Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUTDOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

isolated-issuer Signers Configuration

Signers can be configured to use one of the following backends:

  • a file,
  • an in-memory data store,
  • HashiCorp Vault.

File

The File signer takes the file path locations of the CA certificate and private key that are used for signing.

...
signer:
  file:
    # file path location to store the PEM encoded intermediate private key
    privateKeyFile: key.pem
    # file path location to store the PEM encoded intermediate CA certificate
    certificateFile: crt.pem

In Memory

The in-memory signer configures isolated-issuer to hold the intermediate CA certificate and private key entirely in memory. Note that in-memory storage is volatile: the certificate and key are lost when isolated-issuer exits.

...
signer:
  inMemory: true

Vault

Vault can sign certificates through the PKI secrets engine.

It's important to note that Vault doesn't allow the export of CA private keys except at the moment an issuing certificate is generated. As such, once a bootstrapped CA is stored in Vault it cannot be retrieved later, and isolated-issuer doesn't retain the private key locally.

All signing happens entirely within Vault, using the sign-verbatim API.

The Vault signer writes intermediate CA certificates to the signerPath location. Any CA located at signerPath will be overwritten when issuance is required, regardless of whether or not the location is empty.

Similar to Vault bootstrapping, a PKI path must already be enabled in order for isolated-issuer to sign using Vault. For example, using the Vault CLI:

export SIGNER_PATH="mysigner"
# 1. Create the path in Vault
vault secrets enable -path=$SIGNER_PATH pki
# 2. Set the max duration of issued certs under this path
vault secrets tune -max-lease-ttl=24h $SIGNER_PATH

To run a local development server for testing, use:

vault server -dev -dev-root-token-id="abc"

Finally, configure isolated-issuer to sign using Vault:

signer:
  vault:
    signerPath: mysigner
    instance:
      url: http://127.0.0.1:8200
      apiToken: "abc"
      # namespace: "mynamespace" # optional, set the Vault namespace

Vault Permissions

Signing using Vault requires access to the following endpoints for the configured signerPath:

  • GET signerPath/cert/ca: Checking for an already-existing signing CA
  • POST signerPath/config/ca: Writing a freshly bootstrapped CA
  • POST signerPath/sign-verbatim: Signing CSRs using the configured CA

See Vault Permissions for a complete guide to creating an isolated-issuer policy in Vault and then generating tokens to pass to isolated-issuer.
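A least-privilege Vault policy covering exactly the three endpoints listed above, as an added example that is not part of the isolated-issuer documentation or project. It assumes the PKI engine was enabled at the signer path mysigner from the earlier configuration; Vault maps the GET endpoint to the read capability and the POST endpoints to create/update.

```hcl
# Added example: least-privilege policy for the token passed to isolated-issuer.
# Assumes the signer path "mysigner" (SIGNER_PATH above); adjust for your path.

# GET mysigner/cert/ca: check whether a signing CA already exists
path "mysigner/cert/ca" {
  capabilities = ["read"]
}

# POST mysigner/config/ca: write a freshly bootstrapped CA
path "mysigner/config/ca" {
  capabilities = ["create", "update"]
}

# POST mysigner/sign-verbatim: sign CSRs using the CA held in Vault
path "mysigner/sign-verbatim" {
  capabilities = ["create", "update"]
}
```

Register it with vault policy write isolated-issuer isolated-issuer.hcl and mint a token bound to it with vault token create -policy=isolated-issuer; that token, rather than the dev root token "abc", is what belongs in apiToken.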
