update docs (#12543)

Kyle Schochenmaier 2022-03-09 13:24:20 -06:00 committed by GitHub
parent 0e122479fa
commit d6792f14a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 9 deletions

@ -1366,9 +1366,26 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
as well as permission to mount the backend at this path if it is not already as well as permission to mount the backend at this path if it is not already
mounted. mounted.
#### Common CA Config Options - `auth_method` ((#vault_ca_auth_method))
Vault auth method to use for logging in to Vault.
Please see [Vault Auth Methods](https://www.vaultproject.io/docs/auth) for more information
on how to configure individual auth methods. If auth method is provided, Consul will obtain a
new token from Vault when the token can no longer be renewed.
There are also a number of common configuration options supported by all providers: - `type` The type of Vault auth method.
- `mount_path` The mount path of the auth method.
If not provided the auth method type will be used as the mount path.
- `params` The parameters to configure the auth method.
Please see [Vault Auth Methods](https://www.vaultproject.io/docs/auth) for information on how
to configure the auth method you wish to use. If using the Kubernetes auth method, Consul will
read the service account token from the default mount path `/var/run/secrets/kubernetes.io/serviceaccount/token`
if the `jwt` parameter is not provided.
#### Common CA Config Options
There are also a number of common configuration options supported by all providers:
- `csr_max_concurrent` ((#ca_csr_max_concurrent)) Sets a limit on the number - `csr_max_concurrent` ((#ca_csr_max_concurrent)) Sets a limit on the number
of Certificate Signing Requests that can be processed concurrently. Defaults of Certificate Signing Requests that can be processed concurrently. Defaults
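Review bot: the Kubernetes sentence under `params` calls `/var/run/secrets/kubernetes.io/serviceaccount/token` the "default mount path", which collides with the `mount_path` option defined two bullets above it and means something different there (the Vault auth mount, not a file path to the service account token). Suggest "from the default path". The `type`, `mount_path` and `params` bullets also carry no type or default, while the provider page touched in this same commit documents them in the form `Type`/ `type` (`string: ""`); using that form here would keep the two pages consistent. Minor: "If auth method is provided" should read "If an auth method is provided".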

@ -99,7 +99,7 @@ The configuration options are listed below.
- `AuthMethod` / `auth_method` (`map: nil`) - Vault auth method to use for logging in to Vault. - `AuthMethod` / `auth_method` (`map: nil`) - Vault auth method to use for logging in to Vault.
Please see [Vault Auth Methods](https://www.vaultproject.io/docs/auth) for more information Please see [Vault Auth Methods](https://www.vaultproject.io/docs/auth) for more information
on how to configure individual auth methods. If auth method is provided, Consul will obtain a on how to configure individual auth methods. If auth method is provided, Consul will obtain
a new token from Vault when the token can no longer be renewed. a new token from Vault when the token can no longer be renewed.
- `Type`/ `type` (`string: ""`) - The type of Vault auth method. - `Type`/ `type` (`string: ""`) - The type of Vault auth method.
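Review bot: the re-wrapped `AuthMethod` sentence, "If auth method is provided, Consul will obtain a new token from Vault when the token can no longer be renewed", is missing an article and leaves "the token" undefined; since the line is being touched anyway, suggest "If an auth method is provided" and naming which token is meant. The context line `Type`/ `type` is also spaced differently from `AuthMethod` / `auth_method` just above it.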
@ -122,9 +122,9 @@ The configuration options are listed below.
exist, Consul will mount a new PKI secrets engine at the specified path with the exist, Consul will mount a new PKI secrets engine at the specified path with the
`RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set, `RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set,
a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl) a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl)
of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11, of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11,
the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable. the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable.
The root certificate will expire at the end of the specified period. The root certificate will expire at the end of the specified period.
When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path` When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path`
with the primary datacenter. with the primary datacenter.
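Review bot: in the `RootCertTTL` paragraph, "8760 hour, or 1 year" should read "8760 hours", and "as of Consul 1.11 and later" is redundant (either "as of Consul 1.11" or "in Consul 1.11 and later"). The hunk reads as a whitespace-only change in this view, so these wording fixes could ride along with it. The WAN Federation sentence says secondaries must "share the same `root_pki_path`" with the primary; stating that this is the value configured in the primary datacenter would make clear which side is authoritative.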
@ -140,10 +140,10 @@ The configuration options are listed below.
The path to a PKI secrets engine for the generated intermediate certificate. The path to a PKI secrets engine for the generated intermediate certificate.
This certificate will be signed by the configured root PKI path. If this This certificate will be signed by the configured root PKI path. If this
path does not exist, Consul will attempt to mount and configure this path does not exist, Consul will attempt to mount and configure this
automatically. automatically.
When WAN Federation is enabled, every secondary When WAN Federation is enabled, every secondary
datacenter must specify a unique `intermediate_pki_path`. datacenter must specify a unique `intermediate_pki_path`.
- `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA - `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA
certificate used for Vault communication. If unspecified, this will fallback certificate used for Vault communication. If unspecified, this will fallback
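Review bot: "every secondary datacenter must specify a unique `intermediate_pki_path`" does not say whether the path must also differ from the primary datacenter's, only that secondaries are unique; suggest spelling that out, since the paragraph above requires the same `root_pki_path` everywhere and readers will compare the two rules. In the `CAFile` context line, "this will fallback" should be the verb form "fall back".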