Requires Helm v3 installed > https://helm.sh/docs/intro/install/
Requires vault > https://www.vaultproject.io/downloads
-
Create OpenShift Project.
# Create the namespace that cert-manager will be installed into (the helm
# release below targets this same namespace).
oc new-project cert-manager
-
Add jetstack helm repository.
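# Register the jetstack chart repository, then refresh the local chart index.
# These must be two separate commands: collapsed onto one line, "helm repo
# update" would be passed as extra arguments to "helm repo add".
helm repo add jetstack https://charts.jetstack.io
helm repo update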
-
Launch the Helm installation
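# Install (or upgrade) cert-manager. The chart version is pinned so the
# deployment is reproducible; installCRDs=true lets the chart manage its own
# CRDs. Each "\" must end its line — a "\ " inside a line only escapes a space.
helm upgrade --install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.5.4 \
  --set installCRDs=true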
-
Test the installation
# Apply the sample resource into the cert-manager namespace to confirm the
# installation is working.
oc apply --namespace=cert-manager --filename=test/test-resource.yaml
-
Configure Helm Repository
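# Register the HashiCorp chart repository, then list the available vault charts.
# Two separate commands — on one line the search would become arguments to
# "helm repo add".
helm repo add hashicorp https://helm.releases.hashicorp.com
helm search repo hashicorp/vault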
-
Install Vault
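# Create the hashicorp namespace and install Vault into it with the standalone
# values file. "oc new-project" switches the current context to the new
# namespace; --namespace makes the target explicit regardless of context.
oc new-project hashicorp
helm install vault hashicorp/vault \
  --namespace hashicorp \
  -f vault/standalone.yaml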
-
Initialize and unseal Vault
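# Initialise the Vault server running in pod vault-0. The output contains the
# unseal key(s) and the initial root token; they are printed exactly once, so
# record them in a secrets store rather than in shell history or this file.
# A single key share with threshold 1 is a convenience for this walkthrough;
# a production seal would split the key across several operators.
oc rsh vault-0 vault operator init -key-shares=1 -key-threshold=1
# Example output (values replaced with placeholders):
#   Unseal Key 1: xxx
#   Initial Root Token: xxx
export KEYS=xxx
# Root token: every process started from this shell inherits it. Use it only
# for bootstrap and revoke it once scoped tokens/policies are in place.
export VAULT_TOKEN=xxx
# Unseal with the key share from the init output. The original note does not
# say whether this runs inside the pod (via oc rsh) or against VAULT_ADDR — confirm.
vault operator unseal "$KEYS"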
-
Enable Kubernetes Auth
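# Enable the Kubernetes auth method so workloads can log in with their
# service-account tokens. The commands read the pod's own SA token and CA
# bundle, so they are presumably run from inside the vault pod — confirm.
JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBERNETES_HOST="https://${KUBERNETES_PORT_443_TCP_ADDR}:443"
# --tls-skip-verify disables verification of the Vault server certificate, so
# the client would accept any certificate presented to it. Acceptable only
# while talking to the local listener during bootstrap; remove it once the
# client trusts the certificate Vault serves.
vault auth enable --tls-skip-verify kubernetes
vault write --tls-skip-verify auth/kubernetes/config \
  token_reviewer_jwt="$JWT" \
  kubernetes_host="$KUBERNETES_HOST" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt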
-
Setup PKI engine for each environment
Vault must be unsealed before running these steps.
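# Point the Vault CLI at the externally exposed route, then run the PKI setup
# script for one environment (PROJECT) under the cluster's wildcard domain.
# Assignment and export are split so a failing "oc get route" is not masked.
VAULT_ADDR="https://$(oc get route vault --no-headers -o custom-columns=HOST:.spec.host -n hashicorp)"
export VAULT_ADDR
# Placeholder for the token used to configure PKI; a token scoped to the PKI
# paths is preferable to the root token here.
export VAULT_TOKEN=xxx
# Cluster-specific values — adjust for the target cluster/environment.
export WILDCARD=apps.cluster-7bcd.7bcd.sandbox334.opentlc.com
export PROJECT=app-dev
sh vault/pki/setup.sh "${PROJECT}" "${WILDCARD}"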
-
Configure SA issuer on the target project.
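# Install the issuer chart into the target project; the release name and the
# namespace both use ${PROJECT}. Fail early with a message if PROJECT is unset
# instead of passing an empty release name to helm.
: "${PROJECT:?set PROJECT to the target project first}"
helm upgrade --install "${PROJECT}" vault/issuer -n "${PROJECT}"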
-
Install Issuer
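# Re-run the same release with issuer.create=true so the chart now also
# creates the Issuer object. Fail early if PROJECT is unset.
: "${PROJECT:?set PROJECT to the target project first}"
helm upgrade --install "${PROJECT}" vault/issuer -n "${PROJECT}" \
  --set issuer.create=true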
-
Verify Dummy Certificate Secret is created
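# Confirm the issuer works end to end: the dummy certificate's Secret must
# exist in the project namespace. Fail early if PROJECT is unset.
: "${PROJECT:?set PROJECT to the target project first}"
oc get secret "${PROJECT}-issuer-dummy-cert" -n "${PROJECT}"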