diff --git a/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx b/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx index 201257249f..f27bf3baf4 100644 --- a/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx +++ b/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx @@ -10,6 +10,8 @@ You can use this Helm chart to deploy Consul Enterprise by following a few extra Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. +-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/installation/vault/enterprise-license). + You can use the following commands to create the secret with name `consul-ent-license` and key `key`: ```bash @@ -45,7 +47,8 @@ server: -If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. +If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. +(These values arerequired on top ofyour normal configuration.) -> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`. diff --git a/website/content/docs/k8s/installation/vault/enterprise-license.mdx b/website/content/docs/k8s/installation/vault/enterprise-license.mdx new file mode 100644 index 0000000000..8cdd9f2336 --- /dev/null +++ b/website/content/docs/k8s/installation/vault/enterprise-license.mdx @@ -0,0 +1,98 @@ +--- +layout: docs +page_title: Storing Enterprise License in Vault +description: >- + Configuring the Consul Helm chart to use enterprise license stored in Vault. +--- + +# Storing the Enterprise License in Vault + +To use an enterprise license stored in Vault, the steps will be similar to [Storing Gossip Encryption Key in Vault](/docs/k8s/installation/vault/gossip). You need to do the following: + +1. Store an enterprise license key in Vault's KV2 secrets engine. +1. Create Vault Policies that allow read access to the key. +1. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients. + +## Configuring Vault + +First, store the license key in Vault: + +```shell-session +$ vault kv put secret/consul/enterpriselicense key="" +``` + +Next, you will need to create a policy that allows read access to this secret: + + + + +```HCL +path "secret/data/consul/enterpriselicense" { + capabilities = ["read"] +} +``` + + + +```shell-session +$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl +``` + +Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). + +Next, you will create Kubernetes auth roles for the Consul server and client: + +```shell-session +$ vault write auth/kubernetes/role/consul-server \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=enterpriselicense-policy \ + ttl=1h +``` + +```shell-session +$ vault write auth/kubernetes/role/consul-client \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=enterpriselicense-policy \ + ttl=1h +``` + +To find out the service account names of the Consul server and client, +you can run the following `helm template` commands with your Consul on Kubernetes values file: + +- Generate Consul server service account name + ```shell-session + $ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul + ``` + +- Generate Consul client service account name + ```shell-session + $ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul + ``` + +## Deploying the Consul Helm chart + +Now that you have configured Vault, you can configure the Consul Helm chart to +use the enterprise license key in Vault: + + + +```yaml +global: + secretsBackend: + vault: + enabled: true + consulServerRole: consul-server + consulClientRole: consul-client + enterpriseLicense: + secretName: secret/data/consul/enterpriselicense + secretKey: key +``` + + + +Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault. +This should be the same path as the one you included in your Vault policy. +`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same +as the key you passed when creating the enterprise license secret in Vault. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 2f8e251a3a..07e9782ba8 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -478,6 +478,10 @@ "title": "Gossip Encryption Key", "path": "k8s/installation/vault/gossip" }, + { + "title": "Enterprise License", + "path": "k8s/installation/vault/enterprise-license" + }, { "title": "Server TLS", "path": "k8s/installation/vault/server-tls"