From 196d5fdeb75e11e0af8feac55da675fdc4451f70 Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:46:55 -0800 Subject: [PATCH 1/7] Update server-tls.mdx Added k8s auth role for client Added to Consul yaml file: tls.enableAutoEncrypt: true Fixed name of CA policy: policies=ca-policy --- .../k8s/installation/vault/server-tls.mdx | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 612d9997e9..485cae0af9 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -102,8 +102,9 @@ echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). -Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components: +Finally, three Kubernetes auth roles need to be created, one for the Consul servers, one for the Consul clients, and one for the Consul components. +Role for Consul servers: ```shell-session vault write auth/kubernetes/role/consul-server \ bound_service_account_names= \ 
@@ -121,11 +122,30 @@ you can run: -> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to the Kube auth role in a comma separated value e.g. `policies=consul-server,consul-gossip` +Role for Consul clients: +```shell-session +vault write auth/kubernetes/role/consul-client \ + bound_service_account_names= \ + bound_service_account_namespaces=default \ + policies=ca-policy \ + ttl=1h +``` + +To find out the service account name of the Consul client +you can run: +```shell-session + helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul +``` + +-> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to +the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-gossip` + +Role for CA components: ```shell-session vault write auth/kubernetes/role/consul-ca \ bound_service_account_names="*" \ bound_service_account_namespaces= \ - policies=consul-ca \ + policies=ca-policy \ ttl=1h ``` @@ -147,6 +167,7 @@ global: consulClientRole: consul-client consulCARole: consul-ca tls: + enableAutoEncrypt: true enabled: true caCert: secretName: "pki/cert/ca" From 4dd43498976e4bbcdc8a9df47dab42455aa4e735 Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:56:33 -0800 Subject: [PATCH 2/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 485cae0af9..16e4edc794 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx 
@@ -106,7 +106,7 @@ Finally, three Kubernetes auth roles need to be created, one for the Consul serv Role for Consul servers: ```shell-session -vault write auth/kubernetes/role/consul-server \ +$ vault write auth/kubernetes/role/consul-server \ bound_service_account_names= \ bound_service_account_namespaces= \ policies=consul-server \ From 3e65685dbdfacf15735b8e021fdab33f75014ccf Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:56:53 -0800 Subject: [PATCH 3/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 16e4edc794..e525ffebb2 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -124,7 +124,7 @@ the Kube auth role in a comma separated value e.g. `policies=consul-server,cons Role for Consul clients: ```shell-session -vault write auth/kubernetes/role/consul-client \ +$ vault write auth/kubernetes/role/consul-client \ bound_service_account_names= \ bound_service_account_namespaces=default \ policies=ca-policy \ From f1c872604f001c3571b2622227e11b0be600acf8 Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:56:58 -0800 Subject: [PATCH 4/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index e525ffebb2..5c58097b10 100644 
--- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -134,7 +134,7 @@ $ vault write auth/kubernetes/role/consul-client \ To find out the service account name of the Consul client you can run: ```shell-session - helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul + $ helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul ``` -> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to From 6e2c0a3f00a226c21f589be0f89d43df2333fe9c Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:57:02 -0800 Subject: [PATCH 5/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 5c58097b10..10e5c4c58c 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -142,7 +142,7 @@ the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-g Role for CA components: ```shell-session -vault write auth/kubernetes/role/consul-ca \ +$ vault write auth/kubernetes/role/consul-ca \ bound_service_account_names="*" \ bound_service_account_namespaces= \ policies=ca-policy \ From f4c5c2cf16aa23123c44b707e88c3938a8807142 Mon Sep 17 00:00:00 2001 
From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:57:09 -0800 Subject: [PATCH 6/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 10e5c4c58c..d4c6cb3cd4 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -131,8 +131,7 @@ $ vault write auth/kubernetes/role/consul-client \ ttl=1h ``` -To find out the service account name of the Consul client -you can run: +To find out the service account name of the Consul client, use the command below. ```shell-session $ helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul ``` From e765343983d041145660c74e6a73686480e1fa06 Mon Sep 17 00:00:00 2001 From: vanphan24 <89482663+vanphan24@users.noreply.github.com> Date: Wed, 12 Jan 2022 08:57:14 -0800 Subject: [PATCH 7/7] Update website/content/docs/k8s/installation/vault/server-tls.mdx Co-authored-by: mrspanishviking --- website/content/docs/k8s/installation/vault/server-tls.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index d4c6cb3cd4..4669556bb3 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx 
@@ -136,7 +136,7 @@ To find out the service account name of the Consul client, use the command below $ helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul ``` --> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to +-> **Note:** Should you enable other supported features such as gossip-encryption, ensure you append additional policies to the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-gossip` Role for CA components:
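Review bot: In PATCH 1/7, hunk `@@ -102,8 +102,9 @@`, the intro now says three roles but never explains why the clients get a role of their own. A sentence after "Role for Consul servers:" noting that the client role is bound only to `ca-policy` (so a client can read the CA certificate to verify servers but holds none of the `consul-server` issuing permissions) would tell readers why a separate, narrower role is the right design rather than reusing the server role.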
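Review bot: In PATCH 1/7, hunk `@@ -121,11 +122,30 @@`, the new client role hard-codes `bound_service_account_namespaces=default` while the server and CA roles in the same hunk leave the namespace as a value to fill in; anyone installing the chart into another namespace will get a role that never matches the client service account and every client login will be rejected. Use the same fill-in form as the other two roles. Since the CA role on the following lines binds `bound_service_account_names="*"`, its namespace value is the only thing restricting who may assume it, so it is worth a sentence telling readers not to leave that value empty or widen it to a wildcard.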
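Review bot: In PATCH 1/7, hunk `@@ -147,6 +167,7 @@`, `enableAutoEncrypt: true` is added to the values file with no accompanying text; the commit message says it is needed, but the page does not. Add a line saying why the Vault integration requires it, and confirm that the unchanged `consulClientRole: consul-client` context line agrees with the new `auth/kubernetes/role/consul-client` role name (it does here, so a reader who renames one must rename both).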
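Review bot: In PATCH 4/7, hunk `@@ -134,7 +134,7 @@`, the new line ` $ helm template ...` keeps a leading space inside the `shell-session` fence, unlike the `$ vault write` blocks where the prompt starts at column 0; drop the indentation so the prompt renders consistently and copy-paste does not carry a stray space.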
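Review bot: In PATCH 7/7, hunk `@@ -136,7 +136,7 @@`, the rewritten note still ends without a period and reads "comma separated value"; suggest "comma-separated list, e.g. `policies=ca-policy,consul-gossip`." and "Kubernetes auth role" in place of "Kube auth role" to match the wording used for the roles elsewhere in this section.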