kubernetes is 1.16.0. Users still running Kubernetes v1.15 or below should upgrade to a supported version before installing external-secrets.
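A concrete way to wire this up for the ingress in the question, as an added example (not code from the answer above or from the External Secrets Operator project): one ClusterSecretStore that authenticates to Vault with the Kubernetes auth method, and two ExternalSecret objects that materialize `tls-secret` (type `kubernetes.io/tls`, keys `tls.crt`/`tls.key`) in `mynamespace` and `ca-secret` (key `ca.crt`, which is what the `auth-tls-secret` annotation expects) in `microservices`. The Vault address, the KV v2 mount `secret`, the paths `ingress/tls` and `ingress/ca`, the Vault role `eso-ingress` and the service account `external-secrets-sa` are all assumptions; substitute your own. A ClusterSecretStore is used rather than a SecretStore because the two secrets live in different namespaces.

```yaml
# Assumed: Vault KV v2 mount "secret" holds
#   secret/ingress/tls  -> { "tls.crt": "<PEM>", "tls.key": "<PEM>" }
#   secret/ingress/ca   -> { "ca.crt":  "<PEM chain>" }
# and a Vault Kubernetes-auth role "eso-ingress" bound to the
# external-secrets-sa service account with read policy on those paths.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-ingress            # assumed name
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed address
      path: "secret"            # KV mount
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "eso-ingress"   # assumed Vault role
          serviceAccountRef:
            name: "external-secrets-sa"       # assumed SA
            namespace: "external-secrets"     # assumed SA namespace
---
# Server certificate for the Ingress "tls:" block (spec.tls[].secretName).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: tls-secret
  namespace: mynamespace
spec:
  refreshInterval: 1h           # re-sync so rotated certs in Vault propagate
  secretStoreRef:
    name: vault-ingress
    kind: ClusterSecretStore
  target:
    name: tls-secret            # the Secret the Ingress already references
    creationPolicy: Owner       # ESO owns and garbage-collects the Secret
    template:
      type: kubernetes.io/tls   # required type for Ingress TLS secrets
  data:
    - secretKey: tls.crt
      remoteRef:
        key: ingress/tls
        property: tls.crt
    - secretKey: tls.key
      remoteRef:
        key: ingress/tls
        property: tls.key
---
# Client CA bundle for nginx.ingress.kubernetes.io/auth-tls-secret.
# The annotation value "microservices/ca-secret" means namespace
# "microservices", so the target Secret must be created there.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ca-secret
  namespace: microservices
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-ingress
    kind: ClusterSecretStore
  target:
    name: ca-secret
    creationPolicy: Owner
  data:
    - secretKey: ca.crt         # key name ingress-nginx reads for client-cert verification
      remoteRef:
        key: ingress/ca
        property: ca.crt
```

After applying, `kubectl get externalsecret -A` should show both objects with a `SecretSynced` status; if one reports an error, the message usually points at the Vault path or at the auth role binding. Because `creationPolicy: Owner` lets ESO overwrite the target Secret, remove any hand-created `tls-secret`/`ca-secret` first, and keep the Vault policy for `eso-ingress` read-only on just the two paths so the operator's token cannot reach other secrets.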