docs: provide more example CLI commands and reference Vault (#11528)

* docs: provide more example CLI commands and reference Vault * Extra formatting * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * adding more detail around gossip encryption rotation precautions * Update website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-11-10 12:05:20 -08:00 · 2021-11-10 12:05:20 -08:00 · f1d1c12ad5
parent 0c5fdb167d
commit f1d1c12ad5
1 changed files with 101 additions and 80 deletions
--- a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx
+++ b/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx
@ -8,113 +8,134 @@ description: Rotate the Gossip Encryption Key on Kubernetes Cluster safely
 The following instructions provides a step-by-step manual process for rotating [gossip encryption](/docs/security/encryption#gossip-encryption) keys on Consul clusters that are deployed onto a Kubernetes cluster with Consul on Kubernetes.
-  **Note:** In case of federated Consul clusters, perform the following steps in the primary datacenter.
+The following steps should only be performed in the *primary datacenter* if your Consul clusters are [federated](https://www.consul.io/docs/k8s/installation/multi-cluster/kubernetes). Rotating the gossip encryption in the primary datacenter will automatically rotate the gossip encryption in the secondary datacenters. 
-1. Generate a new key:
+-> **Note:** Careful precaution should be taken to prohibit new clients from joining during the gossip encryption rotation process, otherwise the new clients will join the gossip pool without knowledge of the new primary gossip encryption key. In addition, deletion of a gossip encryption key from the keyring should occur only after clients have safely migrated to utilizing the new gossip encryption key for communication. 
-  ```shell-session
+1. (Optional) If Consul is installed in a dedicated namespace, set the kubeConfig context to the consul namespace. Otherwise, subsequent commands will need to include -n consul.
  consul keygen
  ```
  This should generate a new key which can be used as the gossip encryption key. In this example, we will be using
  `Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w=` as the replacement gossip encryption key.
-2. Add new key to consul keyring.
+    ```shell-session
    kubectl config set-context --current --namespace=consul
    ```
 1. Generate a new key and store in safe place for retrieval in the future ([Vault KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv/kv-v2#usage) is a recommended option). 
-  `kubectl exec` into a Consul Agent pod (Server or Client) and add the new key to the Consul Keyring. This can be performed by running the following command:
+    ```shell-session
    consul keygen
    ```
-  **Note:** If ACLs are enabled, export the bootstrap token as the CONSUL_HTTP_TOKEN to perform all `consul keyring` operations. The bootstrap token can be found in the Kubernetes secret `consul-bootstrap-acl-token` of the primary datacenter.
+    This should generate a new key which can be used as the gossip encryption key. In this example, we will be using
    `Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w=` as the replacement gossip encryption key.
-  ```shell-session
+1. Add new key to consul keyring.
  consul keyring -install="Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="
  ==> Installing new gossip encryption key...
  ```
  Consul automatically propagates this encryption key across all Clients and Servers across the cluster and the federation if Consul federation is enabled.
-  List the keys in the keyring to verify the new key has been installed successfully.
+    1. `kubectl exec` into a Consul Agent pod (Server or Client) and add the new key to the Consul Keyring. This can be performed by running the following command:
-  ```shell-session
+        ```shell-session
-  consul keyring -list
+        kubectl exec -it consul-server-0 -- /bin/sh
-  ==> Gathering installed encryption keys...
+        ```
-  WAN:
+    1. **Note:** If ACLs are enabled, export the bootstrap token as the CONSUL_HTTP_TOKEN to perform all `consul keyring` operations. The bootstrap token can be found in the Kubernetes secret `consul-bootstrap-acl-token` of the primary datacenter.
    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [2/2]
    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [2/2]
-  dc1 (LAN):
+        ```shell-session
-    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
+        export CONSUL_HTTP_TOKEN=<INSERT BOOTSTRAP ACL TOKEN>
-    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
+        ```
-  dc2 (LAN):
+    1. Install the new Gossip encryption key with the `consul keyring` command:
    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
  ```
-3. Use the new key as the gossip encryption key.
+        ```shell-session
        consul keyring -install="Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="
        ==> Installing new gossip encryption key...
        ```
        Consul automatically propagates this encryption key across all clients and servers across the cluster and the federation if Consul federation is enabled.
-  Once the new key has been added to the keychain, you can install it as the new gossip encryption key. In order to do so
+    1. List the keys in the keyring to verify the new key has been installed successfully.
  run the following while remaining `kubectl exec`'d in the Consul Agent pod.
-  ```shell-session
+        ```shell-session
-  consul keyring -use="Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="
+        consul keyring -list
-  ==> Changing primary gossip encryption key...
+        ==> Gathering installed encryption keys...
