docs: Clarification of Vault Consul K8s requirements for Auth Method (#11929)

* docs: Clarification of Vault Consul K8s requirements

* link back to requirements

* Update gossip.mdx

* Update index.mdx

* add details for K8s auth method requirement

* Update gossip.mdx

* Update server-tls.mdx

* Update connect-ca.mdx

* Update gossip.mdx

* Update server-tls.mdx

* Update website/content/docs/k8s/installation/vault/gossip.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/server-tls.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update website/content/docs/k8s/installation/vault/index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update index.mdx

* Update index.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
pull/11932/head
David Yu 2022-01-03 14:17:55 -08:00 committed by GitHub
parent 092436f927
commit 6bef2b2eb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 39 additions and 10 deletions


@ -11,6 +11,8 @@ description: >-
Consul allows using Kubernetes auth methods to configure Connect CA.
This allows for automatic token rotation once the renewal is no longer possible.
In order to create Vault auth roles for the Consul servers for this feature, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
To configure [Vault as the provider](/docs/connect/ca/vault) for the Consul service certificates,
you will first need to decide on the type of policy that is suitable for you.
To see the permissions that Consul would need in Vault, please see [Vault ACL policies](/docs/connect/ca/vault#vault-acl-policies)
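Review bot: the new requirement sentence ("In order to create Vault auth roles for the Consul servers for this feature, ensure that the Vault Kubernetes auth method is enabled ...") lands between two sentences that belong together (the Connect CA token-rotation statement and the "decide on the type of policy" guidance), so the paragraph now reads as three unrelated thoughts. Suggest moving it to the end of the paragraph, after the link to Vault ACL policies, so the flow is "what this feature does, which policy to pick, what Vault must have enabled". Also, the closing context line "please see [Vault ACL policies](/docs/connect/ca/vault#vault-acl-policies)" is missing its trailing period; worth fixing while this paragraph is being touched.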


@ -34,11 +34,7 @@ path "secret/data/consul/gossip" {
vault policy write gossip-policy gossip-policy.hcl
```
Prior to creating auth roles for the Consul server and client, ensure that the Vault Kubernetes auth method is enabled:
```shell-session
vault auth enable kubernetes
```
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Next, we will create Kubernetes auth roles for the Consul server and client:
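Review bot: replacing the inline `vault auth enable kubernetes` block with a link to `/docs/k8s/installation/vault#vault-kubernetes-auth-method` is the right call (one place to maintain the prerequisite), but the anchor only resolves if the index page's new heading stays exactly "Vault Kubernetes Auth Method"; please keep the two in sync if the heading is later renamed. Style nit: the new sentence says "the Consul servers and clients" while the unchanged next line says "the Consul server and client"; pick one number for both.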


@ -25,12 +25,47 @@ At a high level, there are two points of integration with Vault:
1. `global.tls.enableAutoencrypt=true` is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
1. The Vault installation must have been initialized, unsealed and the KV2 and PKI secrets engines enabled and the Kubernetes Auth Method enabled.
### Vault Helm Config
A minimal valid installation of Vault must include the Agent Injector:
```yaml
injector:
enabled: "true"
```
### Vault Kubernetes Auth Method
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled:
```shell-session
$ vault auth enable kubernetes
```
After enabling the Kubernetes auth method, in Vault, ensure that you have configured the Kubernetes Auth method properly as described in [Kubernetes Auth Method Configuration](https://www.vaultproject.io/docs/auth/kubernetes#configuration). The command should look simliar to the following with a custom `kubernetes_host` config provided from the information provided via `kubectl cluster-info`.
```shell-session
$ vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
### Vault KV Secrets Engine - Version 2
In order to utlize Vault as a secrets backend, we must enable thne [Vault KV secrets engine - Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
```shell-session
$ vault secrets enable -path=consul kv-v2
```
### Vault PKI Engine
The Vault PKI Engine must be enabled in order to leverage Vault for issuiing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](https://www.consul.io/docs/k8s/installation/vault/server-tls#bootstrapping-the-pki-engine) under the Server TLS section.
```shell-session
$ vault secrets enable pki
```
## Known Limitations
- TLS
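Review bot: the `vault write auth/kubernetes/config` example reads `token_reviewer_jwt` from `/var/run/secrets/kubernetes.io/serviceaccount/token` and builds `kubernetes_host` from `$KUBERNETES_PORT_443_TCP_ADDR`, which only exist inside a pod, yet the surrounding text tells the reader to take `kubernetes_host` from `kubectl cluster-info`. Say explicitly where the command is expected to run (for example, from a shell inside the Vault server pod) or give a variant that works from an operator's workstation; otherwise the quoted command fails outside the cluster. It would also help to state that the service account whose JWT is used as `token_reviewer_jwt` must be allowed to call the TokenReview API (the Vault Kubernetes auth docs linked in this hunk cover that), since a reviewer without that permission makes every Consul login fail with an opaque error. Typos in the added text: "simliar" -> "similar", "utlize" -> "utilize", "thne" -> "the", "issuiing" -> "issuing", and "More details for configuring the PKI Engine is found" -> "are found". Finally, the requirements line "must have been initialized, unsealed and the KV2 and PKI secrets engines enabled and the Kubernetes Auth Method enabled" would read better as a short list: initialized, unsealed, KV v2 secrets engine enabled, PKI secrets engine enabled, Kubernetes auth method enabled.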


@ -100,11 +100,7 @@ export DATACENTER=dc1
echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE, $NAME-server.$NAMESPACE.svc\"
```
Prior to creating the Kubernetes auth roles required for Consul to securely access Vault, ensure that the Vault Kubernetes Auth method is enabled:
```shell-session
vault auth enable kubernetes
```
Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components:
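Review bot: the removed sentence explained why the auth method matters ("required for Consul to securely access Vault"); the replacement drops that rationale and only names the prerequisite. Consider keeping the purpose clause, e.g. "Prior to creating the Vault auth roles that Consul uses to authenticate to Vault, ensure that ...", so readers on this page still learn what the roles are for. The new wording "the Consul server and the Consul components" does match the next line, which is good; the same link anchor caveat as for the gossip page applies here (it must track the "Vault Kubernetes Auth Method" heading on the index page).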