Improve Hashicorp Vault documentation on CA certificates. (#2988)
* Improve Hashicorp Vault documentation on CA certificates.
Hashicorp Vault component documentation for CA related fields
(`caPem`, `caCert` and `caPath`) does not describe the precedence
among those flags and is a bit ambiguous on what those flags mean.
This PR tries to alleviate that.
Closes #2989
Signed-off-by: Tiago Alves Macambira <[email protected]>
* Apply suggestions from code review
Co-authored-by: Hannah Hunter <[email protected]>
Signed-off-by: Tiago Alves Macambira <[email protected]>
Signed-off-by: Tiago Alves Macambira <[email protected]>
Co-authored-by: Hannah Hunter <[email protected]>
Co-authored-by: Mark Fussell <[email protected]>
| vaultAddr | N | The address of the Vault server. Defaults to `"https://127.0.0.1:8200"` | `"https://127.0.0.1:8200"` |
57
-
| caCert | N | Certificate Authority use only one of the options. The encoded cacerts to use | `"cacerts"` |
58
-
| caPath | N | Certificate Authority use only one of the options. The path to a CA cert file | `"path/to/cacert/file"` |
59
-
| caPem | N | Certificate Authority use only one of the options. The encoded cacert pem to use | `"encodedpem"` |
57
+
| caPem | N | The inlined contents of the CA certificate to use, in PEM format. If defined, takes precedence over `caPath` and `caCert`. | See below |
58
+
| caPath | N | The path to a folder holding the CA certificate file to use, in PEM format. If the folder contains multiple files, only the first file found will be used. If defined, takes precedence over `caCert`. | `"path/to/cacert/holding/folder"` |
59
+
| caCert | N | The path to the CA certificate to use, in PEM format. | `""path/to/cacert.pem"` |
60
60
| skipVerify | N | Skip TLS verification. Defaults to `"false"` | `"true"`, `"false"` |
61
-
| tlsServerName | N | TLS config server name | `"tls-server"` |
61
+
| tlsServerName | N | The name of the server requested during TLS handshake in order to support virtual hosting. This value is also used to verify the TLS certificate presented by Vault server. | `"tls-server"` |
62
62
| vaultTokenMountPath | Y | Path to file containing token | `"path/to/file"` |
63
63
| vaultToken | Y | [Token](https://learn.hashicorp.com/tutorials/vault/tokens) for authentication within Vault. | `"tokenValue"` |
64
64
| vaultKVPrefix | N | The prefix in vault. Defaults to `"dapr"` | `"dapr"`, `"myprefix"` |
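Review bot: the example column of the new `caCert` row has a doubled opening quote (`""path/to/cacert.pem"`); it should read `"path/to/cacert.pem"` like the other rows. Two smaller points on the same hunk: the `caPath` description says only the first file found in the folder is used, so it is worth telling readers to keep exactly one certificate file there, since a second file would be silently ignored and the operator would not know which CA is actually trusted; and since `caPem` now documents that it overrides `caPath` and `caCert`, it would help to state that the lower-precedence fields are ignored without error when a higher one is set, so misconfigurations are not mistaken for working setups.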
Notice that the name of the secret (`mysecret`) is not repeated in the result.
112
+
Notice that the name of the secret (`mysecret`) is not repeated in the result.
113
113
114
114
115
+
## TLS Server verification
116
+
117
+
The fields `skipVerify`, `tlsServerName`, `caCert`, `caPath`, and `caPem` control if and how Dapr verifies the vault server's certificate while connecting using TLS/HTTPS.
118
+
119
+
### Inline CA PEM caPem
120
+
121
+
The `caPem` field value should be the contents of the PEM CA certificate you want to use. Given PEM certificates are made of multiple lines, defining that value might seem challenging at first. YAML allows for a few ways of [defining a multiline values](https://yaml-multiline.info/).
122
+
123
+
Below is one way to define a `caPem` field.
124
+
125
+
```yaml
126
+
apiVersion: dapr.io/v1alpha1
127
+
kind: Component
128
+
metadata:
129
+
name: vault
130
+
spec:
131
+
type: secretstores.hashicorp.vault
132
+
version: v1
133
+
metadata:
134
+
- name: vaultAddr
135
+
value: https://127.0.0.1:8200
136
+
- name: caPem
137
+
value: |-
138
+
-----BEGIN CERTIFICATE-----
139
+
<< the rest of your PEM file content's here, indented appropriately. >>
140
+
-----END CERTIFICATE-----
141
+
```
142
+
115
143
## Related links
116
144
- [Secrets building block]({{< ref secrets >}})
117
145
- [How-To: Retrieve a secret]({{< ref "howto-secrets.md" >}})
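Review bot: the new "TLS Server verification" section opens by naming all five fields (`skipVerify`, `tlsServerName`, `caCert`, `caPath`, `caPem`) but only `caPem` gets a subsection; at minimum `skipVerify` deserves a sentence noting that `"true"` disables verification of the Vault server certificate entirely, so the CA fields have no effect in that case and the setting should be reserved for local development. In the `caPem` example, the PEM lines under `value: |-` must be indented deeper than `value:` for the block scalar to parse; the rendered diff has lost indentation, so please double-check it in the source. Minor wording: "defining a multiline values" should be "defining multiline values", "PEM file content's here" should be "PEM file contents here", and the heading would read better as "### Inline CA PEM (`caPem`)".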