[VaultPKISecret] Populate ca.crt from the vault issuing_ca

[djds]

Populate ca.crt from the vault issuing_ca field the Kubernetes secret created by VaultPKISecret if the target secret is of type kuberntes.io/tls. Many Kubernetes applications expect a CA to be located at that key and this would obviate the need for separate CA ConfigMaps or Secrets in many cases. This is especially useful because Vault works great as a cluster CA, but would also simplify the rollout of new trust anchors when the CA is updated or rotated.

[nia-potato]

I also have this requirement, and is blocking deployment, we cannot expect to not auto populate caCertSecret when rolling out vso to clusters.

[tvoran]

BTW, this can now be done using a template:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: example
spec:
  ...
  destination:
    name: pki1
    transformation:
      templates:
          ca.crt:
            text: |
              {{- printf "%s" (get .Secrets "issuing_ca") -}}

[benashz]

BTW, this can now be done using a template:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: example
spec:
  ...
  destination:
    name: pki1
    transformation:
      templates:
          ca.crt:
            text: |
              {{- printf "%s" (get .Secrets "issuing_ca") -}}

Indeed, secrets transformations should now be honoured for kuberntes.io/tls Secret type. That requires v0.7.0 or greater.