-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Vault server running with TLS #874
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
commented
Nov 23, 2021
ishustava
commented
Nov 23, 2021
ishustava
requested review from
kschoche,
a team and
t-eckert
and removed request for
a team
November 23, 2021 22:33
kschoche
reviewed
Nov 24, 2021
kschoche
reviewed
Nov 24, 2021
kschoche
reviewed
Nov 24, 2021
kschoche
reviewed
Nov 24, 2021
kschoche
reviewed
Nov 24, 2021
kschoche
reviewed
Nov 24, 2021
t-eckert
approved these changes
Nov 30, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! Apologies for taking so long to get back to you on this review.
kschoche
approved these changes
Dec 1, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing work @ishustava thanks for getting to this!!!!!!!!!!!
ishustava
added a commit
that referenced
this pull request
Dec 2, 2021
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test * Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods: * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key> * Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.
ishustava
added a commit
that referenced
this pull request
Dec 2, 2021
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test * Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods: * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key> * Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.
kschoche
added a commit
that referenced
this pull request
Dec 7, 2021
* Support Vault server running with TLS (#874) * Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test * Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods: * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key> * Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider. * add terminating and ingress gateways TLS support (#894) * Support TLS with vault for the server-acl-init job (#889) * Support TLS with Vault for the sync catalog deployment (#890) * Support server TLS with vault for the client snapshot agent deployment (#891) Co-authored-by: Iryna Shustava <[email protected]> Co-authored-by: Luke Kysow <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
vault.hashicorp.com/agent-extra-secret
with the value of the vault CA secret name. The secret will be mounted to vault agent at/vault/custom
path. See docs herevault.hashicorp.com/ca-cert
- with the path of the ca file inside the vault agent container. This should be/vault/custom/<secret key>
How I've tested this PR:
acceptance tests
How I expect reviewers to test this PR:
👀
Checklist: