status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #12044 from vanphan24/patch-3 

Update server-tls.mdx
This commit is contained in:
mrspanishviking 2022-01-12 10:09:15 -07:00 committed by GitHub
parent ea0df29afb e765343983
commit 4b730392d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
website/content/docs/k8s/installation/vault/server-tls.mdx
View File

@ -102,10 +102,11 @@ echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE
Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components: Finally, three Kubernetes auth roles need to be created, one for the Consul servers, one for the Consul clients, and one for the Consul components.
Role for Consul servers:
```shell-session ```shell-session
vault write auth/kubernetes/role/consul-server \ $ vault write auth/kubernetes/role/consul-server \
bound_service_account_names=<Consul server service account> \ bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \ bound_service_account_namespaces=<Consul installation namespace> \
policies=consul-server \ policies=consul-server \
@ -121,11 +122,29 @@ you can run:
-> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to -> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to
the Kube auth role in a comma separated value e.g. `policies=consul-server,consul-gossip` the Kube auth role in a comma separated value e.g. `policies=consul-server,consul-gossip`
Role for Consul clients:
```shell-session ```shell-session
vault write auth/kubernetes/role/consul-ca \ $ vault write auth/kubernetes/role/consul-client \
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=default \
policies=ca-policy \
ttl=1h
```
To find out the service account name of the Consul client, use the command below.
```shell-session
$ helm template --release-name <your release name> -s templates/client-serviceaccount.yaml hashicorp/consul
```
-> **Note:** Should you enable other supported features such as gossip-encryption, ensure you append additional policies to
the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-gossip`
Role for CA components:
```shell-session
$ vault write auth/kubernetes/role/consul-ca \
bound_service_account_names="*" \ bound_service_account_names="*" \
bound_service_account_namespaces=<Consul installation namespace> \ bound_service_account_namespaces=<Consul installation namespace> \
policies=consul-ca \ policies=ca-policy \
ttl=1h ttl=1h
``` ```
@ -147,6 +166,7 @@ global:
consulClientRole: consul-client consulClientRole: consul-client
consulCARole: consul-ca consulCARole: consul-ca
tls: tls:
enableAutoEncrypt: true
enabled: true enabled: true
caCert: caCert:
secretName: "pki/cert/ca" secretName: "pki/cert/ca"