Consul WAN Fed with Vault Secrets Backend document updates (#16597)

* Consul WAN Fed with Vault Secrets Backend document updates

* Corrected dc1-consul.yaml and dc2-consul.yaml file highlights

* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
natemollica-dev 2023-03-10 12:45:32 -08:00 committed by GitHub
parent 7f7f28e69c
commit c76598234c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 5 deletions


@ -311,12 +311,16 @@ Repeat the following steps for each datacenter in the cluster:
1. Update the Consul on Kubernetes helm chart. 1. Update the Consul on Kubernetes helm chart.
### Secrets and Policies ### Secrets and Policies
1. Store the ACL Replication Token, Gossip Encryption Key, and Root CA certificate secrets in Vault. 1. Store the ACL bootstrap and replication tokens, gossip encryption key, and root CA certificate secrets in Vault.
```shell-session ```shell-session
$ vault kv put consul/secret/gossip key="$(consul keygen)" $ vault kv put consul/secret/gossip key="$(consul keygen)"
``` ```
```shell-session
$ vault kv put consul/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
```
```shell-session ```shell-session
$ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" $ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
``` ```
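Review bot: The new `vault kv put consul/secret/bootstrap` step sits under a heading that tells the reader to repeat the steps for each datacenter, yet the step text does not say whether the bootstrap token secret is needed in both datacenters or only where ACLs are bootstrapped (the primary, dc1, per the later install steps). Suggest adding a short qualifier to the first line, e.g. `Store the ACL bootstrap token (primary datacenter only), replication token, ...`, or a sentence stating that the same secret is read by both datacenters if that is the intent.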
@ -334,6 +338,14 @@ Repeat the following steps for each datacenter in the cluster:
EOF EOF
``` ```
```shell-session
$ vault policy write bootstrap-token - <<EOF
path "consul/data/secret/bootstrap" {
capabilities = ["read"]
}
EOF
```
```shell-session ```shell-session
$ vault policy write replication-token - <<EOF $ vault policy write replication-token - <<EOF
path "consul/data/secret/replication" { path "consul/data/secret/replication" {
@ -409,7 +421,7 @@ Repeat the following steps for each datacenter in the cluster:
$ vault write auth/kubernetes-dc1/role/server-acl-init \ $ vault write auth/kubernetes-dc1/role/server-acl-init \
bound_service_account_names=consul-server-acl-init \ bound_service_account_names=consul-server-acl-init \
bound_service_account_namespaces="default" \ bound_service_account_namespaces="default" \
policies="replication-token" \ policies="bootstrap-token,replication-token" \
ttl=24h ttl=24h
``` ```
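Review bot: Only `auth/kubernetes-dc1/role/server-acl-init` gains the `bootstrap-token` policy in this hunk. Since the section header instructs the reader to repeat the steps per datacenter, the text should state explicitly whether the corresponding `kubernetes-dc2` server-acl-init role (if the page defines one) also needs `policies="bootstrap-token,replication-token"` or should keep `replication-token` alone; leaving that implicit invites either an over-privileged dc2 role or a failed dc2 install.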
@ -435,7 +447,7 @@ Repeat the following steps for each datacenter in the cluster:
1. Configure and install Consul in the primary datacenter (dc1). 1. Configure and install Consul in the primary datacenter (dc1).
<CodeBlockConfig filename="consul-dc1.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,25,26,27,28,29,30,33,34"> <CodeBlockConfig filename="consul-dc1.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,25,26,27,28,29,30,31,32,33,34">
```yaml ```yaml
global: global:
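Review bot: The `consul-dc1.yaml` highlight list adds only `31,32`, but the later hunk for this same block inserts five lines (`createFederationSecret`, `createReplicationToken`, `boostrapToken`, `secretName`, `secretKey`), which shifts every subsequent line number in the rendered block. Re-check that `25` through `34` still cover the `acls` stanza after the insert, and that `33,34` still point at the intended `replicationToken` lines.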
@ -460,8 +472,13 @@ Repeat the following steps for each datacenter in the cluster:
secretName: pki/cert/ca secretName: pki/cert/ca
federation: federation:
enabled: true enabled: true
createFederationSecret: false
acls: acls:
manageSystemACLs: true manageSystemACLs: true
createReplicationToken: true
boostrapToken:
secretName: consul/data/secret/bootstrap
secretKey: token
replicationToken: replicationToken:
secretName: consul/data/secret/replication secretName: consul/data/secret/replication
secretKey: token secretKey: token
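Review bot: `boostrapToken:` is misspelled. The Helm value is `global.acls.bootstrapToken`, so as written the chart will not read the Vault path and the `secretName: consul/data/secret/bootstrap` / `secretKey: token` children beneath it are silently ignored, which defeats the purpose of the new `bootstrap-token` policy and role binding added earlier in this diff. Change the key to `bootstrapToken:`.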
@ -611,7 +628,7 @@ Repeat the following steps for each datacenter in the cluster:
-> **Note**: To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same. The intermediate path is different for each datacenter. In the `connectCA` Helm configuration for a secondary datacenter, you can specify a `intermediatePKIPath` that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. `dc2/connect-intermediate`). -> **Note**: To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same. The intermediate path is different for each datacenter. In the `connectCA` Helm configuration for a secondary datacenter, you can specify a `intermediatePKIPath` that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. `dc2/connect-intermediate`).
<CodeBlockConfig filename="consul-dc2.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,23,24,25,26,29,30,31,32,33,34,37,38"> <CodeBlockConfig filename="consul-dc2.yaml" linenumbers highlight="4,5,6,7,8,9,10,11,12,13,14,15,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,37,38">
```yaml ```yaml
global: global:
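Review bot: The `consul-dc2.yaml` highlight list gains `27,28`, but no hunk in this diff adds lines to the dc2 YAML block itself. Either dc2 is also meant to receive the `bootstrapToken` entries added to dc1 (in which case those lines are missing from this change), or the highlight adjustment should be verified against the unchanged dc2 block so the highlighted rows still line up with the keys the prose refers to.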
@ -673,4 +690,4 @@ Repeat the following steps for each datacenter in the cluster:
## Next steps ## Next steps
You have completed the process of federating the secondary datacenter (dc2) with the primary datacenter (dc1) using Vault as the Secrets backend. To validate that everything is configured properly, please confirm that all pods within both datacenters are in a running state. You have completed the process of federating the secondary datacenter (dc2) with the primary datacenter (dc1) using Vault as the Secrets backend. To validate that everything is configured properly, please confirm that all pods within both datacenters are in a running state.
For further detail on specific Consul secrets that are available to be stored in Vault, please checkout the detailed information in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) area of the Consul on Kubernetes documentation. For additional information about specific Consul secrets that you can store in Vault, refer to [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) in the [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) documentation.