Unit 2: HashiCorp Vault PKI — dynamic certificates and secret management

[TeoSlayer]

Scope

Vault's PKI secrets engine as the CA for Pilot network enrollment. Vault handles identity verification (AppRole, K8s auth, cloud IAM) and issues short-lived certificates.

Deliverables

• Vault PKI integration: daemon requests certificate from Vault PKI mount
• Vault auth methods: AppRole, Kubernetes, AWS IAM, GCP IAM, Azure MSI
• Short-lived certificates: hours not months, automatic renewal
• Dynamic join tokens: Vault Transit engine generates single-use, time-limited join tokens
• Revocation via Vault: revoking cert in Vault propagates to Pilot CRL
• Setup guide: Vault PKI mount configuration, role definition, auth method setup

Files

• pkg/daemon/vault.go — Vault client, certificate request
• tests/ — Vault integration tests (mock Vault server)

Priority: HIGH

[TeoSlayer]

Context: Vault is the enterprise standard for secrets management. Using Vault as the CA means enterprises get all of Vault's audit, access control, and rotation capabilities applied to Pilot certificates. Dynamic join tokens via Vault's Transit engine are single-use and time-limited — a leaked token is worthless after first use or expiry.