
Unit 2: HashiCorp Vault PKI — dynamic certificates and secret management #47

@TeoSlayer

Scope

Vault's PKI secrets engine as the CA for Pilot network enrollment. Vault handles identity verification (AppRole, K8s auth, cloud IAM) and issues short-lived certificates.

Deliverables

  • Vault PKI integration: daemon requests certificate from Vault PKI mount
  • Vault auth methods: AppRole, Kubernetes, AWS IAM, GCP IAM, Azure MSI
  • Short-lived certificates: hours not months, automatic renewal
  • Dynamic join tokens: Vault Transit engine generates single-use, time-limited join tokens
  • Revocation via Vault: revoking cert in Vault propagates to Pilot CRL
  • Setup guide: Vault PKI mount configuration, role definition, auth method setup

Files

  • pkg/daemon/vault.go — Vault client, certificate request
  • tests/ — Vault integration tests (mock Vault server)

Priority: HIGH
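The enrollment flow the deliverables describe, as an added example that is not Pilot's pkg/daemon/vault.go and not HashiCorp code: a minimal Vault client that logs in with AppRole (auth/approle/login), asks a PKI mount for a short-lived certificate (<mount>/issue/<role>), parses the result and schedules renewal from the certificate's real NotAfter, plus the kind of in-process mock Vault the tests/ deliverable calls for. The Client type, the vaultResp envelope, the mount name "pki", the role name "pilot-node", the token literal "hvs.mock" and the mock server are all assumptions made for this example; only the two Vault API paths and the X-Vault-Token header are Vault's. The mock deliberately ignores the requested TTL and issues for its configured max_ttl, which is what Vault does when a daemon asks for more than the role allows, so the renewal timer has to come from the returned certificate rather than the request.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Client is a minimal Vault HTTP client: an assumed shape for this example, not Pilot's vault.go.
type Client struct {
	Addr, Token string
	HTTP        *http.Client // give it a Timeout: an unreachable Vault must not hang enrollment
}

// vaultResp is the part of Vault's response envelope used here (the envelope also carries request_id and lease fields).
type vaultResp struct {
	Auth map[string]any `json:"auth"`
	Data map[string]any `json:"data"`
}

// post sends JSON to /v1/<path> with the client token and decodes the reply envelope.
func (c *Client) post(path string, in any) (r vaultResp, err error) {
	body, _ := json.Marshal(in)
	req, err := http.NewRequest(http.MethodPost, c.Addr+"/v1/"+path, bytes.NewReader(body))
	if err != nil {
		return r, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // Vault reports auth and policy failures as 400/403 with an errors array
		return r, fmt.Errorf("vault %s: HTTP %d", path, resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&r)
	return
}

// LoginAppRole trades role_id/secret_id for a client token via auth/approle/login.
func (c *Client) LoginAppRole(roleID, secretID string) error {
	r, err := c.post("auth/approle/login", map[string]string{"role_id": roleID, "secret_id": secretID})
	if c.Token, _ = r.Auth["client_token"].(string); err == nil && c.Token == "" {
		err = fmt.Errorf("approle login returned no client_token")
	}
	return err
}

// IssueCert requests a certificate from <mount>/issue/<role>. Vault caps the requested TTL at
// the role's max_ttl, so renewal must be scheduled from the returned NotAfter, not the request.
func (c *Client) IssueCert(mount, role, cn string, ttl time.Duration) (*x509.Certificate, []byte, error) {
	r, err := c.post(mount+"/issue/"+role, map[string]string{"common_name": cn, "ttl": fmt.Sprintf("%ds", int(ttl.Seconds()))})
	if err != nil {
		return nil, nil, err
	}
	certPEM, _ := r.Data["certificate"].(string)
	keyPEM, _ := r.Data["private_key"].(string)
	if blk, _ := pem.Decode([]byte(certPEM)); blk != nil {
		cert, err := x509.ParseCertificate(blk.Bytes)
		return cert, []byte(keyPEM), err
	}
	return nil, nil, fmt.Errorf("no PEM certificate in Vault response")
}

// RenewAt schedules renewal at two thirds of the lifetime, leaving a third for retries.
func RenewAt(cert *x509.Certificate) time.Time {
	return cert.NotBefore.Add(cert.NotAfter.Sub(cert.NotBefore) * 2 / 3)
}

// NewMockVault is a constructed stand-in, not Vault: one AppRole pair, a fixed token, self-signed Ed25519 leaves, and a "pilot-node" role whose max_ttl caps any requested TTL.
func NewMockVault(roleID, secretID string, maxTTL time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in)
		switch {
		case r.URL.Path == "/v1/auth/approle/login" && in["role_id"] == roleID && in["secret_id"] == secretID:
			json.NewEncoder(w).Encode(vaultResp{Auth: map[string]any{"client_token": "hvs.mock"}})
		case r.URL.Path == "/v1/pki/issue/pilot-node" && r.Header.Get("X-Vault-Token") == "hvs.mock":
			pub, priv, _ := ed25519.GenerateKey(rand.Reader)
			leaf := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: in["common_name"]}, NotBefore: time.Now(), NotAfter: time.Now().Add(maxTTL)}
			der, _ := x509.CreateCertificate(rand.Reader, leaf, leaf, pub, priv)
			keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
			json.NewEncoder(w).Encode(vaultResp{Data: map[string]any{"certificate": string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
				"private_key": string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))}})
		default:
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		}
	}))
}
```

Against a real server, set Addr to the Vault address and HTTP to a client with a timeout; the other auth methods in the deliverables change only the login call (for example auth/kubernetes/login takes a role and the pod's service-account JWT instead of role_id/secret_id) and leave IssueCert untouched. Revocation, not shown here, is a POST to <mount>/revoke with the serial number Vault returned, so the daemon should keep the issued certificate's serial alongside the key. Because the mock issues for its own max_ttl no matter what TTL was requested, a test against it catches a daemon that times renewal from the requested TTL instead of from the certificate.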
