Vault uses client-side verification when interacting with the database and/or Kafka (i.e. not
mutual TLS). This means the server certificate presented by the database/Kafka must be trusted by
Vault. If your database and/or Kafka cluster uses a self-signed certificate, you will need to
provide the Certificate Authority (CA) certificate that signed the database and/or Kafka server
certificate(s), so that Vault can add it to its trust chain.
Configuring a custom Certificate Authority

Step 1. Ensure that the package ca-injector-webhook-pkg is listed in your packages.txt. This is a
webhook that adds an init-container to the deployments of a namespace; the init-container
injects your CA certificates.

Step 2. If a firewall sits between your cluster control plane and worker nodes, ensure that it
allows access to port 10000 of the ca-injector-webhook. See Appendix E, Webhook Ports, in
Vault Cloud Infrastructure for more details.

Step 3. Before installing Vault, label the Vault namespace to enable CA injection: