Recommend using vault token auto-renew in 1.8.5 (#8945)

pull/8950/head
Luke Kysow 2020-10-13 16:18:19 -07:00 committed by GitHub
parent 5861402d51
commit bfcd9a5ee3
1 changed files with 19 additions and 1 deletions


@ -27,6 +27,12 @@ and `ca_provider` values for the provider you're using.
## Configuring Vault as a Connect CA ## Configuring Vault as a Connect CA
-> **NOTE:** If using Vault as your Connect CA, it's highly recommended to run a Consul version >= 1.8.5 that supports
token auto-renewal. With this feature, if the Vault token is [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable)
then Consul will automatically renew the token periodically. Without this feature, you
will need to [manually rotate](#manually-rotating-vault-tokens) the Vault
token before it expires.
### Primary Datacenter ### Primary Datacenter
To configure Vault as a CA provider for Consul Connect, To configure Vault as a CA provider for Consul Connect,
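Review bot: the new `-> **NOTE:**` paragraph promises that Consul "will automatically renew the token periodically" but leaves out the one limit a practitioner needs to know: Vault renews a token only up to its max TTL (`explicit_max_ttl`, or the mount/system max TTL), so a renewable token that is not a periodic token will still expire and still has to be rotated as described under the manual-rotation section. Suggest one extra sentence after the renewal claim, e.g. "Renewal cannot extend a token past its max TTL; use a periodic token, or plan to rotate the token before its max TTL is reached." Minor wording: "run a Consul version >= 1.8.5 that supports token auto-renewal" reads better as "run Consul 1.8.5 or later, which supports token auto-renewal".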
@ -34,6 +40,8 @@ first, create a provider configuration JSON file.
Please refer to [Vault as a Connect CA](/docs/connect/ca/vault) for the configuration options. Please refer to [Vault as a Connect CA](/docs/connect/ca/vault) for the configuration options.
You will need to provide a Vault token to the `token` property. You will need to provide a Vault token to the `token` property.
Please refer to [these docs](/docs/connect/ca/vault#token) for the permissions that the token needs to have. Please refer to [these docs](/docs/connect/ca/vault#token) for the permissions that the token needs to have.
This token should be [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable).
To provide a CA, you first need to create a Kubernetes secret containing the CA. To provide a CA, you first need to create a Kubernetes secret containing the CA.
For example, you may create a secret with the Vault CA like so: For example, you may create a secret with the Vault CA like so:
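Review bot: the added line "This token should be [renewable]" is too soft and does not say what depends on it. Renewability is the precondition for the auto-renewal the note above describes, and a non-renewable token can only be rotated by hand, so suggest making that explicit and linking forward: "The token must be renewable for Consul 1.8.5+ to renew it automatically; otherwise you will need to [manually rotate](#manually-rotating-vault-tokens) it before it expires." Since Vault tokens are renewable by default, it is also worth saying that creating the token with `-renewable=false` (on `vault token create`) is what would disable this.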
@ -160,8 +168,18 @@ Vault's CA in each secondary Kubernetes cluster.
Note that all secondary datacenters need to have access to the same Vault instance as the primary. Note that all secondary datacenters need to have access to the same Vault instance as the primary.
### Rotating Vault Tokens ### Manually Rotating Vault Tokens
If running Consul < 1.8.5 or using a Vault token that is not [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable)
then you will need to manually renew or rotate the Vault token before it expires.
#### Rotating Vault Token
Once the cluster is running, subsequent changes to the `ca_provider` config are **ignored**even if `consul reload` is run or the servers are restarted. Once the cluster is running, subsequent changes to the `ca_provider` config are **ignored**even if `consul reload` is run or the servers are restarted.
To update any settings under this key, you must use Consul's [Update CA Configuration](/api/connect/ca#update-ca-configuration) API or the [`consul connect ca set-config`](https://www.consul.io/docs/commands/connect/ca#set-config) command. To update any settings under this key, you must use Consul's [Update CA Configuration](/api/connect/ca#update-ca-configuration) API or the [`consul connect ca set-config`](https://www.consul.io/docs/commands/connect/ca#set-config) command.
#### Renewing Vault Token
To renew the Vault token, use the [`vault token renew`](https://www.vaultproject.io/docs/commands/token/renew) CLI command
or API.
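Review bot: the new intro sentence ("If running Consul < 1.8.5 or using a Vault token that is not renewable then you will need to manually renew or rotate the Vault token") is logically off for the second case: a token that is not renewable cannot be renewed at all, so "renew or rotate" only applies to the Consul < 1.8.5 case. Suggest splitting it: "If running Consul < 1.8.5, renew or rotate the token manually before it expires. If the token is not renewable, you must rotate it." The two new `####` subsections would also benefit from stating the operational difference: renewing with `vault token renew` changes nothing on the Consul side (the token string stays the same), whereas rotating means issuing a new token and pushing it to Consul through `consul connect ca set-config` or the Update CA Configuration API, because, as the carried-over paragraph says, edits to the `ca_provider` config file are ignored after the cluster is running. Minor: the subsection headings are singular ("Rotating Vault Token", "Renewing Vault Token") while the section heading is plural, and `**ignored**even` in the unchanged context is missing a space.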