Instructions for configuring Vault for CA integration

Docs for using Hashicorp Vault CA with Istio: https://istio.io/docs/tasks/security/vault-ca/

In those docs, it explains how to configure Istio, but assumes that you already have Vault running and properly configured to work as a CA. For example, it says that the Node agent authenticates to Vault using the service account, which implies that the Kubernetes auth method has already been configured.

It also assumes the Vault server has a PKI backend mounted, so that istio_ca/sign/istio-pki-role is a working path. And that the Node Agent service account has the proper vault permissions to get a CSR signed.

Does anyone have docs or a Terraform script or something to configure Vault with all those requirements? With some work I could reverse-engineer them. But I think it would make that security task way easier to follow if it gave some guidance on configuring Vault to work with the assumptions made.

I’d be happy to help update the docs with that information if someone has it handy.

Thanks in advance!

Hi Jon,
Thank you for your feedback! I will create a PR on https://github.com/istio/istio.io to provide more guidance on configuring Vault. I will post the link to the PR in this thread after the PR is created. Thanks!

Great, thanks. I’ve got some Terraform code that I think is close to working. Once I confirm it works I’ll share it in a gist.

I have created a PR (https://github.com/istio/istio.io/pull/4432) to provide more guidance on configuring a Vault server.

@jonmoter could you share your terraform gist with me please? I am trying to use Vault and wanted to have a script that does the config for me.
Thanks a lot,
Simone