Description
Is your feature request related to a problem? Please describe.
At present, the cluster uses a self-signed root certificate intended for bootstrapping / testing:
https://cert-manager.io/docs/configuration/selfsigned/
> ⚠️ SelfSigned issuers are generally useful for bootstrapping a PKI locally, which is a complex topic for advanced users. To be used safely in production, running a PKI introduces complex planning requirements around rotation, trust store distribution and disaster recovery.
A working cluster needs good secret management. Vault offers a centralised secret management service which handles secret rotation allowing secrets to be ephemeral, as well as providing other cryptographic APIs.
Describe the solution you'd like
See:
- https://cert-manager.io/docs/configuration/vault/
- https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-cert-manager
Describe alternatives you've considered
cert-manager can be configured with a variety of Issuers:
https://cert-manager.io/docs/configuration/
We may also consider having a Vault service run outside the cluster, or even a second instance for HA / disaster recovery.
Vault seems to be the most secure way of issuing / managing certificates on a local network not exposed to the internet.
Additional context
These third-party guides may be useful / provide additional context:
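As an added example of what the Vault issuer wiring described under "Describe the solution you'd like" looks like on the cert-manager side (this is illustrative configuration, not part of this issue or of the project's manifests), the following assumes cert-manager 1.12 or later (for `serviceAccountRef`), a Vault service reachable in-cluster at `https://vault.vault.svc:8200`, an intermediate PKI secrets engine mounted at `pki_int` with a role named `cluster-services`, a Vault Kubernetes auth role named `cert-manager`, and a Secret `vault-ca` holding Vault's TLS CA. All of those names and addresses are assumptions to be replaced with the cluster's own values:

```yaml
# ClusterIssuer that delegates signing to Vault's PKI engine.
# cert-manager authenticates to Vault with a short-lived, audience-bound
# token for the service account below (assumed name: cert-manager-vault)
# instead of a long-lived Vault token stored in a Secret.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    server: https://vault.vault.svc:8200          # assumed in-cluster Vault address
    path: pki_int/sign/cluster-services           # assumed PKI mount and role
    caBundleSecretRef:                            # Vault's TLS CA, so the issuer verifies Vault
      name: vault-ca                              # assumed Secret in cert-manager's namespace
      key: ca.crt
    auth:
      kubernetes:
        role: cert-manager                        # assumed Vault auth role bound to this SA
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager-vault
---
# Service account whose token cert-manager presents to Vault.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-vault
  namespace: cert-manager
---
# cert-manager must be allowed to mint tokens for that service account.
# Scoped with resourceNames so it cannot request tokens for any other SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-vault-token
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["cert-manager-vault"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-vault-token
  namespace: cert-manager
subjects:
  - kind: ServiceAccount
    name: cert-manager                            # cert-manager's own controller SA
    namespace: cert-manager
roleRef:
  kind: Role
  name: cert-manager-vault-token
  apiGroup: rbac.authorization.k8s.io
---
# A workload certificate issued through Vault. Short duration and
# rotationPolicy: Always make the leaf cert and its key ephemeral, which is
# the property the issue asks for; Vault's role max_ttl must permit 24h.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app-tls                           # assumed workload name
  namespace: default
spec:
  secretName: example-app-tls
  duration: 24h
  renewBefore: 8h
  commonName: example-app.default.svc
  dnsNames:
    - example-app.default.svc
    - example-app.default.svc.cluster.local
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                        # new key on every renewal
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
```

On the Vault side this needs, correspondingly, a policy granting `update` on `pki_int/sign/cluster-services`, a Kubernetes auth role `cert-manager` bound to service account `cert-manager-vault` in namespace `cert-manager` with that policy, and a PKI role `cluster-services` whose `allowed_domains` / `allow_subdomains` settings are tight enough that cert-manager can only obtain names for in-cluster services. Check the result with `kubectl describe certificate example-app-tls` (the `Ready` condition) and confirm the issued chain ends at the Vault intermediate rather than the old self-signed root.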