Recommend using vault token auto-renew in 1.8.5 (#8945)

Luke Kysow 2020-10-13 16:18:19 -07:00 committed by GitHub
parent 10c28dd56a
commit 4cdb2ca066
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 19 additions and 1 deletion


@ -27,6 +27,12 @@ and `ca_provider` values for the provider you're using.
## Configuring Vault as a Connect CA
-> **NOTE:** If using Vault as your Connect CA, it's highly recommended to run a Consul version >= 1.8.5 that supports
token auto-renewal. With this feature, if the Vault token is [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable)
then Consul will automatically renew the token periodically. Without this feature, you
will need to [manually rotate](#manually-rotating-vault-tokens) the Vault
token before it expires.
### Primary Datacenter
To configure Vault as a CA provider for Consul Connect,
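Review bot: the new NOTE recommends Consul >= 1.8.5 but never says what happens when the Vault token expires without being renewed, so an operator reading it cannot judge how urgent the upgrade or the manual rotation is; add one sentence on the operational consequence of an expired token before the "manually rotate" link. The in-file anchor `#manually-rotating-vault-tokens` matches the heading introduced later in this patch, so that link is consistent.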
@ -34,6 +40,8 @@ first, create a provider configuration JSON file.
Please refer to [Vault as a Connect CA](/docs/connect/ca/vault) for the configuration options.
You will need to provide a Vault token to the `token` property.
Please refer to [these docs](/docs/connect/ca/vault#token) for the permissions that the token needs to have.
This token should be [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable).
To provide a CA, you first need to create a Kubernetes secret containing the CA.
For example, you may create a secret with the Vault CA like so:
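Review bot: "This token should be [renewable]" reads as advice, while the NOTE earlier in this patch makes renewability the precondition for auto-renew; say which it is, e.g. "For Consul >= 1.8.5 to renew the token automatically it must be renewable; otherwise see Manually Rotating Vault Tokens." A pointer to how the operator can inspect the `renewable` flag on the token they are about to put in the `token` property would also help, since the linked API doc describes the field but not how to check an existing token.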
@ -160,8 +168,18 @@ Vault's CA in each secondary Kubernetes cluster.
Note that all secondary datacenters need to have access to the same Vault instance as the primary.
### Rotating Vault Tokens
### Manually Rotating Vault Tokens
If running Consul < 1.8.5 or using a Vault token that is not [renewable](https://www.vaultproject.io/api-docs/auth/token#renewable)
then you will need to manually renew or rotate the Vault token before it expires.
#### Rotating Vault Token
Once the cluster is running, subsequent changes to the `ca_provider` config are **ignored**even if `consul reload` is run or the servers are restarted.
To update any settings under this key, you must use Consul's [Update CA Configuration](/api/connect/ca#update-ca-configuration) API or the [`consul connect ca set-config`](https://www.consul.io/docs/commands/connect/ca#set-config) command.
#### Renewing Vault Token
To renew the Vault token, use the [`vault token renew`](https://www.vaultproject.io/docs/commands/token/renew) CLI command
or API.
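Review bot: renaming `### Rotating Vault Tokens` to `### Manually Rotating Vault Tokens` (the one deletion in this commit) changes the section anchor; the NOTE added in the first hunk links `#manually-rotating-vault-tokens`, but any other docs page linking `#rotating-vault-tokens` will now break, so grep the docs tree for the old anchor. Two smaller points in the same hunk: the context line `**ignored**even if` is missing a space after the closing `**`, and the `#### Rotating Vault Token` subsection only says that `ca_provider` changes must go through the Update CA Configuration API or `consul connect ca set-config`, not that rotating means issuing a new Vault token and supplying it in the `token` property through that call; state the step explicitly so the reader does not have to infer it from the earlier hunk.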