open-consul/website/content/docs/k8s/installation/vault/gossip.mdx


---
layout: docs
page_title: Storing Gossip Encryption Key in Vault
description: >-
Configuring the Consul Helm chart to use gossip encryption key stored in Vault.
---
# Storing Gossip Encryption Key in Vault
To use a gossip encryption key stored in Vault, we need to do the following:
1. Generate and store an encryption key in Vault.
1. Create a policy that allows the Consul clients and servers to read that key.
1. Create Kubernetes auth roles that link the policy from step 2 to the Kubernetes service accounts of the Consul servers and clients.
## Configuring Vault
First, generate and store the gossip key in Vault:
```shell-session
$ vault kv put secret/consul/gossip key="$(consul keygen)"
```
Next, we will need to create a policy that allows read access to this secret. Note the `data/` segment in the policy path: `vault kv put` omits it, but when `secret/` is a KV version 2 secrets engine (as assumed here), the API path that policies and the Helm chart use inserts `data/` after the mount name:
<CodeBlockConfig filename="gossip-policy.hcl">
```HCL
path "secret/data/consul/gossip" {
  capabilities = ["read"]
}
```
</CodeBlockConfig>
```shell-session
$ vault policy write gossip-policy gossip-policy.hcl
```
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).
Next, we will create Kubernetes auth roles for the Consul server and client:
```shell-session
$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=gossip-policy \
    ttl=1h
```
```shell-session
$ vault write auth/kubernetes/role/consul-client \
    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=gossip-policy \
    ttl=1h
```
To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:
- Generate Consul server service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
```
- Generate Consul client service account name
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
```
## Deploying the Consul Helm chart
Now that we've configured Vault, you can configure the Consul Helm chart to
use the gossip key in Vault:
<CodeBlockConfig filename="values.yaml">
```yaml
global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  gossipEncryption:
    secretName: secret/data/consul/gossip
    secretKey: key
```
</CodeBlockConfig>
Note that `global.gossipEncryption.secretName` is the path of the secret in Vault as seen through the API (`secret/data/...`, the KV version 2 form).
This must be the same path as the one you granted read access to in your Vault policy, not the shorter path passed to `vault kv put`.
`global.gossipEncryption.secretKey` is the key inside the secret data. This must be the same
as the key (`key`) we passed when we created the gossip secret in Vault.
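The three pieces created on this page (the `vault kv put` path, the policy, and the Helm values) have to agree with each other, and the `data/` segment of the KV v2 path is where they most often drift apart. The following is an added example, not code from the Consul docs or the consul-k8s project: an offline check that translates the logical KV path into its `secret/data/...` form, parses the flat policy shape used above, validates the key `consul keygen` produces, and compares everything against a Helm values file. The sample policy, values and key below are constructed for the example, and `check_config` is a hypothetical helper, not a Consul or Vault command.

```python
"""Added example (not from the Consul docs): offline consistency checks for
the vault kv put path, the Vault policy, the Kubernetes auth roles and the
Helm values described on this page. All sample inputs are constructed."""
import base64
import re
from typing import Dict, List, Mapping, Sequence


def kv2_data_path(logical_path: str, mount: str = "secret") -> str:
    """Translate the logical path given to `vault kv put` into the API path a
    KV version 2 engine exposes, which is the form policies and the Helm
    `secretName` must use: secret/consul/gossip -> secret/data/consul/gossip.
    Assumes `mount` is a KV v2 engine."""
    prefix = mount.strip("/") + "/"
    if not logical_path.startswith(prefix):
        raise ValueError(f"{logical_path!r} is not under the {mount!r} mount")
    return f"{prefix}data/{logical_path[len(prefix):]}"


# Matches the flat rule shape used on this page:
#   path "<path>" { capabilities = ["read", ...] }
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path: [capabilities]} for each rule in a simple HCL policy."""
    rules: Dict[str, List[str]] = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
    return rules


def is_valid_gossip_key(key: str) -> bool:
    """`consul keygen` emits a base64-encoded 32-byte key; the gossip layer
    accepts the AES key sizes 16, 24 and 32 bytes. Anything else is rejected
    by the agents at startup, so catch it before it reaches Vault."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) in (16, 24, 32)


def check_config(kv_put_path: str, kv_put_field: str, policy_hcl: str,
                 values: Mapping, kubernetes_roles: Sequence[str]) -> List[str]:
    """Return the mismatches between the kv put, the policy, the auth roles
    and the Helm values; an empty list means they all agree."""
    problems: List[str] = []
    data_path = kv2_data_path(kv_put_path)

    if "read" not in parse_policy(policy_hcl).get(data_path, []):
        problems.append(f"policy grants no read capability on {data_path}")

    vault = values["global"]["secretsBackend"]["vault"]
    if not vault.get("enabled"):
        problems.append("global.secretsBackend.vault.enabled is not true")
    for role_key in ("consulServerRole", "consulClientRole"):
        if vault.get(role_key) not in kubernetes_roles:
            problems.append(f"{role_key}={vault.get(role_key)!r} has no auth/kubernetes role")

    gossip = values["global"]["gossipEncryption"]
    if gossip.get("secretName") != data_path:
        problems.append(f"secretName={gossip.get('secretName')!r} should be {data_path!r}")
    if gossip.get("secretKey") != kv_put_field:
        problems.append(f"secretKey={gossip.get('secretKey')!r} should be {kv_put_field!r}")
    return problems


# Constructed sample inputs mirroring this page's commands and files.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()  # stand-in for `consul keygen`
SAMPLE_POLICY = """
path "secret/data/consul/gossip" {
  capabilities = ["read"]
}
"""
SAMPLE_ROLES = ("consul-server", "consul-client")
SAMPLE_VALUES = {
    "global": {
        "secretsBackend": {"vault": {"enabled": True,
                                     "consulServerRole": "consul-server",
                                     "consulClientRole": "consul-client"}},
        "gossipEncryption": {"secretName": "secret/data/consul/gossip", "secretKey": "key"},
    }
}
# The most common slip: reusing the `vault kv put` path, without `data/`, as secretName.
MISCONFIGURED_VALUES = {
    "global": {
        "secretsBackend": SAMPLE_VALUES["global"]["secretsBackend"],
        "gossipEncryption": {"secretName": "secret/consul/gossip", "secretKey": "key"},
    }
}

if __name__ == "__main__":
    print("key ok:", is_valid_gossip_key(SAMPLE_KEY))
    for name, vals in (("values.yaml", SAMPLE_VALUES), ("misconfigured", MISCONFIGURED_VALUES)):
        print(name, check_config("secret/consul/gossip", "key", SAMPLE_POLICY, vals, SAMPLE_ROLES) or "ok")
```

Run it as a script to see the well-formed values pass and the variant without `data/` flagged; in practice you would load your real `values.yaml` and `gossip-policy.hcl` into the same functions before running `helm install`, which is far cheaper than diagnosing a permission denied from the Vault agent injector after the fact.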