Consul WAN Fed with Vault Secrets Backend document updates (#16597)
* Consul WAN Fed with Vault Secrets Backend document updates
* Corrected dc1-consul.yaml and dc2-consul.yaml file highlights
* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx
  Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx
  Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
---------
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
This commit is contained in:
parent
7f7f28e69c
commit
c76598234c
|
@ -311,12 +311,16 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
1. Update the Consul on Kubernetes helm chart.
|
1. Update the Consul on Kubernetes helm chart.
|
||||||
|
|
||||||
### Secrets and Policies
|
### Secrets and Policies
|
||||||
1. Store the ACL Replication Token, Gossip Encryption Key, and Root CA certificate secrets in Vault.
|
1. Store the ACL bootstrap and replication tokens, gossip encryption key, and root CA certificate secrets in Vault.
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ vault kv put consul/secret/gossip key="$(consul keygen)"
|
$ vault kv put consul/secret/gossip key="$(consul keygen)"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault kv put consul/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
|
||||||
|
```
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
|
$ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
|
||||||
```
|
```
|
||||||
|
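Review bot: the new bootstrap step writes the token to `consul/secret/bootstrap`, while the policy and Helm values elsewhere in this change read `consul/data/secret/bootstrap`; a short sentence in the surrounding text that the `data/` segment is the KV v2 API path for the same secret (the replication token already follows the same pattern) would keep readers from thinking two different secrets are involved. It is also worth saying explicitly that this is the ACL bootstrap token, the most privileged ACL credential in the cluster, so the reader understands why the later policy grants it only `read` and only to a single role.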
@ -334,6 +338,14 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ vault policy write bootstrap-token - <<EOF
|
||||||
|
path "consul/data/secret/bootstrap" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ vault policy write replication-token - <<EOF
|
$ vault policy write replication-token - <<EOF
|
||||||
path "consul/data/secret/replication" {
|
path "consul/data/secret/replication" {
|
||||||
|
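Review bot: the `bootstrap-token` policy is correctly limited to `read` on the single path `consul/data/secret/bootstrap`, matching the `replication-token` policy beneath it; consider adding one sentence stating that no Vault role other than `server-acl-init` should be bound to this policy, since the bootstrap token is the cluster's root ACL credential and that job is its only consumer in this guide.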
@ -409,7 +421,7 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
$ vault write auth/kubernetes-dc1/role/server-acl-init \
|
$ vault write auth/kubernetes-dc1/role/server-acl-init \
|
||||||
bound_service_account_names=consul-server-acl-init \
|
bound_service_account_names=consul-server-acl-init \
|
||||||
bound_service_account_namespaces="default" \
|
bound_service_account_namespaces="default" \
|
||||||
policies="replication-token" \
|
policies="bootstrap-token,replication-token" \
|
||||||
ttl=24h
|
ttl=24h
|
||||||
```
|
```
|
||||||
|
|
||||||
|
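Review bot: the role updated here is `auth/kubernetes-dc1/role/server-acl-init`, yet the section header says to repeat the steps for each datacenter; the text should state whether the secondary datacenter's `server-acl-init` role also needs `bootstrap-token` or only `replication-token`, because attaching the bootstrap policy to a role that does not need it widens access to the most privileged token for no benefit.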
@ -435,7 +447,7 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
|
|
||||||
1. Configure and install Consul in the primary datacenter (dc1).
|
1. Configure and install Consul in the primary datacenter (dc1).
|
||||||
|
|
||||||
<CodeBlockConfig filename="consul-dc1.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,25,26,27,28,29,30,33,34">
|
<CodeBlockConfig filename="consul-dc1.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,25,26,27,28,29,30,31,32,33,34">
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
global:
|
global:
|
||||||
|
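Review bot: the `highlight` attribute change only adds `31,32`, but the values hunk below inserts five new lines (`createFederationSecret`, `createReplicationToken`, `boostrapToken`, `secretName`, `secretKey`) into `consul-dc1.yaml`, so the previously highlighted `33,34` and everything after them shift down; please check the rendered block to confirm the highlighted range still covers exactly the `federation` and `acls` entries and does not spill onto unchanged lines.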
@ -460,8 +472,13 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
secretName: pki/cert/ca
|
secretName: pki/cert/ca
|
||||||
federation:
|
federation:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
createFederationSecret: false
|
||||||
acls:
|
acls:
|
||||||
manageSystemACLs: true
|
manageSystemACLs: true
|
||||||
|
createReplicationToken: true
|
||||||
|
boostrapToken:
|
||||||
|
secretName: consul/data/secret/bootstrap
|
||||||
|
secretKey: token
|
||||||
replicationToken:
|
replicationToken:
|
||||||
secretName: consul/data/secret/replication
|
secretName: consul/data/secret/replication
|
||||||
secretKey: token
|
secretKey: token
|
||||||
|
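Review bot: `boostrapToken:` is misspelled; the Helm value is `global.acls.bootstrapToken`, and as written the `secretName` and `secretKey` nested under it will be silently ignored, so the chart never learns where the bootstrap token lives in Vault even though the policy and role above were added for exactly that purpose. Change the key to `bootstrapToken:`. Separately, `createFederationSecret: false` and `createReplicationToken: true` are both new here and change behaviour, so a sentence in the surrounding text explaining why each is set that way would help readers who copy this file.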
@ -611,7 +628,7 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
|
|
||||||
-> **Note**: To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same. The intermediate path is different for each datacenter. In the `connectCA` Helm configuration for a secondary datacenter, you can specify a `intermediatePKIPath` that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. `dc2/connect-intermediate`).
|
-> **Note**: To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same. The intermediate path is different for each datacenter. In the `connectCA` Helm configuration for a secondary datacenter, you can specify a `intermediatePKIPath` that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. `dc2/connect-intermediate`).
|
||||||
|
|
||||||
<CodeBlockConfig filename="consul-dc2.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,23,24,25,26,29,30,31,32,33,34,37,38">
|
<CodeBlockConfig filename="consul-dc2.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,37,38">
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
global:
|
global:
|
||||||
|
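Review bot: the dc2 highlight gains `27,28`, but no change to the `consul-dc2.yaml` contents appears in this diff, so the new numbers cannot be checked against added lines here; please confirm on the rendered page that they land on the intended entries. Minor, in the unchanged note above: "a `intermediatePKIPath`" should read "an `intermediatePKIPath`".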
@ -673,4 +690,4 @@ Repeat the following steps for each datacenter in the cluster:
|
||||||
## Next steps
|
## Next steps
|
||||||
You have completed the process of federating the secondary datacenter (dc2) with the primary datacenter (dc1) using Vault as the Secrets backend. To validate that everything is configured properly, please confirm that all pods within both datacenters are in a running state.
|
You have completed the process of federating the secondary datacenter (dc2) with the primary datacenter (dc1) using Vault as the Secrets backend. To validate that everything is configured properly, please confirm that all pods within both datacenters are in a running state.
|
||||||
|
|
||||||
For further detail on specific Consul secrets that are available to be stored in Vault, please checkout the detailed information in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) area of the Consul on Kubernetes documentation.
|
For additional information about specific Consul secrets that you can store in Vault, refer to [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) in the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) documentation.
|
||||||
|
|
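Review bot: the rewording reads well; since the paragraph asks readers to confirm that pods in both datacenters are running, a concrete check such as `kubectl get pods` run against each datacenter's context would make the validation step actionable rather than leaving it as a general instruction.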