  ```
-  You can ensure that the key has been propagated to all agents by verifying the number of agents that recognize the key over the number of total agents in the datacenter. Listing them provides that information.
+        WAN:
          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [2/2]
          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [2/2]
-  ```shell-session
+        dc1 (LAN):
-  consul keyring -list
+          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
-  ==> Gathering installed encryption keys...
+          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
-  WAN:
+        dc2 (LAN):
-    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [2/2]
+          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
-    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [2/2]
+          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
        ```
-  dc1 (LAN):
+1. Use the new key as the gossip encryption key.
    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
-  dc2 (LAN):
+    1. After the new key has been added to the keychain, you can install it as the new gossip encryption key. Run the following command in the Consul Agent pod using `kubectl exec`:
    CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
    Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
  ```
-4. Update the Kubernetes secrets with the latest gossip encryption key.
+        ```shell-session
        consul keyring -use="Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="
        ==> Changing primary gossip encryption key...
        ```
-  In order for subsequent `helm upgrades` commands to be successfully executed without unexpected behavior, it is important to update the gossip encryption Kubernetes Secret with
+    1. You can ensure that the key has been propagated to all agents by verifying the number of agents that recognize the key over the number of total agents in the datacenter. Listing them provides that information.
  the value of the new gossip encryption key.
-  The name of the secret which stores the value of the gossip encryption key can be found in the Helm values file:
+        ```shell-session
-  ```yaml
+        consul keyring -list
-  global:
+        ==> Gathering installed encryption keys...
    gossipEncryption:
       secretName: consul-gossip-encryption-key
       secretKey: key
  ```
-  ```shell-session
+        WAN:
-  kubectl patch secret consul-gossip-encryption-key -p '{"stringData":{"key": "Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="}}'
+          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [2/2]
-  ```
+          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [2/2]
-  **Note:** In the case of federated Consul clusters, update the federation-secret value for the gossip encryption key. The name of the secret and key can be found in the values file of the secondary datacenter.
+        dc1 (LAN):
          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
-  ```yaml
+        dc2 (LAN):
-  global:
+          CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA= [4/4]
-     gossipEncryption:
+          Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w= [4/4]
-       secretName: consul-federation
+        ```
       secretKey: gossipEncryptionKey
  ```
-  ```shell-session
+1. Update the Kubernetes secrets with the latest gossip encryption key.
  kubectl patch secret consul-federation -p '{"stringData":{"gossipEncryptionKey": "Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="}}'
  ```
-5. Remove the old key once the new one has been installed successfully.
+    Update the gossip encryption Kubernetes Secret with the value of the new gossip encryption key to ensure that subsequent `helm upgrades` commands execute successfully.
    The name of the secret that stores the value of the gossip encryption key can be found in the Helm values file:
    ```yaml
    global:
      gossipEncryption:
         secretName: consul-gossip-encryption-key
         secretKey: key
    ```
-  `kubectl exec` into a Consul Agent pod (Server or Client) and add the new key to the Consul Keyring. This can be performed by running the following command:
+    ```shell-session
    kubectl patch secret consul-gossip-encryption-key -p '{"stringData":{"key": "Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="}}'
    ```
-  **Note:** If ACLs are enabled, export the bootstrap token as the CONSUL_HTTP_TOKEN to perform all `consul keyring` operations.
+    **Note:** In the case of federated Consul clusters, update the federation-secret value for the gossip encryption key. The name of the secret and key can be found in the values file of the secondary datacenter.
-  ```shell-session
+    ```yaml
-  consul keyring -remove="CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA="
+    global:
-  ==> Removing gossip encryption key...
+       gossipEncryption:
-  ```
+         secretName: consul-federation
         secretKey: gossipEncryptionKey
    ```
    ```shell-session
    kubectl patch secret consul-federation -p '{"stringData":{"gossipEncryptionKey": "Wa6/XFAnYy0f9iqVH2iiG+yore3CqHSemUy4AIVTa/w="}}'
    ```
 1. Remove the old key once the new one has been installed successfully.
    1. `kubectl exec` into a Consul Agent pod (server or client) and add the new key to the Consul Keyring. This can be performed by running the following command:
        ```shell-session
        kubectl exec -it consul-server-0 -- /bin/sh
        ```
    1. **Note:** If ACLs are enabled, export the bootstrap token as the CONSUL_HTTP_TOKEN to perform all `consul keyring` operations.
        ```shell-session
        export CONSUL_HTTP_TOKEN=<INSERT BOOTSTRAP ACL TOKEN>
        ```
    1. Remove old Gossip encryption key with the `consul keyring` command:
        ```shell-session
        consul keyring -remove="CL6M+jKj3630CZLXI0IRVeyci1jgIAveiZKvdtTybbA="
        ==> Removing gossip encryption key...
        ```