mirror of https://github.com/status-im/consul.git
docs: Clarification of Vault Consul K8s requirements for Auth Method (#11929)
* docs: Clarification of Vault Consul K8s requirements
* link back to requirements
* Update gossip.mdx
* Update index.mdx
* add details for K8s auth method requirement
* Update gossip.mdx
* Update server-tls.mdx
* Update connect-ca.mdx
* Update gossip.mdx
* Update server-tls.mdx
* Update website/content/docs/k8s/installation/vault/gossip.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/index.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/index.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/index.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/server-tls.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/index.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update website/content/docs/k8s/installation/vault/index.mdx
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update index.mdx
* Update index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
parent 092436f927
commit 6bef2b2eb4
|
@ -11,6 +11,8 @@ description: >-
|
||||||
Consul allows using Kubernetes auth methods to configure Connect CA.
|
Consul allows using Kubernetes auth methods to configure Connect CA.
|
||||||
This allows for automatic token rotation once the renewal is no longer possible.
|
This allows for automatic token rotation once the renewal is no longer possible.
|
||||||
|
|
||||||
|
In order to create Vault auth roles for the Consul servers for this feature, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
|
||||||
|
|
||||||
To configure [Vault as the provider](/docs/connect/ca/vault) for the Consul service certificates,
|
To configure [Vault as the provider](/docs/connect/ca/vault) for the Consul service certificates,
|
||||||
you will first need to decide on the type of policy that is suitable for you.
|
you will first need to decide on the type of policy that is suitable for you.
|
||||||
To see the permissions that Consul would need in Vault, please see [Vault ACL policies](/docs/connect/ca/vault#vault-acl-policies)
|
To see the permissions that Consul would need in Vault, please see [Vault ACL policies](/docs/connect/ca/vault#vault-acl-policies)
|
||||||
|
|
|
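Review bot: the cross-link added after the Connect CA sentence points at the anchor `/docs/k8s/installation/vault#vault-kubernetes-auth-method`, which only resolves while the `### Vault Kubernetes Auth Method` heading introduced in the index.mdx hunk of this same change keeps that exact title; the same anchor is used in the gossip and server-tls hunks, so a later rename of that heading would break all three links silently. Consider a docs link check, or a note next to the heading that it is linked from the other Vault pages. Minor wording: "In order to create Vault auth roles for the Consul servers for this feature" reads awkwardly; suggest "Before creating the Vault auth roles that the Consul servers use for this feature, ensure that ...".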
@ -34,11 +34,7 @@ path "secret/data/consul/gossip" {
|
||||||
vault policy write gossip-policy gossip-policy.hcl
|
vault policy write gossip-policy gossip-policy.hcl
|
||||||
```
|
```
|
||||||
|
|
||||||
Prior to creating auth roles for the Consul server and client, ensure that the Vault Kubernetes auth method is enabled:
|
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
|
||||||
|
|
||||||
```shell-session
|
|
||||||
vault auth enable kubernetes
|
|
||||||
```
|
|
||||||
|
|
||||||
Next, we will create Kubernetes auth roles for the Consul server and client:
|
Next, we will create Kubernetes auth roles for the Consul server and client:
|
||||||
|
|
||||||
|
|
|
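Review bot: removing the inline ` ```shell-session ` block together with its surrounding blank lines leaves two consecutive blank lines between the new requirement sentence and "Next, we will create Kubernetes auth roles for the Consul server and client:"; check the rendered MDX and drop one of them. The new sentence says "Consul servers and clients" while the unchanged line that follows says "Consul server and client"; use the plural in both so the two sentences agree. The cross-reference itself is a good replacement for the duplicated `vault auth enable kubernetes` command, since the requirements page now carries both the enable step and the auth method configuration.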
@ -25,12 +25,47 @@ At a high level, there are two points of integration with Vault:
|
||||||
1. `global.tls.enableAutoencrypt=true` is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
|
1. `global.tls.enableAutoencrypt=true` is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
|
||||||
1. The Vault installation must have been initialized, unsealed and the KV2 and PKI secrets engines enabled and the Kubernetes Auth Method enabled.
|
1. The Vault installation must have been initialized, unsealed and the KV2 and PKI secrets engines enabled and the Kubernetes Auth Method enabled.
|
||||||
|
|
||||||
|
### Vault Helm Config
|
||||||
|
|
||||||
A minimal valid installation of Vault must include the Agent Injector:
|
A minimal valid installation of Vault must include the Agent Injector:
|
||||||
```yaml
|
```yaml
|
||||||
injector:
|
injector:
|
||||||
enabled: "true"
|
enabled: "true"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Vault Kubernetes Auth Method
|
||||||
|
|
||||||
|
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled:
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault auth enable kubernetes
|
||||||
|
```
|
||||||
|
|
||||||
|
After enabling the Kubernetes auth method, in Vault, ensure that you have configured the Kubernetes Auth method properly as described in [Kubernetes Auth Method Configuration](https://www.vaultproject.io/docs/auth/kubernetes#configuration). The command should look simliar to the following with a custom `kubernetes_host` config provided from the information provided via `kubectl cluster-info`.
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault write auth/kubernetes/config \
|
||||||
|
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
|
||||||
|
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
|
||||||
|
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vault KV Secrets Engine - Version 2
|
||||||
|
|
||||||
|
In order to utlize Vault as a secrets backend, we must enable thne [Vault KV secrets engine - Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault secrets enable -path=consul kv-v2
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vault PKI Engine
|
||||||
|
|
||||||
|
The Vault PKI Engine must be enabled in order to leverage Vault for issuiing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](https://www.consul.io/docs/k8s/installation/vault/server-tls#bootstrapping-the-pki-engine) under the Server TLS section.
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault secrets enable pki
|
||||||
|
```
|
||||||
|
|
||||||
## Known Limitations
|
## Known Limitations
|
||||||
|
|
||||||
- TLS
|
- TLS
|
||||||
|
|
|
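Review bot: the prose and the command in the new "Vault Kubernetes Auth Method" section disagree. The paragraph says `kubernetes_host` is taken from `kubectl cluster-info`, but the command uses `$KUBERNETES_PORT_443_TCP_ADDR` and reads `token_reviewer_jwt` and `kubernetes_ca_cert` from `/var/run/secrets/kubernetes.io/serviceaccount/`, which only exist inside a pod; state explicitly that this `vault write auth/kubernetes/config` is run from a shell inside the Vault pod, or show the `kubectl cluster-info` form with the host substituted. Typos to fix in the same hunk: "simliar", "utlize", "thne", "issuiing", and "More details for configuring the PKI Engine is found" should read "are found". In the Helm snippet, `enabled: "true"` quotes a boolean as a string; confirm that is the form the Vault Helm chart expects, otherwise use the unquoted `true`.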
@ -100,11 +100,7 @@ export DATACENTER=dc1
|
||||||
echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE, $NAME-server.$NAMESPACE.svc\"
|
echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE, $NAME-server.$NAMESPACE.svc\"
|
||||||
```
|
```
|
||||||
|
|
||||||
Prior to creating the Kubernetes auth roles required for Consul to securely access Vault, ensure that the Vault Kubernetes Auth method is enabled:
|
Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
|
||||||
|
|
||||||
```shell-session
|
|
||||||
vault auth enable kubernetes
|
|
||||||
```
|
|
||||||
|
|
||||||
Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components:
|
Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components:
|
||||||
|
|
||||||
|
|
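Review bot: the new sentence says "Vault auth roles for the Consul server and the Consul components" while the unchanged line that follows says "one for the Consul servers and one for the Consul components"; use the plural "servers" in both. As in the gossip hunk, deleting the fenced `vault auth enable kubernetes` block leaves two consecutive blank lines before "Finally, two Kubernetes auth roles need to be created"; drop one.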