I have configured Vault to allow mTLS only, so clients must present a certificate to access any Vault API.

I checked the cert-manager API docs for the Vault issuer (https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.VaultIssuer), but there is no field that lets me specify a client certificate and key. Not sure whether this is a cert-manager limitation and I should disable mTLS and just use server-side TLS.

My current issuer-vault.yaml file. I think there should be some keys such as clientCert / clientKey under spec.vault, but I can't find them in the cert-manager CRD.

cat > issuer-vault.yaml <<EOF
apiVersion: cert-manager.io/v1
# use ClusterIssuer so that we don't have to create an Issuer for each namespace.
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    # we use the FQDN here because vault is deployed in another namespace; otherwise the DNS
    # lookup would be limited to this namespace
    server: https://vault.vault.svc.cluster.local:8200
    path: pki/sign/fiduciaedge-work
    caBundle: $CA_BUNDLE
    auth:
      kubernetes:
        role: cert-manager-issuer
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: $ISSUER_SECRET_REF
          key: token
EOF
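An added example, not part of the question above: the same ClusterIssuer extended to present a client certificate to Vault. It assumes a cert-manager release whose VaultIssuer spec exposes `clientCertSecretRef` and `clientKeySecretRef` (1.14 and later, to my knowledge; confirm with `kubectl explain clusterissuer.spec.vault` before applying), and a TLS Secret named `vault-client-tls` holding the client certificate and key, which is an assumed name.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    server: https://vault.vault.svc.cluster.local:8200
    path: pki/sign/fiduciaedge-work
    # CA that signed Vault's server certificate (base64 PEM); placeholder value
    caBundle: <BASE64_CA_BUNDLE>
    # Client certificate and key presented to Vault during the TLS handshake.
    # Assumed fields: present on spec.vault in cert-manager 1.14+; if your CRD
    # lacks them, `kubectl apply` rejects the manifest as an unknown field.
    # For a ClusterIssuer these Secrets must live in the cluster resource
    # namespace (cert-manager by default), like the auth secretRef below.
    clientCertSecretRef:
      name: vault-client-tls   # assumed Secret name (kubectl create secret tls)
      key: tls.crt
    clientKeySecretRef:
      name: vault-client-tls
      key: tls.key
    # Transport mTLS does not replace Vault authentication: the Kubernetes auth
    # login below is still what obtains the Vault token for the PKI role.
    auth:
      kubernetes:
        role: cert-manager-issuer
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: <ISSUER_SECRET_REF>   # placeholder, as in the question
          key: token
```

Create the Secret with `kubectl -n cert-manager create secret tls vault-client-tls --cert=client.crt --key=client.key`, then watch `kubectl describe clusterissuer vault-issuer` for the Ready condition; a TLS handshake failure there (rather than a Vault 403) is the sign that the client certificate, not the Kubernetes auth role, is what Vault is rejecting.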