
docs: add TLS certificate authentication example for Vault provider (#6212)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Ali Asghar, 2 months ago
commit 78899a8914
2 changed files with 50 additions and 1 deletion
  1. docs/provider/hashicorp-vault.md (+9, -1)
  2. docs/snippets/vault-cert-store.yaml (+41, -0)

+ 9 - 1
docs/provider/hashicorp-vault.md

@@ -378,7 +378,15 @@ set of AWS Programmatic access credentials stored in a `Kind=Secret` and referen
 
 #### TLS certificates authentication
 
-[TLS certificates auth method](https://developer.hashicorp.com/vault/docs/auth/cert)  allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed. SSL/TLS client certificates are defined as having an ExtKeyUsage extension with the usage set to either ClientAuth or Any.
+[TLS certificates auth method](https://developer.hashicorp.com/vault/docs/auth/cert) allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed. SSL/TLS client certificates are defined as having an ExtKeyUsage extension with the usage set to either ClientAuth or Any.
+
+To use TLS certificate authentication, create a `kubernetes.io/tls` Secret containing the client certificate and private key, then reference it in the SecretStore. The Secret keys must be `tls.crt` and `tls.key`. If your Vault server uses a custom or private CA, also configure `caProvider` or `caBundle` so that ESO can verify the server certificate.
+
+```yaml
+{% include 'vault-cert-store.yaml' %}
+```
+
+**NOTE:** For a `ClusterSecretStore`, you must specify `namespace` in both `clientCert` and `secretRef` to indicate where the TLS Secret resides.
 
 ### Mutual authentication (mTLS)
 
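Review bot: the new paragraph at the top of the hunk says the Secret keys "must be" `tls.crt` and `tls.key`, yet the included `vault-cert-store.yaml` selects each key explicitly with `key: tls.crt` / `key: tls.key`, so a reader cannot tell whether the names are fixed by the `kubernetes.io/tls` Secret type or only by those `key` fields; state which it is. The same paragraph offers `caBundle` as an alternative to `caProvider`, but the snippet shows only `caProvider`; either add a one-line `caBundle` variant or link to the existing CA section so the alternative is not left as a bare mention.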

+ 41 - 0
docs/snippets/vault-cert-store.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-tls-cert
+  namespace: external-secrets
+type: kubernetes.io/tls
+stringData:
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    <your-client-certificate>
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN PRIVATE KEY-----
+    <your-client-private-key>
+    -----END PRIVATE KEY-----
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault-cert-auth
+spec:
+  provider:
+    vault:
+      server: "https://vault.example.com"
+      path: "secret"
+      version: "v2"
+      caProvider:
+        type: "ConfigMap"
+        namespace: "external-secrets"
+        name: "vault-ca-bundle"
+        key: "ca.crt"
+      auth:
+        cert:
+          clientCert:
+            name: vault-tls-cert
+            namespace: "external-secrets"
+            key: tls.crt
+          secretRef:
+            name: vault-tls-cert
+            namespace: "external-secrets"
+            key: tls.key
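Review bot: the `caProvider` block (`type: "ConfigMap"` through `key: "ca.crt"`) refers to a ConfigMap `vault-ca-bundle` that the snippet never creates, so anyone applying it verbatim gets a store that cannot verify the Vault server until that ConfigMap is provisioned; add a YAML comment marking it as a prerequisite, or note that the block can be dropped when the server presents a publicly trusted certificate. A comment on the `stringData` block would also help: the placeholders stand in for private key material, and the Secret is better created out-of-band (for example with `kubectl create secret tls`) than committed in a manifest next to the store.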