2021-12-15 18:59:36 +00:00
---
layout: docs
2022-04-07 18:16:24 +00:00
page_title: Storing the Gossip Encryption Key in Vault
2021-12-15 18:59:36 +00:00
description: >-
2022-04-07 18:16:24 +00:00
Configuring the Consul Helm chart to use a gossip encryption key stored in Vault.
2021-12-15 18:59:36 +00:00
---
# Storing Gossip Encryption Key in Vault
2022-07-15 16:35:42 +00:00
This topic describes how to configure the Consul Helm chart to use TLS certificates issued by Vault in the Consul controller and connect inject webhooks.
2022-04-07 18:16:24 +00:00
## Overview
2022-10-11 14:58:52 +00:00
Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use a gossip encryption key stored in Vault.
2021-12-15 18:59:36 +00:00
2022-07-15 16:35:42 +00:00
Complete the following steps once:
2022-04-07 18:16:24 +00:00
1. Store the secret in Vault.
1. Create a Vault policy that authorizes the desired level of access to the secret.
2022-07-15 16:35:42 +00:00
Repeat the following steps for each datacenter in the cluster:
2022-04-07 18:16:24 +00:00
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
2022-06-17 16:23:54 +00:00
1. Update the Consul on Kubernetes helm chart.
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
2022-10-11 14:58:52 +00:00
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2021-12-15 18:59:36 +00:00
2022-07-15 16:35:42 +00:00
## Store the Secret in Vault
First, generate and store the gossip key in Vault. You will only need to perform this action once:
2021-12-15 18:59:36 +00:00
```shell-session
2022-01-21 19:01:48 +00:00
$ vault kv put secret/consul/gossip key="$(consul keygen)"
2021-12-15 18:59:36 +00:00
```
2022-07-15 16:35:42 +00:00
## Create Vault policy
2021-12-15 18:59:36 +00:00
2022-07-15 16:35:42 +00:00
Next, create a policy that allows read access to this secret.
2021-12-15 18:59:36 +00:00
2022-07-15 16:35:42 +00:00
The path to the secret referenced in the `path` resource is the same value that you will configure in the `global.gossipEncryption.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
2022-01-21 19:01:48 +00:00
<CodeBlockConfig filename="gossip-policy.hcl">
```HCL
2021-12-15 18:59:36 +00:00
path "secret/data/consul/gossip" {
capabilities = ["read"]
}
```
2022-01-21 19:01:48 +00:00
</CodeBlockConfig>
2022-04-07 18:16:24 +00:00
Apply the Vault policy by issuing the `vault policy write` CLI command:
2021-12-15 18:59:36 +00:00
```shell-session
2022-01-21 19:01:48 +00:00
$ vault policy write gossip-policy gossip-policy.hcl
2021-12-15 18:59:36 +00:00
```
2022-07-15 16:35:42 +00:00
## Create Vault Authorization Roles for Consul
2021-12-15 18:59:36 +00:00
Next, we will create Kubernetes auth roles for the Consul server and client:
```shell-session
2022-01-21 19:01:48 +00:00
$ vault write auth/kubernetes/role/consul-server \
2021-12-15 18:59:36 +00:00
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=gossip-policy \
ttl=1h
```
```shell-session
2022-01-21 19:01:48 +00:00
$ vault write auth/kubernetes/role/consul-client \
2021-12-15 18:59:36 +00:00
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=gossip-policy \
ttl=1h
```
To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:
2022-01-21 19:01:48 +00:00
- Generate Consul server service account name
```shell-session
2022-09-30 16:13:44 +00:00
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul -f values.yaml
2022-01-21 19:01:48 +00:00
```
- Generate Consul client service account name
```shell-session
2022-09-30 16:13:44 +00:00
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul -f values.yaml
2022-01-21 19:01:48 +00:00
```
2021-12-15 18:59:36 +00:00
2022-07-15 16:35:42 +00:00
## Update Consul on Kubernetes Helm chart
2021-12-15 18:59:36 +00:00
Now that we've configured Vault, you can configure the Consul Helm chart to
use the gossip key in Vault:
2022-01-21 19:01:48 +00:00
<CodeBlockConfig filename="values.yaml">
2021-12-15 18:59:36 +00:00
```yaml
global:
secretsBackend:
vault:
enabled: true
consulServerRole: consul-server
consulClientRole: consul-client
2022-01-06 05:35:28 +00:00
gossipEncryption:
secretName: secret/data/consul/gossip
secretKey: key
2021-12-15 18:59:36 +00:00
```
2022-01-21 19:01:48 +00:00
</CodeBlockConfig>
2021-12-15 18:59:36 +00:00
Note that `global.gossipEncryption.secretName` is the path of the secret in Vault.
This should be the same path as the one you'd include in your Vault policy.
`global.gossipEncryption.secretKey` is the key inside the secret data. This should be the same
as the key we passed when we created the gossip secret in Vault.
