From c76598234ce282651135309ae1f0f760f3da0082 Mon Sep 17 00:00:00 2001 From: natemollica-dev <57850649+natemollica-nm@users.noreply.github.com> Date: Fri, 10 Mar 2023 12:45:32 -0800 Subject: [PATCH] Consul WAN Fed with Vault Secrets Backend document updates (#16597) * Consul WAN Fed with Vault Secrets Backend document updates * Corrected dc1-consul.yaml and dc2-consul.yaml file highlights * Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- .../vault/wan-federation.mdx | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx index 5c2badb09..a243269f5 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx @@ -311,12 +311,16 @@ Repeat the following steps for each datacenter in the cluster: 1. Update the Consul on Kubernetes helm chart. ### Secrets and Policies -1. Store the ACL Replication Token, Gossip Encryption Key, and Root CA certificate secrets in Vault. +1. Store the ACL bootstrap and replication tokens, gossip encryption key, and root CA certificate secrets in Vault. ```shell-session $ vault kv put consul/secret/gossip key="$(consul keygen)" ``` + ```shell-session + $ vault kv put consul/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + ``` + ```shell-session $ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` 
@@ -334,6 +338,14 @@ Repeat the following steps for each datacenter in the cluster: EOF ``` + ```shell-session + $ vault policy write bootstrap-token - < + ```yaml global: @@ -460,8 +472,13 @@ Repeat the following steps for each datacenter in the cluster: secretName: pki/cert/ca federation: enabled: true + createFederationSecret: false acls: manageSystemACLs: true + createReplicationToken: true + boostrapToken: + secretName: consul/data/secret/bootstrap + secretKey: token replicationToken: secretName: consul/data/secret/replication secretKey: token @@ -611,7 +628,7 @@ Repeat the following steps for each datacenter in the cluster: -> **Note**: To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same. The intermediate path is different for each datacenter. In the `connectCA` Helm configuration for a secondary datacenter, you can specify a `intermediatePKIPath` that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. `dc2/connect-intermediate`). - + ```yaml global: 
@@ -673,4 +690,4 @@ Repeat the following steps for each datacenter in the cluster: ## Next steps You have completed the process of federating the secondary datacenter (dc2) with the primary datacenter (dc1) using Vault as the Secrets backend. To validate that everything is configured properly, please confirm that all pods within both datacenters are in a running state. -For further detail on specific Consul secrets that are available to be stored in Vault, please checkout the detailed information in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) area of the Consul on Kubernetes documentation. +For additional information about specific Consul secrets that you can store in Vault, refer to [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) in the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) documentation.
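Review bot: in the hunk at `@@ -460,8 +472,13 @@`, the key `boostrapToken:` under `acls:` is misspelled; the Helm value the chart reads is `global.acls.bootstrapToken`, so as written the `secretName: consul/data/secret/bootstrap` / `secretKey: token` pair under it will not be matched and the bootstrap token stored in Vault in the earlier step is never picked up. Suggested lines: `bootstrapToken:` / `  secretName: consul/data/secret/bootstrap` / `  secretKey: token`. In the same hunk, `createFederationSecret: false` and `createReplicationToken: true` are introduced with no accompanying prose; since the surrounding context reads "Repeat the following steps for each datacenter in the cluster", a sentence saying whether each setting is meant for the primary datacenter only or for every datacenter would keep readers from copying the same values into dc2 unchanged.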
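Review bot: in the hunk at `@@ -334,6 +338,14 @@`, the added `$ vault policy write bootstrap-token - <` command is incomplete: there is no heredoc body and no closing `EOF`, whereas the policy block directly above it in the context ends with `EOF` and a closing fence. As rendered, the page would show a truncated command that cannot be run. Suggest completing it in the same `- <<EOF ... EOF` shape as the neighbouring replication-token policy, granting only `read` on the `consul/data/secret/bootstrap` path that the Helm values in this patch reference, so the policy stays scoped to that single secret.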