Backport of Fix formatting for webhook-certs Consul tutorial into release/1.16.x (#17820)

* no-op commit due to failed cherry-picking

* Fix formatting for webhook-certs Consul tutorial (#17810)

* Fix formatting for webhook-certs Consul tutorial
* Make a small grammar change to also pick up whitespace changes necessary for formatting

---------

Co-authored-by: David Yu <dyu@hashicorp.com>

---------

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Steven Zamborsky <97125550+stevenzamborsky@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
This commit is contained in:
hc-github-team-consul-core 2023-06-22 02:21:09 -04:00 committed by GitHub
parent e949c3fccc
commit d29410853a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 35 deletions

View File

@ -14,16 +14,16 @@ In a Consul Helm chart configuration that does not use Vault, `webhook-cert-mana
When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes: When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes:
- `webhook-cert-manager` is no longer deployed to the cluster. - `webhook-cert-manager` is no longer deployed to the cluster.
- controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent. - Controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
- controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount. - Controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
- controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events. - Controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Vault manages certificate rotation and rotates certificates to each webhook. - Vault manages certificate rotation and rotates certificates to each webhook.
To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section: To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section:
These following steps will be repeated for each datacenter: These following steps will be repeated for each datacenter:
1. Create a Vault policy that authorizes the desired level of access to the secret. 1. Create a Vault policy that authorizes the desired level of access to the secret.
1. (Added) Create Vault PKI roles for controller and connect inject each that establish the domains that each is allowed to issue certificates for. 1. (Added) Create Vault PKI roles for controller and connect inject that each establish the domains that each is allowed to issue certificates for.
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access. 1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
1. Configure the Vault Kubernetes auth roles in the Consul on Kubernetes helm chart. 1. Configure the Vault Kubernetes auth roles in the Consul on Kubernetes helm chart.
@ -112,6 +112,7 @@ this is required for the Consul components to communicate with the Consul server
} }
EOF EOF
``` ```
1. Configure allowed domains for PKI certificates. 1. Configure allowed domains for PKI certificates.
```shell-session ```shell-session
@ -153,10 +154,10 @@ this is required for the Consul components to communicate with the Consul server
1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks. 1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks.
The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)). The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
Role for Consul controller webhooks: Role for Consul controller webhooks:
```shell-session ```shell-session
$ vault write auth/kubernetes/role/controller-role \ $ vault write auth/kubernetes/role/controller-role \
bound_service_account_names=<Consul controller service account> \ bound_service_account_names=<Consul controller service account> \