• KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
15-Mar-2024

Introducing KubeVault v2024.3.12

author-image
Abdullah Al Shaad

Senior Software Engineer

AppsCode Inc.

Introducing KubeVault v2024.3.12

KubeVault is a Kubernetes operator for HashiCorp Vault . The Vault is a tool for secrets management, encryption as a service, and privileged access management. The KubeVault operator makes it easy to deploy, maintain and manage Vault servers in Kubernetes. It also supports various secret engines’ management, policy management in the Kubernetes native way.

We are very excited to announce the release of KubeVault v2024.3.12 Edition. In this release, the PKI SecretEngine has been added.

In this post, we are going to highlight the major changes. You can find the complete commit by commit changelog here .

PKI SecretEngine

The PKI secrets engine generates dynamic X.509 certificates. With this secret engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault’s built-in authentication and authorization mechanisms provide the verification functionality. First, we need to enable a SecretEngine for PKI which works as a CA, and then we can create different roles with different set of rules using PKIRole. Then Vault will generate credentials for the role when user request for credentials.

Root CA

Lets create a RootCA using PKI Secret Engine. The CA is is self signed.

apiVersion: engine.kubevault.com/v1alpha1
kind: SecretEngine
metadata:
  name: pki-root
  namespace: demo
spec:
  vaultRef:
    name: vault
    namespace: demo
  pki:
    isRootCA: true
    commonName: "kubevault.com"
    ttl: "87600h"
  maxLeaseTTL: "48000h"

Intermediate CA

Now, we are going to create an intermediate CA. It is signed by the root CA we have created before.

apiVersion: engine.kubevault.com/v1alpha1
kind: SecretEngine
metadata:
  name: pki-inter
  namespace: demo
spec:
  vaultRef:
    name: vault
    namespace: demo
  pki:
    isRootCA: false
    parentCARef:
      name: pki-root
      namespace: demo
    commonName: "intermediate.kubevault.com"
    ttl: "87600h"

PKI Role

Lets create a PKIRole which will define rules for certificate creation.

apiVersion: engine.kubevault.com/v1alpha1
kind: PKIRole
metadata:
  name: pki-role
  namespace: demo
spec:
  secretEngineRef:
    name: pki-root
  allowedDomains:
  - "kubevault.com"
  - "kubedb.com"
  allowSubdomains: true
  maxTTL: "720h"

Certificates

Now we can request certificates using SecretAccessRequest

apiVersion: engine.kubevault.com/v1alpha1
kind: SecretAccessRequest
metadata:
  name: pki-cred-rqst
  namespace: demo
spec:
  roleRef:
    kind: PKIRole
    name: pki-role
    namespace: demo
  pki:
    commonName: "test.kubevault.com"
    ttl: "24h"
  subjects:
    - kind: ServiceAccount
      name: demo-sa
      namespace: demo

Upon approval, the certificate will be available through a Kubernetes Secret in demo namespace.

What’s Next?

Please try the latest release and give us your valuable feedback.

  • If you want to install KubeVault, please follow the installation instruction from here .

Support

To speak with us, please leave a message on our website .

To receive product announcements, follow us on Twitter .

If you have found a bug with KubeVault or want to request new features, please file an issue .

TAGS

cli hashicorp kubernetes kubevault kubevault-cli pki secret-management security vault

Get Up and Running Quickly

Deploy, manage, upgrade Kubernetes on any cloud and automate deployment, scaling, and management of containerized applications.

CONTACT US