consul/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx

116 lines
4.2 KiB
Plaintext

---
layout: docs
page_title: Storing the Enterprise License in Vault
description: >-
Configuring the Consul Helm chart to use an enterprise license stored in Vault.
---
# Storing the Enterprise License in Vault
This topic describes how to configure the Consul Helm chart to use an enterprise license stored in Vault.
## Overview
Complete the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section to use an enterprise license stored in Vault.
Complete the following steps once:
1. Store the secret in Vault.
1. Create a Vault policy that authorizes the desired level of access to the secret.
Repeat the following steps for each datacenter in the cluster:
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
1. Update the Consul on Kubernetes helm chart.
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault
First, store the enterprise license in Vault:
```shell-session
$ vault kv put consul-kv/secret/enterpriselicense key="<enterprise license>"
```
## Create Vault policy
Next, you will need to create a policy that allows read access to this secret.
The path to the secret referenced in the `path` resource is the same value that you will configure in the `global.enterpriseLicense.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
<CodeBlockConfig filename="license-policy.hcl">
```HCL
path "consul-kv/data/secret/enterpriselicense" {
capabilities = ["read"]
}
```
</CodeBlockConfig>
Apply the Vault policy by issuing the `vault policy write` CLI command:
```shell-session
$ vault policy write license-policy license-policy.hcl
```
## Create Vault Authorization Roles for Consul
Next, you will create Kubernetes auth roles for the Consul server and client:
```shell-session
$ vault write auth/kubernetes/role/consul-server \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=license-policy \
ttl=1h
```
```shell-session
$ vault write auth/kubernetes/role/consul-client \
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=license-policy \
ttl=1h
```
To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:
- Generate Consul server service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul -f values.yaml
```
- Generate Consul client service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul -f values.yaml
```
## Update Consul on Kubernetes Helm chart.
Now that you have configured Vault, you can configure the Consul Helm chart to
use the enterprise enterprise license in Vault:
<CodeBlockConfig filename="values.yaml">
```yaml
global:
image: hashicorp/consul-enterprise:1.12.0-ent
secretsBackend:
vault:
enabled: true
consulServerRole: consul-server
consulClientRole: consul-client
enterpriseLicense:
secretName: consul-kv/data/secret/enterpriselicense
secretKey: key
```
</CodeBlockConfig>
Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the enterprise license secret in Vault.