Vault PKI configuration
This page contains an example configuration of Vault Public Key Infrastructure (PKI).
The Vault server is not a part of Universe.
You can install and configure a Vault server by following the official documentation.
If you are going to use an existing Vault server, you need permissions on that server to initialize PKI (Public Key Infrastructure) and to create AppRoles for Universe components.
export VAULT_ADDR=<your_vault_server_address>
vault login
vault auth enable approle

# create the PKI secrets engine
vault secrets enable -description "universe PKI" -path=pki_universe -max-lease-ttl=87600h pki

# generate an internal root CA for the PKI (common_name is required; the CA private key never leaves Vault)
vault write pki_universe/root/generate/internal common_name=<your_ca_common_name> ttl=87600h

# create the "local" role: certificates can only be issued for names under .local, for at most 720h
vault write pki_universe/roles/local allowed_domains=local allow_subdomains=true max_ttl=720h

# create a policy which allows certificate issuance through the "local" role only
cat << 'EOF' | vault policy write pki_universe_local_issue -
path "pki_universe/issue/local" {
  capabilities = ["create", "update"]
}
EOF

# issue the API gateway certificate (the role's max_ttl caps the requested ttl)
vault write -format=json pki_universe/issue/local common_name=cloud-admin.local ttl=87600h
This command prints JSON with the certificates to STDOUT. The JSON also contains the private key, so restrict access to wherever you store it.
Copy this output and save it to a file (for example, ~/universe-grpc-workspace/api_gw_certs.json) on the host from which you plan to use the GRPC API manually.
The Manual GRPC API usage document contains detailed instructions on how to use these certificates to access the GRPC API.
# create an AppRole for the API gateway, bound to the issue policy
vault write auth/approle/role/api-gateway token_policies=pki_universe_local_issue
vault read -field=role_id auth/approle/role/api-gateway/role-id
vault write -force -field=secret_id auth/approle/role/api-gateway/secret-id
Write down the role_id and secret_id; you will need them later.
# create an AppRole for a tenant; replace tenant1 in all commands to generate a role for a different tenant
vault write auth/approle/role/tenant1 token_policies=pki_universe_local_issue
vault read -field=role_id auth/approle/role/tenant1/role-id
vault write -force -field=secret_id auth/approle/role/tenant1/secret-id
Write down the role_id and secret_id; you will need them later.
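The AppRole login and certificate issuance described above, driven through Vault's HTTP API instead of the CLI, together with a helper that turns a saved api_gw_certs.json into PEM files. This is an added example, not code from Universe or its documentation; the output file names (cert.pem, key.pem, ca.pem), the sample JSON and the helper names are assumptions, while the mount, role and policy names come from the page.

```python
import json
import os
import urllib.request

# Constructed sample of `vault write -format=json pki_universe/issue/local` output (PEM shortened).
SAMPLE_ISSUE_OUTPUT = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----",
}}

def vault_post(addr, path, payload, token=None):
    """POST a JSON payload to the Vault HTTP API and return the parsed response."""
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(payload).encode(),
                                 method="POST", headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def approle_login(addr, role_id, secret_id):
    """Exchange the role_id/secret_id written down earlier for a Vault client token."""
    body = vault_post(addr, "auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    return body["auth"]["client_token"]

def issue_cert(addr, token, common_name, ttl="720h"):
    """Request a cert from the local role; the CN must be under .local and ttl <= max_ttl (720h)."""
    return vault_post(addr, "pki_universe/issue/local",
                      {"common_name": common_name, "ttl": ttl}, token)

def split_issue_output(issue_json):
    """Map an issue response (CLI -format=json or HTTP API form) onto PEM file contents."""
    d = issue_json["data"]
    chain = d.get("ca_chain") or [d["issuing_ca"]]  # fall back to issuing_ca if ca_chain is absent
    return {"cert.pem": d["certificate"] + "\n", "key.pem": d["private_key"] + "\n",
            "ca.pem": "\n".join(chain) + "\n"}

def write_pem_files(files, out_dir):
    """Write the PEM files into out_dir; only the private key is made owner-only (0600)."""
    os.makedirs(out_dir, exist_ok=True)
    for name, content in files.items():
        path = os.path.join(out_dir, name)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, 0o600 if name == "key.pem" else 0o644)
    return sorted(files)

if __name__ == "__main__":  # offline demo on the constructed sample; real use: approle_login + issue_cert
    print(write_pem_files(split_issue_output(SAMPLE_ISSUE_OUTPUT), "universe-grpc-workspace"))
```

To use it against a live server, call approle_login with the role_id and secret_id from the AppRole steps, pass the returned token to issue_cert, and feed the result to split_issue_output.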