* Updating k8s Vault as a Secrets Backend docs
* Moving files in data-integration folder
* Updating routes to moved files
* Removing known limitations since we have delivered them.
* Revise overview page to point towards the System Integration and Data Integration pages.
* Updating Systems Overview page
* Making corrections to Overview and Systems Integration page
* Updating Data Integration page
* Gossip page
* Enterprise License page
* Bootstrap Token
* Replication Token
* Revisions to bootstrap, replication, and enterprise license
* snapshot agent page. revisions to other data integration pages
* Consul Service Mesh TLS Provider page
* ServerTLS page
* Spelling, grammar errors
* Update website/content/docs/k8s/installation/vault/index.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/index.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/server-tls.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/connect-ca.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/gossip.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/snapshot-agent-config.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/bootstrap-token.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/connect-ca.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/enterprise-license.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/replication-token.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/data-integration/replication-token.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Updating data center to datacenter
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* interim changes
* more formatting changes
* adding additional formatting changes
* more formatting on systems integration page
* remove TODO
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: David Yu <dyu@hashicorp.com>)
* Update website/content/docs/k8s/installation/vault/index.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/index.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Update website/content/docs/k8s/installation/vault/systems-integration.mdx (Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>)
* Adding partition token
* removing dangling word
* Adding missing navlink for partitions page
* Adding VAULT_TOKEN documentation and a note to VAULT_ADDR about https and the possible need for the VAULT_CACERT.
* Fixing broken links and ordering lists
* Fixing broken links. Changing pre-requisites to prerequisites.

Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
---
layout: docs
page_title: Vault as the Secrets Backend Overview
description: >-
  Using Vault as the secrets backend for Consul on Kubernetes.
---

# Vault as the Secrets Backend Overview

By default, the Consul Helm chart expects any credentials it needs to be stored as Kubernetes secrets.
As of Consul 1.11 and Consul Helm chart v0.38.0, Consul integrates more natively with Vault, making it easier
to use the Consul Helm chart with Vault as the secrets storage backend.

## Secrets Overview

By default, Consul on Kubernetes leverages Kubernetes secrets, which are only base64 encoded and, unless encryption at rest has been configured for etcd, are stored unencrypted. In addition, the following limitations exist when managing sensitive data within Kubernetes secrets:

- There are no lease or time-to-live properties associated with these secrets.
- Kubernetes can only manage resources, such as secrets, within a cluster boundary. If you have sets of clusters, the resources across them need to be managed separately.

By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster and use them across one or many Consul on Kubernetes datacenters.

### Secrets stored in the Vault KV Secrets Engine

The following secrets can be stored in the Vault KV secrets engine, which is meant to handle arbitrary secrets:

- ACL Bootstrap token
- ACL Partition token
- ACL Replication token
- Enterprise license
- Gossip encryption key
- Snapshot Agent config

### Secrets generated and managed by the Vault PKI Engine

The following TLS certificates and keys can be generated and managed by the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation:

- Server TLS credentials
- Service Mesh and Consul client TLS credentials

## Requirements

1. Vault 1.9+ and Vault-k8s 0.14+ are required.
1. Vault must be installed and accessible to the Consul on Kubernetes installation.
1. `global.tls.enableAutoencrypt=true` is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
1. The Vault installation must have been initialized and unsealed, with the KV v2 and PKI secrets engines and the Kubernetes Auth Method enabled.

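As an added example (this is not part of the Consul documentation or the project's code), the following Python script checks the Vault-side prerequisites listed above before you run the Helm install. It reads the JSON that `vault status -format=json`, `vault secrets list -format=json` and `vault auth list -format=json` produce and reports what is missing: an uninitialized or sealed Vault, a version older than 1.9, no KV v2 mount (a KV v1 mount is not enough), no PKI mount, or no Kubernetes auth method. The embedded JSON is constructed to match the shape of those commands' output; the mount paths `consul/`, `pki/` and `legacy/` are assumptions, and the Vault-k8s version is not visible in these outputs, so it is not checked.

```python
import json
import re

# Constructed sample output in the shape of `vault status -format=json`,
# `vault secrets list -format=json` and `vault auth list -format=json`.
# Not captured from a real cluster; mount paths are assumptions.
SAMPLE_STATUS = json.loads("""
{"type": "shamir", "initialized": true, "sealed": false, "version": "1.9.2+ent"}
""")
SAMPLE_SECRETS = json.loads("""
{
  "consul/":    {"type": "kv",        "options": {"version": "2"}},
  "pki/":       {"type": "pki",       "options": null},
  "legacy/":    {"type": "kv",        "options": {"version": "1"}},
  "cubbyhole/": {"type": "cubbyhole", "options": null}
}
""")
SAMPLE_AUTH = json.loads("""
{"kubernetes/": {"type": "kubernetes"}, "token/": {"type": "token"}}
""")

MIN_VAULT_VERSION = (1, 9)


def parse_version(version):
    """Turn '1.9.2+ent' into (1, 9, 2); build metadata after '+' or '-' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable Vault version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def kv_v2_mounts(secrets):
    """Paths of KV mounts whose options.version is '2'; KV v1 mounts are excluded."""
    return sorted(
        path for path, mount in secrets.items()
        if mount.get("type") == "kv"
        and (mount.get("options") or {}).get("version") == "2"
    )


def mounts_of_type(mounts, mount_type):
    """Paths of secrets engines or auth methods of the given type."""
    return sorted(p for p, m in mounts.items() if m.get("type") == mount_type)


def preflight(status, secrets, auth):
    """Return a list of human-readable problems; an empty list means Vault is ready."""
    problems = []
    if not status.get("initialized"):
        problems.append("Vault is not initialized")
    if status.get("sealed", True):
        problems.append("Vault is sealed")
    version = status.get("version", "0.0.0")
    if parse_version(version) < MIN_VAULT_VERSION:
        problems.append(f"Vault {version} is older than the required 1.9")
    if not kv_v2_mounts(secrets):
        problems.append("no KV v2 secrets engine is mounted (KV v1 mounts do not count)")
    if not mounts_of_type(secrets, "pki"):
        problems.append("no PKI secrets engine is mounted")
    if not mounts_of_type(auth, "kubernetes"):
        problems.append("the Kubernetes auth method is not enabled")
    return problems


if __name__ == "__main__":
    # Against a live cluster, replace the samples with json.load() of the
    # three commands' output (e.g. `vault status -format=json > status.json`).
    for line in preflight(SAMPLE_STATUS, SAMPLE_SECRETS, SAMPLE_AUTH) or ["all Vault prerequisites satisfied"]:
        print(line)
```

This only confirms that the engines and auth method exist; it does not verify the Kubernetes auth roles and policies that bind Consul's service accounts to the secret paths, which is the subject of the Systems Integration page. Note also that `vault status` exits non-zero (2) when Vault is sealed, so capture its output without `set -e` or the JSON will never be written.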
## Next Steps

The Vault integration with Consul on Kubernetes has two aspects or phases:

- [Systems Integration](/docs/k8s/installation/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store.
- [Data Integration](/docs/k8s/installation/vault/data-integration) - Configure specific secrets to be stored in and retrieved from Vault for use with Consul on Kubernetes.

As a next step, proceed to the [Systems Integration](/docs/k8s/installation/vault/systems-integration) overview to understand how to first set up Vault and Consul on Kubernetes to leverage Vault as a secrets backend.