Using HashiCorp Vault as Ingress TLS Certificate Issuer in TAP

Tanzu Application Platform (TAP) uses Contour HTTPProxy resources to expose several web components externally via ingress. Some of these components include the API Auto Registration, API Portal, Application Live View, Metadata Store, and TAP GUI. Web workloads deployed through TAP also leverage the same method for their ingress resources. For example:

$ kubectl get httpproxy -A

NAMESPACE               NAME                                                              FQDN                                                     TLS SECRET                                               STATUS   STATUS DESCRIPTION
api-auto-registration   api-auto-registration-controller                                  api-auto-registration.tap.cloudnativeapps.cloud          api-auto-registration-cert                               valid    Valid HTTPProxy
api-portal              api-portal                                                        api-portal.tap.cloudnativeapps.cloud                     api-portal-tls-cert                                      valid    Valid HTTPProxy
app-live-view           appliveview                                                       appliveview.tap.cloudnativeapps.cloud                    appliveview-cert                                         valid    Valid HTTPProxy
metadata-store          amr-cloudevent-handler-ingress                                    amr-cloudevent-handler.tap.cloudnativeapps.cloud         amr-cloudevent-handler-ingress-cert                      valid    Valid HTTPProxy
metadata-store          amr-graphql-ingress                                               amr-graphql.tap.cloudnativeapps.cloud                    amr-ingress-cert                                         valid    Valid HTTPProxy
metadata-store          metadata-store-ingress                                            metadata-store.tap.cloudnativeapps.cloud                 ingress-cert                                             valid    Valid HTTPProxy
tap-demo-01             spring-petclinic-contour-76691bbb1936a7b010ca900ce58a3f57spring   spring-petclinic.tap-demo-01.svc.cluster.local                                                                    valid    Valid HTTPProxy
tap-demo-01             spring-petclinic-contour-88f827fbdc09abbb4ee2b887bba100edspring   spring-petclinic.tap-demo-01.tap.cloudnativeapps.cloud   tap-demo-01/route-a4b7b2c7-0a56-48b9-ad26-6b0e06ca1925   valid    Valid HTTPProxy
tap-demo-01             spring-petclinic-contour-spring-petclinic.tap-demo-01             spring-petclinic.tap-demo-01                                                                                      valid    Valid HTTPProxy
tap-demo-01             spring-petclinic-contour-spring-petclinic.tap-demo-01.svc         spring-petclinic.tap-demo-01.svc                                                                                  valid    Valid HTTPProxy
tap-gui                 tap-gui                                                           tap-gui.tap.cloudnativeapps.cloud                        tap-gui-cert                                             valid    Valid HTTPProxy

TAP uses a shared ingress issuer as a centralized certificate authority representation, providing a method to set up TLS for the entire platform. All participating components get their ingress certificates issued by it. This is the recommended best practice for issuing ingress certificates on the platform.

The TAP components inherit the ingress issuer from the shared.ingress_issuer parameter in the tap-values.yaml file, the configuration file of the TAP package. The shared.ingress_issuer parameter refers to the Cert-Manager ClusterIssuer resource.

By default, a self-signed issuer called tap-ingress-selfsigned is used.

$ kubectl get clusterissuer

NAME                                 READY   AGE
knative-internal-encryption-issuer   True    23m
selfsigned-cluster-issuer            True    23m
tap-ingress-selfsigned               True    28m
tap-ingress-selfsigned-bootstrap     True    28m

When you access the TAP GUI, for example, while the self-signed issuer is in use, the browser does not establish a trusted connection, because your machine does not trust the issuing CA and therefore rejects the certificate it receives.


Because the default issuer is self-signed, it has limitations and is not recommended for production use (it is acceptable for testing and evaluation), so you are strongly advised to replace it with your own issuer.

To use your own CA as the TAP ingress issuer, the CA must be representable as a Cert-Manager ClusterIssuer. In other words, you need your own CA, and Cert-Manager must support it as an external ClusterIssuer. Common examples of such integrations include HashiCorp Vault and Let's Encrypt.

In a previous post, I published a comprehensive step-by-step guide for the implementation of HashiCorp Vault as an intermediate CA under a Microsoft-based Root CA and covered the integration with Kubernetes Cert-Manager in depth. If you follow this guide, you can set the shared.ingress_issuer to a Vault-based ClusterIssuer. For example:

shared:
  ingress_domain: tap.cloudnativeapps.cloud
  ingress_issuer: vault-cluster-issuer
...

That way, you will be able to dynamically consume trusted certificates from your CA through Vault for your TAP environment and ensure all components use a trusted CA for TLS.
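As an added example (not code from this post, from TAP or from cert-manager), the following Python script checks the relationship described above from the defender's side: it parses the fixed-width output of kubectl get httpproxy -A to list routes that are exposed without a TLS secret, and it checks cert-manager Certificate resources (the JSON returned by kubectl get certificate -A -o json) against the ClusterIssuer named in shared.ingress_issuer, flagging any that still reference the default tap-ingress-selfsigned issuer. Both inputs are constructed inline; the issuer name vault-cluster-issuer, the domain tap.example.com, the namespaces and the secret names are sample values.

```python
"""Audit TAP ingress TLS against the shared ingress issuer.

Added example, not code from the post, TAP or cert-manager. The inputs below
are constructed to mimic `kubectl get httpproxy -A` (text) and
`kubectl get certificate -A -o json` (cert-manager Certificates); the issuer
name, domain, namespaces and secret names are sample values.
"""
import re

# Value of shared.ingress_issuer in tap-values.yaml (assumed for this example).
EXPECTED_ISSUER = "vault-cluster-issuer"

# kubectl pads every column except the last to a fixed width; these widths
# are chosen for the sample rows below.
_WIDTHS = (15, 16, 40, 26, 9)


def _row(*cells):
    """Render one line in kubectl's space-padded fixed-width layout."""
    padded = "".join(f"{c:<{w}}" for c, w in zip(cells, _WIDTHS))
    return padded + cells[-1]


# Constructed sample of `kubectl get httpproxy -A` (four HTTPProxies).
HTTPPROXY_OUTPUT = "\n".join([
    _row("NAMESPACE", "NAME", "FQDN", "TLS SECRET", "STATUS", "STATUS DESCRIPTION"),
    _row("api-portal", "api-portal", "api-portal.tap.example.com",
         "api-portal-tls-cert", "valid", "Valid HTTPProxy"),
    _row("tap-gui", "tap-gui", "tap-gui.tap.example.com",
         "tap-gui-cert", "valid", "Valid HTTPProxy"),
    # cluster-local route of a web workload: no TLS secret at all
    _row("tap-demo-01", "petclinic-svc", "petclinic.tap-demo-01.svc",
         "", "valid", "Valid HTTPProxy"),
    _row("tap-demo-01", "petclinic-ext", "petclinic.tap-demo-01.tap.example.com",
         "tap-demo-01/route-a4b7", "valid", "Valid HTTPProxy"),
])

# Constructed sample of `kubectl get certificate -A -o json`, reduced to the
# fields the audit needs. tap-gui still points at the default self-signed issuer.
CERTIFICATES = {
    "items": [
        {"metadata": {"namespace": "api-portal", "name": "api-portal-tls-cert"},
         "spec": {"secretName": "api-portal-tls-cert",
                  "issuerRef": {"name": "vault-cluster-issuer",
                                "kind": "ClusterIssuer", "group": "cert-manager.io"}}},
        {"metadata": {"namespace": "tap-gui", "name": "tap-gui-cert"},
         "spec": {"secretName": "tap-gui-cert",
                  "issuerRef": {"name": "tap-ingress-selfsigned",
                                "kind": "ClusterIssuer", "group": "cert-manager.io"}}},
    ]
}


def parse_kubectl_table(text):
    """Parse space-padded kubectl output into one dict per row, keyed by header.

    Column boundaries are taken from the header line: a label may contain a
    single space ("TLS SECRET"), columns are separated by two or more spaces,
    and a cell may be empty, so splitting rows on whitespace would shift fields.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, *rows = lines
    labels = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    starts = [start for _, start in labels] + [None]   # None = to end of line
    parsed = []
    for ln in rows:
        record = {}
        for (label, _), start, end in zip(labels, starts, starts[1:]):
            record[label] = ln[start:end].strip()
        parsed.append(record)
    return parsed


def routes_without_tls(rows):
    """FQDNs of HTTPProxies that carry no TLS secret, i.e. are served in plaintext."""
    return [r["FQDN"] for r in rows if not r["TLS SECRET"]]


def certificates_not_from_issuer(certs, issuer=EXPECTED_ISSUER):
    """namespace/name of Certificates whose issuerRef is not the shared ClusterIssuer.

    issuerRef.kind defaults to Issuer when omitted, so a missing kind is also
    flagged. A lingering reference to tap-ingress-selfsigned is what a component
    that was not reconciled after tap-values.yaml changed looks like.
    """
    offenders = []
    for item in certs["items"]:
        ref = item["spec"].get("issuerRef", {})
        if ref.get("kind") != "ClusterIssuer" or ref.get("name") != issuer:
            meta = item["metadata"]
            offenders.append(f'{meta["namespace"]}/{meta["name"]}')
    return offenders


if __name__ == "__main__":
    rows = parse_kubectl_table(HTTPPROXY_OUTPUT)
    print("routes without TLS:", routes_without_tls(rows))
    print("certificates not issued by", EXPECTED_ISSUER + ":",
          certificates_not_from_issuer(CERTIFICATES))
```

Against a live cluster, replace the two constants with the captured output of the kubectl commands. A non-empty result from certificates_not_from_issuer after switching shared.ingress_issuer means a component's Certificate has not been reconciled to the new ClusterIssuer, and any FQDN listed by routes_without_tls is reachable without TLS and deserves a second look before it is exposed beyond the cluster.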
