mirror of https://github.com/hashicorp/consul
55 lines
2.8 KiB
Plaintext
55 lines
2.8 KiB
Plaintext
|
---
|
||
|
layout: docs
|
||
|
page_title: Vault as the Secrets Backend Overview
|
||
|
description: >-
|
||
|
Using Vault as the secrets backend for Consul on Kubernetes.
|
||
|
---
|
||
|
|
||
|
# Vault as the Secrets Backend Overview
|
||
|
|
||
|
By default, Consul Helm chart will expect that any credentials it needs are stored as Kubernetes secrets.
|
||
|
As of Consul 1.11 and Consul Helm chart v0.38.0, we integrate more natively with Vault making it easier
|
||
|
to use Consul Helm chart with Vault as the secrets storage backend.
|
||
|
|
||
|
## Secrets Overview
|
||
|
|
||
|
By default, Consul on Kubernetes leverages Kubernetes secrets which are base64 encoded and unencrypted. In addition, the following limitations exist with managing sensitive data within Kubernetes secrets:
|
||
|
|
||
|
- There are no lease or time-to-live properties associated with these secrets.
|
||
|
- Kubernetes can only manage resources, such as secrets, within a cluster boundary. If you have sets of clusters, the resources across them need to be managed separately.
|
||
|
|
||
|
By leveraging Vault as a secrets backend for Consul on Kubernetes, you can now manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters.
|
||
|
|
||
|
### Secrets stored in the Vault KV Secrets Engine
|
||
|
|
||
|
The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets:
|
||
|
- ACL Bootstrap token
|
||
|
- ACL Partition token
|
||
|
- ACL Replication token
|
||
|
- Enterprise license
|
||
|
- Gossip encryption key
|
||
|
- Snapshot Agent config
|
||
|
|
||
|
|
||
|
### Secrets generated and managed by the Vault PKI Engine
|
||
|
|
||
|
The following TLS certificates and keys can be generated and managed by the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation:
|
||
|
- Server TLS credentials
|
||
|
- Service Mesh and Consul client TLS credentials
|
||
|
|
||
|
## Requirements
|
||
|
|
||
|
1. Vault 1.9+ and Vault-k8s 0.14+ is required.
|
||
|
1. Vault must be installed and accessible to the Consul on Kubernetes installation.
|
||
|
1. `global.tls.enableAutoencrypt=true` is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
|
||
|
1. The Vault installation must have been initialized, unsealed and the KV2 and PKI secrets engines and the Kubernetes Auth Method enabled.
|
||
|
## Next Steps
|
||
|
|
||
|
The Vault integration with Consul on Kubernetes has two aspects or phases:
|
||
|
- [Systems Integration](/docs/k8s/installation/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store.
|
||
|
- [Data Integration](/docs/k8s/installation/vault/data-integration) - Configure specific secrets to be stored and
|
||
|
retrieved from Vault for use with Consul on Kubernetes.
|
||
|
|
||
|
As a next step, please proceed to [Systems Integration](/docs/k8s/installation/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend.
|
||
|
|