Vault PKI configuration

This page contains an example configuration of Vault Public Key Infrastructure (PKI).

Vault server is not a part of Universe.

You can install and configure a Vault server by following the official documentation.

If you are going to use an existing Vault server, you need permissions on that server to initialize the PKI (Public Key Infrastructure) secrets engine and to create AppRoles for Universe components.

```shell
export VAULT_ADDR=<your_vault_server_address>
vault login
```


```shell
vault auth enable approle
```


```shell
# create PKI
vault secrets enable -description "universe PKI" --path=pki_universe --max-lease-ttl=87600h pki

# generate CA for PKI
vault write pki_universe/root/generate/internal ttl=87600h

# create local role
vault write pki_universe/roles/local allowed_domains=local allow_subdomains=true max_ttl=720h

# create policy which allows cert issue
cat << 'EOF' | vault policy write pki_universe_local_issue -
path "pki_universe/issue/local" {
  capabilities = ["create", "update"]
}
EOF
```


```shell
vault write -format=json pki_universe/issue/local common_name=cloud-admin.local ttl=87600h
```


Note

This command prints JSON with the certificates to STDOUT. Copy this output and save it to a file (for example, ~/universe-grpc-workspace/api_gw_certs.json) on the host from which you plan to use the GRPC API manually. The Manual GRPC API usage document contains detailed instructions on how to use these certificates to access the GRPC API.

```shell
vault write auth/approle/role/api-gateway token_policies=pki_universe_local_issue
vault read -field=role_id auth/approle/role/api-gateway/role-id
vault write -force -field=secret_id auth/approle/role/api-gateway/secret-id
```


Note

Write down the role_id and secret_id; you will need them later.

```shell
# replace tenant1 in all commands to generate a role for a different tenant
vault write auth/approle/role/tenant1 token_policies=pki_universe_local_issue
vault read -field=role_id auth/approle/role/tenant1/role-id
vault write -force -field=secret_id auth/approle/role/tenant1/secret-id
```


Note

Write down the role_id and secret_id; you will need them later.
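The api-gateway and tenant AppRoles created above are consumed programmatically: a component exchanges its role_id/secret_id pair for a token and then asks pki_universe/issue/local for a certificate. The following Python client is an added example, not part of the Universe documentation or of Vault itself; it uses only Vault's public HTTP API (auth/approle/login and the PKI issue path), and the Vault address, role_id, secret_id, common name and output directory are assumed inputs supplied by the caller.

```python
import json
import os
import urllib.request

# Mirrors the "local" PKI role defined above (allowed_domains=local,
# allow_subdomains=true) so a bad common name fails before Vault is called.
def cn_allowed(common_name, allowed_domains=("local",), allow_subdomains=True):
    labels = common_name.lower().rstrip(".").split(".")
    for domain in allowed_domains:
        suffix = domain.lower().split(".")
        if labels == suffix:
            return False  # a bare "local" would need allow_bare_domains, which the role does not set
        if allow_subdomains and len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
            return True
    return False

def _vault_post(addr, path, body, token=None):
    """POST to the Vault HTTP API (v1) and return the decoded JSON response."""
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def approle_login(addr, role_id, secret_id):
    """Exchange role_id/secret_id for a client token that carries token_policies=pki_universe_local_issue."""
    resp = _vault_post(addr, "auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    return resp["auth"]["client_token"]

def issue_cert(addr, token, common_name, ttl="720h"):
    """Request a certificate from pki_universe/issue/local, the only path the policy grants."""
    if not cn_allowed(common_name):
        raise ValueError(f"{common_name} is not permitted by PKI role 'local'")
    return _vault_post(addr, "pki_universe/issue/local", {"common_name": common_name, "ttl": ttl}, token)

def pem_bundle(issue_response):
    """Map Vault's issue response (same layout as api_gw_certs.json) to PEM file contents."""
    data = issue_response["data"]
    fields = {"cert.pem": "certificate", "key.pem": "private_key", "ca.pem": "issuing_ca"}
    return {name: data[field].rstrip("\n") + "\n" for name, field in fields.items()}

def write_pem_files(issue_response, out_dir):
    """Write cert/key/CA with mode 0600 so the private key is never world-readable."""
    os.makedirs(out_dir, exist_ok=True)
    for name, pem in pem_bundle(issue_response).items():
        fd = os.open(os.path.join(out_dir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
```

A component would call `approle_login(VAULT_ADDR, role_id, secret_id)`, pass the token to `issue_cert(...)` with its own `*.local` name, and hand the response to `write_pem_files(...)`; the role's max_ttl=720h caps whatever `ttl` is requested.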

© Copyright 2023, NVIDIA. Last updated on Feb 7, 2024.