From 126f77f40df3f788aa38747f79cd843a68152f65 Mon Sep 17 00:00:00 2001
From: David Yu
Date: Tue, 27 Sep 2022 00:35:59 -0700
Subject: [PATCH] docs: update to Vault secrets backend for partition init service account and Helm values for injector (#14745)

* docs: update to Vault secrets backend
---
 .../vault/data-integration/partition-token.mdx | 11 ++++++-----
 .../vault/systems-integration.mdx | 4 +++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx
index 88463e89e0..88b8d9785b 100644
--- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx
+++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx
@@ -7,7 +7,7 @@ description: >-
 # Storing the ACL Partition Token in Vault
-This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault.
+This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault when using [Admin Partitions](/docs/enterprise/admin-partitions) in Consul Enterprise.
 ## Overview
 Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use an ACL partition token stored in Vault.
@@ -60,24 +60,24 @@ $ vault policy write partition-token-policy partition-token-policy.hcl
 Next, you will create Kubernetes auth roles for the Consul `server-acl-init` job:
 ```shell-session
-$ vault write auth/kubernetes/role/consul-server-acl-init \
+$ vault write auth/kubernetes/role/consul-partition-init \
 bound_service_account_names= \
 bound_service_account_namespaces= \
 policies=partition-token-policy \
 ttl=1h
 ```
-To find out the service account name of the Consul server,
+To find out the service account name of the `partition-init` job,
 you can run the following `helm template` command with your Consul on Kubernetes values file:
 ```shell-session
-$ helm template --release-name ${RELEASE_NAME} -s templates/server-acl-init-serviceaccount.yaml hashicorp/consul
+$ helm template --release-name ${RELEASE_NAME} -s templates/partition-init-serviceaccount.yaml hashicorp/consul
 ```
 ## Update Consul on Kubernetes Helm chart
 Now that you have configured Vault, you can configure the Consul Helm chart to
-use the ACL partition token key in Vault:
+use the ACL partition token key in Vault and the service account for the Partitions role.
@@ -87,6 +87,7 @@ global:
 vault:
 enabled: true
 manageSystemACLsRole: consul-server-acl-init
+ adminPartitionsRole: consul-partition-init
 acls:
 partitionToken:
 secretName: secret/data/consul/partition-token
diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx
index b51cb5c583..9c5ac5c5ba 100644
--- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx
+++ b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx
@@ -128,11 +128,13 @@ A minimal valid installation of Vault Kubernetes must include the Agent Injector
 ```shell-session
 $ cat <> vault-injector.yaml
 # vault-injector.yaml
+global:
+ enabled: true
+ externalVaultAddr: ${VAULT_ADDR}
 server:
 enabled: false
 injector:
 enabled: true
- externalVaultAddr: ${VAULT_ADDR}
 authPath: auth/${VAULT_AUTH_METHOD_NAME}
 EOF
 ```