Docs for using Hashicorp Vault CA with Istio: https://istio.io/docs/tasks/security/vault-ca/
In those docs, it explains how to configure Istio, but assumes that you already have Vault running and properly configured to work as a CA. For example, it says that the Node agent authenticates to Vault using the service account, which implies that the Kubernetes auth method has already been configured.
It also assumes the Vault server has a PKI backend mounted, so that istio_ca/sign/istio-pki-role is a working path. And that the Node Agent service account has the proper Vault permissions to get a CSR signed.
Does anyone have docs or a Terraform script or something to configure Vault with all those requirements? With some work I could reverse-engineer them. But I think it would make that security task way easier to follow if it gave some guidance on configuring Vault to work with the assumptions made.
I’d be happy to help update the docs with that information if someone has it handy.
Thanks in advance!
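What a minimal Vault setup covering those three assumptions (PKI mount and role behind istio_ca/sign/istio-pki-role, a sign-only policy, and the Kubernetes auth method bound to the Node Agent's service account) might look like, as an added Terraform example for the HashiCorp Vault provider; it is not from the original post or the Istio docs. The service account name and namespace, the Kubernetes API host, and the CA certificate and token-reviewer JWT file paths are placeholders to replace.

```hcl
# Added example (not from the original post or the Istio docs); placeholders are marked.
resource "vault_mount" "istio_ca" {
  path                  = "istio_ca"
  type                  = "pki"
  max_lease_ttl_seconds = 315360000 # 10 years, bounds every cert on this mount
}
# Self-signed root generated inside Vault; the key never leaves the server.
resource "vault_pki_secret_backend_root_cert" "istio_root" {
  backend     = vault_mount.istio_ca.path
  type        = "internal"
  common_name = "Istio CA"
  ttl         = "87600h"
}
# Backs the path istio_ca/sign/istio-pki-role used by the Node Agent.
resource "vault_pki_secret_backend_role" "istio_pki_role" {
  backend        = vault_mount.istio_ca.path
  name           = "istio-pki-role"
  allow_any_name = true # permissive; narrow to the SPIFFE names Istio actually issues
  ttl            = "1h"
  max_ttl        = "24h"
}

# Least privilege: the Node Agent may only submit CSRs to the sign endpoint.
resource "vault_policy" "istio_nodeagent" {
  name   = "istio-nodeagent"
  policy = <<-EOT
    path "istio_ca/sign/istio-pki-role" {
      capabilities = ["update"]
    }
  EOT
}

# Kubernetes auth method: the Node Agent logs in with its service account token.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "cluster" {
  backend            = vault_auth_backend.kubernetes.path
  kubernetes_host    = "https://KUBE_API_HOST:443" # placeholder
  kubernetes_ca_cert = file("k8s-ca.crt")           # placeholder
  token_reviewer_jwt = file("token-reviewer.jwt")   # placeholder
}
# Bind the Vault policy to the Node Agent's service account only.
resource "vault_kubernetes_auth_backend_role" "istio_nodeagent" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "istio-nodeagent"
  bound_service_account_names      = ["istio-nodeagent"] # assumed SA name
  bound_service_account_namespaces = ["istio-system"]    # assumed namespace
  token_policies                   = [vault_policy.istio_nodeagent.name]
}
```

After `terraform apply`, a login with the bound service account token should be able to write to istio_ca/sign/istio-pki-role and nothing else on the mount, which is a quick way to confirm the policy is as tight as intended.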