mirror of https://github.com/hashicorp/consul
Merge pull request #15033 from hashicorp/docs/fix-front-matter-typo
Docs/fix front matter typo
pull/14974/head
commit
588a196c86
@ -1,43 +1,31 @@
|
||||||
"---
|
---
|
||||||
layout: docs
|
layout: docs
|
||||||
page_title: Configure Certificate Authority (CA) for Consul on Kubernetes
|
page_title: Configure Certificate Authority (CA) for Consul on Kubernetes
|
||||||
description: >-
|
description: >-
|
||||||
Consul includes a built-in CA, but when bootstrapping a cluster on k8s, you can configure your service mesh to use a custom certificate provider instead. Learn how to configure Vault as an external CA in primary and secondary datacenters and manually rotate Vault tokens.
|
Consul includes a built-in CA, but when bootstrapping a cluster on k8s, you can configure your service mesh to use a custom certificate provider instead. Learn how to configure Vault as an external CA in primary and secondary datacenters and manually rotate Vault tokens.
|
||||||
---"
|
---
|
||||||
|
|
||||||
# Configure Certificate Authority (CA) for Consul on Kubernetes
|
# Configure Certificate Authority for Consul on Kubernetes
|
||||||
|
|
||||||
~> **NOTE:** The instructions below should only be used for initially bootstrapping a cluster with **Consul K8s 0.38.0+.**
|
If `connect` is enabled, the built-in Consul certificate authority (CA) is automatically enabled for the service mesh CA. You can use different CA providers with Consul service mesh. Refer to [Connect Certificate Management](/docs/connect/ca) for supported providers.
|
||||||
To update the Connect CA provider on an existing cluster or to update any properties, such as tokens, of the CA provider,
|
|
||||||
please use the [Update CA Configuration Endpoint](/api-docs/connect/ca#update-ca-configuration).
|
|
||||||
|
|
||||||
Consul has support for different certificate authority (CA) providers to be used with the Consul Service Mesh.
|
## Overview
|
||||||
Please see [Connect Certificate Management](/docs/connect/ca) for the information on the providers
|
|
||||||
we currently support.
|
|
||||||
|
|
||||||
If Connect is enabled, the built-in Consul CA is automatically enabled for the Connect CA.
|
You should only complete the following instructions during the initial cluster bootstrapping procedure with Consul K8s CLI 0.38.0 or later. To update the Consul service mesh CA provider on an existing cluster or to update any provider properties, such as tokens, refer to [Update CA Configuration Endpoint](/api-docs/connect/ca#update-ca-configuration).
|
||||||
To configure an external CA provider via the Consul Helm chart, you need to follow three steps:
|
|
||||||
|
To configure an external CA provider using the Consul Helm chart, complete the following steps:
|
||||||
|
|
||||||
1. Create a configuration file containing your provider information.
|
1. Create a configuration file containing your provider information.
|
||||||
1. Create a Kubernetes secret containing the configuration file.
|
1. Create a Kubernetes secret containing the configuration file.
|
||||||
1. Reference the Kubernetes secret in the [`server.extraVolumes`](/docs/k8s/helm#v-server-extravolumes) value in the Helm chart.
|
1. Reference the Kubernetes secret in the [`server.extraVolumes`](/docs/k8s/helm#v-server-extravolumes) value in the Helm chart.
|
||||||
|
|
||||||
To configure the Vault Connect Provider please see [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca).
|
To configure the Vault service mesh provider, refer to [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca).
|
||||||
|
|
||||||
|
|
||||||
~> **NOTE:** The following instructions are only valid for Consul-k8s 0.37.0 and prior.
|
|
||||||
|
|
||||||
Below we will go over the process for configuring Vault as the Connect CA.
|
|
||||||
However, other providers can similarly be configured during initial bootstrap of the cluster
|
|
||||||
by providing the appropriate [`ca_config`] and [`ca_provider`] values for the provider you're using.
|
|
||||||
|
|
||||||
## Configuring Vault as a Connect CA (Consul K8s 0.37.0 and earlier)
|
## Configuring Vault as a Connect CA (Consul K8s 0.37.0 and earlier)
|
||||||
|
|
||||||
-> **NOTE:** If using Vault as your Connect CA, it's highly recommended to run a Consul version >= 1.8.5 that supports
|
The following instructions are only valid for Consul K8s CLI 0.37.0 and prior. It describes how to configure Vault as the Connect CA. You can configure other providers during initial bootstrap of the cluster by providing the appropriate [`ca_config`] and [`ca_provider`] values for your provider.
|
||||||
token auto-renewal. With this feature, if the Vault token is [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable)
|
|
||||||
then Consul will automatically renew the token periodically. Without this feature, you
|
-> **Auto-renewal:** If using Vault as your Connect CA, we strongly recommend Consul 1.8.5 or later, which includes support for token auto-renewal. If the Vault token is [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable), then Consul automatically renews the token periodically. Otherwise, you must [manually rotate](#manually-rotating-vault-tokens) the Vault token before it expires.
|
||||||
will need to [manually rotate](#manually-rotating-vault-tokens) the Vault
|
|
||||||
token before it expires.
|
|
||||||
|
|
||||||
### Primary Datacenter
|
### Primary Datacenter
|
||||||
|
|
||||||
|
|
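Review bot: The rewritten version gates narrow the constraint to the CLI where the old text did not: `~> **NOTE:** ... Consul K8s 0.38.0+` becomes `... Consul K8s CLI 0.38.0 or later`, and `Consul-k8s 0.37.0 and prior` becomes `Consul K8s CLI 0.37.0 and prior`. The procedure that follows is Helm-chart configuration (`server.extraVolumes` in the Helm chart), so the version gate applies to consul-k8s whether it is installed with the CLI or with `helm` directly; suggest keeping "Consul K8s 0.38.0 or later" (or "consul-k8s Helm chart 0.38.0 or later") rather than "Consul K8s CLI". Minor: in the 0.37.0 paragraph, "The following instructions are only valid ... It describes how to configure Vault" mismatches in number; "They describe" or "This section describes" reads correctly. The front-matter change itself, dropping the stray `"` around the opening and closing `---` delimiters, is the right fix, since the quoted delimiters would keep the block from being parsed as YAML front matter.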