github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
consul/website/content/docs/k8s/installation/vault/enterprise-license.mdx

99 lines
3.2 KiB
Markdown
Raw Blame History

---
layout: docs
page_title: Storing Enterprise License in Vault
description: >-
Configuring the Consul Helm chart to use enterprise license stored in Vault.
---
# Storing the Enterprise License in Vault
To use an enterprise license stored in Vault, the steps will be similar to [Storing Gossip Encryption Key in Vault](/docs/k8s/installation/vault/gossip). You need to do the following:
1. Store an enterprise license key in Vault's KV2 secrets engine.
1. Create Vault Policies that allow read access to the key.
1. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.
## Configuring Vault
First, store the license key in Vault:
```shell-session
$ vault kv put secret/consul/enterpriselicense key="<enterprise license>"
```
Next, you will need to create a policy that allows read access to this secret:
<CodeBlockConfig filename="enterpriselicense-policy.hcl">
```HCL
path "secret/data/consul/enterpriselicense" {
capabilities = ["read"]
}
```
</CodeBlockConfig>
```shell-session
$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl
```
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Next, you will create Kubernetes auth roles for the Consul server and client:
```shell-session
$ vault write auth/kubernetes/role/consul-server \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
```
```shell-session
$ vault write auth/kubernetes/role/consul-client \
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
```
To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:
- Generate Consul server service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
```
- Generate Consul client service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
```
## Deploying the Consul Helm chart
Now that you have configured Vault, you can configure the Consul Helm chart to
use the enterprise license key in Vault:
<CodeBlockConfig filename="values.yaml">
```yaml
global:
secretsBackend:
vault:
enabled: true
consulServerRole: consul-server
consulClientRole: consul-client
enterpriseLicense:
secretName: secret/data/consul/enterpriselicense
secretKey: key
```
</CodeBlockConfig>
Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the enterprise license secret in Vault.
Reference in New Issue View Git Blame Copy Permalink