From 141a43409ddd7ebc7f196533510850ce2682519f Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 23 Feb 2022 14:20:45 -0700 Subject: [PATCH] Adding documentation to store Enterprise License in Vault (#12375) * Adding documentation to store Enterprise License in Vault * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: mrspanishviking * Referencing Storing the Enterprise License in Vault from the Consul Enterprise installation instructions. * Added missing words about storing in Vault * Update website/content/docs/k8s/installation/vault/enterprise-license.mdx Co-authored-by: Kyle Schochenmaier * Clarifying that enterprise code block is just changes on top of your normal config. Co-authored-by: mrspanishviking Co-authored-by: Kyle Schochenmaier --- .../consul-enterprise.mdx | 5 +- .../installation/vault/enterprise-license.mdx | 98 +++++++++++++++++++ website/data/docs-nav-data.json | 4 + 3 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 website/content/docs/k8s/installation/vault/enterprise-license.mdx diff --git a/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx b/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx index 201257249..f27bf3baf 100644 --- a/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx
+++ b/website/content/docs/k8s/installation/deployment-configurations/consul-enterprise.mdx @@ -10,6 +10,8 @@ You can use this Helm chart to deploy Consul Enterprise by following a few extra Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. +-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/installation/vault/enterprise-license). + You can use the following commands to create the secret with name `consul-ent-license` and key `key`: ```bash @@ -45,7 +47,8 @@ server: -If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. +If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. +(These values arerequired on top ofyour normal configuration.) -> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`. diff --git a/website/content/docs/k8s/installation/vault/enterprise-license.mdx b/website/content/docs/k8s/installation/vault/enterprise-license.mdx new file mode 100644 index 000000000..8cdd9f233 --- /dev/null +++ b/website/content/docs/k8s/installation/vault/enterprise-license.mdx 
@@ -0,0 +1,98 @@ +--- +layout: docs +page_title: Storing Enterprise License in Vault +description: >- + Configuring the Consul Helm chart to use enterprise license stored in Vault. +--- + +# Storing the Enterprise License in Vault + +To use an enterprise license stored in Vault, the steps will be similar to [Storing Gossip Encryption Key in Vault](/docs/k8s/installation/vault/gossip). You need to do the following: + +1. Store an enterprise license key in Vault's KV2 secrets engine. +1. Create Vault Policies that allow read access to the key. +1. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients. + +## Configuring Vault + +First, store the license key in Vault: + +```shell-session +$ vault kv put secret/consul/enterpriselicense key="" +``` + +Next, you will need to create a policy that allows read access to this secret: + + + + +```HCL +path "secret/data/consul/enterpriselicense" { + capabilities = ["read"] +} +``` + + + +```shell-session +$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl +``` + +Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). 
+ +Next, you will create Kubernetes auth roles for the Consul server and client: + +```shell-session +$ vault write auth/kubernetes/role/consul-server \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=enterpriselicense-policy \ + ttl=1h +``` + +```shell-session +$ vault write auth/kubernetes/role/consul-client \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=enterpriselicense-policy \ + ttl=1h +``` + +To find out the service account names of the Consul server and client, +you can run the following `helm template` commands with your Consul on Kubernetes values file: + +- Generate Consul server service account name + ```shell-session + $ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul + ``` + +- Generate Consul client service account name + ```shell-session + $ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul + ``` + +## Deploying the Consul Helm chart + +Now that you have configured Vault, you can configure the Consul Helm chart to +use the enterprise license key in Vault: + + + +```yaml +global: + secretsBackend: + vault: + enabled: true + consulServerRole: consul-server + consulClientRole: consul-client + enterpriseLicense: + secretName: secret/data/consul/enterpriselicense + secretKey: key +``` + + + +Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault. +This should be the same path as the one you included in your Vault policy. +`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same +as the key you passed when creating the enterprise license secret in Vault. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 2f8e251a3..07e9782ba 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json 
@@ -478,6 +478,10 @@ "title": "Gossip Encryption Key", "path": "k8s/installation/vault/gossip" }, + { + "title": "Enterprise License", + "path": "k8s/installation/vault/enterprise-license" + }, { "title": "Server TLS", "path": "k8s/installation/vault/server-tls"
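Review bot: the added parenthetical in the second consul-enterprise.mdx hunk (`@@ -45,7 +47,8 @@`) is missing two spaces: `(These values arerequired on top ofyour normal configuration.)` should read `(These values are required on top of your normal configuration.)`. The `-`/`+` pair otherwise leaves the `< 1.10` sentence unchanged, so the fix is confined to that one added line.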
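Review bot: in the new enterprise-license.mdx hunk, the two `vault write auth/kubernetes/role/...` commands pass `policies=enterpriselicense-policy` on its own, yet the page opens by telling the reader the steps mirror the gossip-key page, so anyone who already created the `consul-server` and `consul-client` roles there will have that page's policy silently dropped: `vault write` on an existing auth role replaces the role, it does not append to its policy list. Say explicitly that `policies=` must list every policy the roles already carry (for example `policies=gossip-policy,enterpriselicense-policy`, using whatever name the gossip page chose), or tell the reader to run `vault read auth/kubernetes/role/consul-server` first. Three smaller points in the same hunk: `vault kv put secret/consul/enterpriselicense key=""` shows an empty value where a placeholder belongs, and pasting the `.hclic` contents onto the command line leaves the license in shell history, so `key=@consul.hclic` (read from a file) is the safer form to document; `bound_service_account_names=` and `bound_service_account_namespaces=` are likewise empty in both role commands, which Vault rejects, so they need visible placeholders; and the `helm template` commands are introduced as running "with your Consul on Kubernetes values file" but pass no `-f values.yaml`, so as written they render the chart defaults rather than the reader's actual service account names. Nits: the frontmatter `description` should read "use an enterprise license stored in Vault", and the policy fence is tagged `HCL` where the site's other fences use lowercase tags.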