From 196d5fdeb75e11e0af8feac55da675fdc4451f70 Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:46:55 -0800 Subject: [PATCH] Update server-tls.mdx Added k8s auth role for client Added to Consul yaml file: tls.enableAutoEncrypt: true Fixed name of CA policy: policies=ca-policy --- .../k8s/installation/vault/server-tls.mdx | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 612d9997e9..485cae0af9 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -102,8 +102,9 @@ echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). -Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components: +Finally, three Kubernetes auth roles need to be created, one for the Consul servers, one for the Consul clients, and one for the Consul components. +Role for Consul servers: ```shell-session vault write auth/kubernetes/role/consul-server \ bound_service_account_names= \ @@ -121,11 +122,30 @@ you can run: -> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to the Kube auth role in a comma separated value e.g. `policies=consul-server,consul-gossip` +Role for Consul clients: +```shell-session +vault write auth/kubernetes/role/consul-client \ + bound_service_account_names= \ + bound_service_account_namespaces=default \ + policies=ca-policy \ + ttl=1h +``` + +To find out the service account name of the Consul client +you can run: +```shell-session + helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul +``` + +-> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to +the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-gossip` + +Role for CA components: ```shell-session vault write auth/kubernetes/role/consul-ca \ bound_service_account_names="*" \ bound_service_account_namespaces= \ - policies=consul-ca \ + policies=ca-policy \ ttl=1h ``` @@ -147,6 +167,7 @@ global: consulClientRole: consul-client consulCARole: consul-ca tls: + enableAutoEncrypt: true enabled: true caCert: secretName: "pki/cert/ca"