Adding documentation to store Enterprise License in Vault (#12375)

* Adding documentation to store Enterprise License in Vault

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Referencing Storing the Enterprise License in Vault from the Consul Enterprise installation instructions.

* Added missing words about stroing in Vault

* Update website/content/docs/k8s/installation/vault/enterprise-license.mdx

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

* Clarifying that enterprise code block is just changes on top of your normal config.

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
This commit is contained in:
John Murret 2022-02-23 14:20:45 -07:00 committed by GitHub
parent f956e66207
commit b52aaf153a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 106 additions and 1 deletions

View File

@ -10,6 +10,8 @@ You can use this Helm chart to deploy Consul Enterprise by following a few extra
Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/installation/vault/enterprise-license).
You can use the following commands to create the secret with name `consul-ent-license` and key `key`: You can use the following commands to create the secret with name `consul-ent-license` and key `key`:
```bash ```bash
@ -46,6 +48,7 @@ server:
</CodeBlockConfig> </CodeBlockConfig>
If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created.
(These values arerequired on top ofyour normal configuration.)
-> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`. -> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`.

View File

@ -0,0 +1,98 @@
---
layout: docs
page_title: Storing Enterprise License in Vault
description: >-
Configuring the Consul Helm chart to use enterprise license stored in Vault.
---
# Storing the Enterprise License in Vault
To use an enterprise license stored in Vault, the steps will be similar to [Storing Gossip Encryption Key in Vault](/docs/k8s/installation/vault/gossip). You need to do the following:
1. Store an enterprise license key in Vault's KV2 secrets engine.
1. Create Vault Policies that allow read access to the key.
1. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.
## Configuring Vault
First, store the license key in Vault:
```shell-session
$ vault kv put secret/consul/enterpriselicense key="<enterprise license>"
```
Next, you will need to create a policy that allows read access to this secret:
<CodeBlockConfig filename="enterpriselicense-policy.hcl">
```HCL
path "secret/data/consul/enterpriselicense" {
capabilities = ["read"]
}
```
</CodeBlockConfig>
```shell-session
$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl
```
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Next, you will create Kubernetes auth roles for the Consul server and client:
```shell-session
$ vault write auth/kubernetes/role/consul-server \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
```
```shell-session
$ vault write auth/kubernetes/role/consul-client \
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
```
To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:
- Generate Consul server service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
```
- Generate Consul client service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
```
## Deploying the Consul Helm chart
Now that you have configured Vault, you can configure the Consul Helm chart to
use the enterprise license key in Vault:
<CodeBlockConfig filename="values.yaml">
```yaml
global:
secretsBackend:
vault:
enabled: true
consulServerRole: consul-server
consulClientRole: consul-client
enterpriseLicense:
secretName: secret/data/consul/enterpriselicense
secretKey: key
```
</CodeBlockConfig>
Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the enterprise license secret in Vault.

View File

@ -478,6 +478,10 @@
"title": "Gossip Encryption Key", "title": "Gossip Encryption Key",
"path": "k8s/installation/vault/gossip" "path": "k8s/installation/vault/gossip"
}, },
{
"title": "Enterprise License",
"path": "k8s/installation/vault/enterprise-license"
},
{ {
"title": "Server TLS", "title": "Server TLS",
"path": "k8s/installation/vault/server-tls" "path": "k8s/installation/vault/server-tls"