Backport of Fix formatting for webhook-certs Consul tutorial into release/1.16.x (#17820)
* no-op commit due to failed cherry-picking
* Fix formatting for webhook-certs Consul tutorial (#17810)
  * Fix formatting for webhook-certs Consul tutorial
  * Make a small grammar change to also pick up whitespace changes necessary for formatting

Co-authored-by: David Yu <dyu@hashicorp.com>

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Steven Zamborsky <97125550+stevenzamborsky@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
parent e949c3fccc
commit d29410853a
@ -14,16 +14,16 @@ In a Consul Helm chart configuration that does not use Vault, `webhook-cert-mana
When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes:
When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes:
- `webhook-cert-manager` is no longer deployed to the cluster.
- `webhook-cert-manager` is no longer deployed to the cluster.
- controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
- Controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
- controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
- Controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
- controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Vault manages certificate rotation and rotates certificates to each webhook.
- Vault manages certificate rotation and rotates certificates to each webhook.
To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section:
To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section:
These following steps will be repeated for each datacenter:
These following steps will be repeated for each datacenter:
1. Create a Vault policy that authorizes the desired level of access to the secret.
1. Create a Vault policy that authorizes the desired level of access to the secret.
1. (Added) Create Vault PKI roles for controller and connect inject each that establish the domains that each is allowed to issue certificates for.
1. (Added) Create Vault PKI roles for controller and connect inject that each establish the domains that each is allowed to issue certificates for.
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
1. Configure the Vault Kubernetes auth roles in the Consul on Kubernetes helm chart.
1. Configure the Vault Kubernetes auth roles in the Consul on Kubernetes helm chart.
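Review bot: the three bullets that now start with "Controller and connect inject each ..." still have a number mismatch in the first one ("each get their webhook certificates from its own Vault PKI mount"); suggest "each gets its webhook certificate from its own Vault PKI mount" so subject, verb and possessive agree, and the same pattern for the two bullets that follow ("each needs to be configured with its own Vault Role", "each locally updates its own `mutatingwebhookconfiguration`"). The unchanged context line "These following steps will be repeated for each datacenter:" reads better as "The following steps must be repeated for each datacenter:". Since the bullets state that each webhook has its own PKI mount and its own Vault role scoped to that mount, the "(Added)" step would benefit from one sentence saying that the PKI role's allowed domains and the role's permissions are what keep the controller and connect inject from issuing certificates from each other's mount; that is the least-privilege point a reader configuring this should take away.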
@ -112,6 +112,7 @@ this is required for the Consul components to communicate with the Consul server
}
}
EOF
EOF
```
```
1. Configure allowed domains for PKI certificates.
1. Configure allowed domains for PKI certificates.
```shell-session
```shell-session
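Review bot: the single added line in this hunk is the blank line between the closing ``` fence of the heredoc block (the `}` / `EOF` lines) and the next step "1. Configure allowed domains for PKI certificates."; check that both the fence and that blank line keep the indentation of the enclosing list item, otherwise Markdown closes the list and the following step renders as a new list starting at 1 rather than continuing the numbering. The ```shell-session fence that opens the next command block should be indented the same way for the same reason.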
@ -153,10 +154,10 @@ this is required for the Consul components to communicate with the Consul server
1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks.
1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks.
The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
Role for Consul controller webhooks:
Role for Consul controller webhooks:
```shell-session
```shell-session
$ vault write auth/kubernetes/role/controller-role \
$ vault write auth/kubernetes/role/controller-role \
bound_service_account_names=<Consul controller service account> \
bound_service_account_names=<Consul controller service account> \
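Review bot: the sentence "The path to the secret referenced in the `path` resource is the same values that you will configure in `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole`" has a number mismatch ("is the same values") and, more importantly, points the reader at the wrong thing: the command that follows creates the Kubernetes auth role `controller-role`, and it is that role name, not a policy path, that the two Helm values must match. Suggest: "The names of the Kubernetes auth roles created below (for example `controller-role`) are the values you will set in `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole`." In the command itself, `bound_service_account_names=<Consul controller service account>` should be the exact service account the controller runs as; a broader value lets any workload using that account obtain the controller's webhook certificate, which defeats the per-webhook role separation the bullets above describe.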