Custom Certificate Authority for database/Kafka access

Vault uses client-side verification when interacting with the database and/or Kafka (i.e. not mutual TLS); this means the server certificate used by the database/Kafka must be trusted by Vault. If your database and/or Kafka cluster uses a self-signed certificate, you will need to provide the Certificate Authority (CA) that signed the database and/or Kafka server certificate(s), so that Vault can add it to its trust chain.
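The trust decision described above, as an added example that is not Vault's own code nor part of this product's CA injector: a Go program builds a constructed private CA and a server certificate signed by it, then verifies the server certificate the way a TLS client does. The CA name, the hostnames and the function names are assumptions for illustration. It shows that the server certificate is rejected until the CA is present in the client's trust store, and that the CA alone is not sufficient when the hostname the client dials does not match the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with the parent certificate and the parent's private key.
// When parent is nil the certificate is self-signed (that is how the CA root is made).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent = tmpl
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// makeTestPKI builds a constructed private CA and a server certificate for a
// hypothetical database host signed by that CA. Names are made up for the example.
func makeTestPKI() (ca, server *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issueCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "db.example.internal"},
		DNSNames:     []string{"db.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, _, err = issueCert(serverTmpl, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, server, nil
}

// verifyServerCert does what a TLS client does with the server's certificate:
// chain it to a root in the trust store and check hostname and server-auth usage.
func verifyServerCert(server *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether verification failed because no trusted root
// signed the chain, i.e. the private CA was never added to the trust store.
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func main() {
	ca, server, err := makeTestPKI()
	if err != nil {
		panic(err)
	}
	// 1. Empty trust store: the client rejects the server certificate.
	fmt.Println("no CA configured:", verifyServerCert(server, x509.NewCertPool(), "db.example.internal"))
	// 2. Trust store containing the private CA: verification succeeds (prints <nil>).
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("CA configured:", verifyServerCert(server, pool, "db.example.internal"))
	// 3. Right CA, wrong hostname: still rejected, so the CA alone is not enough.
	fmt.Println("wrong hostname:", verifyServerCert(server, pool, "kafka.example.internal"))
}
```

An empty `x509.CertPool` is used deliberately for the negative case: a nil `Roots` would fall back to the system trust store, which is exactly the store the private CA is missing from in the scenario above.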

Configuring a custom Certificate Authority

1. Ensure that you have the package ca-injector-webhook-pkg in your packages.txt. This is a webhook that adds an init-container to the deployments of a namespace; the init-container injects your CA certificates.

2. If you are using one, ensure that the firewall between your cluster control plane and worker nodes allows access to port 10000 of the ca-injector-webhook. See Appendix E, Webhook Ports in Vault Cloud Infrastructure, for more details.

3. Before installing Vault, label the Vault namespace to enable CA injection:

