我的书签
添加书签
移除书签Vault as the Secrets Backend - Data Integration
Generally, for each secret you wish to store in Vault, the process to integrate the data between Vault and Consul on Kubernetes is:
One time setup in Vault
- Store the secret in Vault.
- Create a Vault policy that authorizes the desired level of access to the secret.
Setup per Consul datacenter
- Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
- Update the Consul on Kubernetes helm chart.
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the Systems Integration section of .
Following the general integration steps, a more detailed workflow for integration of the Gossip encryption key with the Vault Secrets backend would like the following:
One time setup in Vault
- Store the secret in Vault.
- Save the gossip encryption key in Vault at the path .
- Create a Vault policy that authorizes the desired level of access to the secret.
Setup per Consul datacenter
- Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
- Both Consul servers and Consul clients need access to the gossip encryption key, so you create two Vault Kubernetes:
- A role called
consul-serverthat maps the Kubernetes namespace and service account name for your consul servers to thegossip-policycreated in of One time setup in Vault. - A role called
consul-clientthat maps the Kubernetes namespace and service account name for your consul clients to thegossip-policycreated in step 2 of One time setup in Vault..
- A role called
- Both Consul servers and Consul clients need access to the gossip encryption key, so you create two Vault Kubernetes:
- Update the Consul on Kubernetes helm chart.
- Configure the Vault Kubernetes auth roles created for the gossip encryption key:
- is set to the
consul-serverVault Kubernetes auth role created previously. - global.secretsBackend.vault.consulClientRole is set to the
consul-clientVault Kubernetes auth role created previously.
- is set to the
- Configure the Vault Kubernetes auth roles created for the gossip encryption key:
At the most basic level, the goal of this configuration is to authorize a Consul on Kubernetes service account to access a secret in Vault. Below is a mapping of Vault secrets and the Consul on Kubernetes service accounts that need to access them. (NOTE: Consul components refers to all other services and jobs that are not Consul servers or clients. It includes things like terminating gateways, ingress gateways, etc.)
The mapping for secondary data centers is similar with the following differences:
- There is no use of bootstrap token because ACLs would have been bootstrapped in the primary datacenter.
- ACL Partition token is mapped to both the job and the
partition-initjob service accounts. - ACL Replication token is mapped to both the
server-acl-initjob and Consul service accounts.
| Secret | Service Account For | Configurable Role in Consul k8s Helm |
|---|---|---|
| Consul server-acl-init job Consul partition-init job | global.secretsBackend.vault.manageSystemACLsRole | |
| ACL Replication token | Consul server-acl-init job Consul servers | global.secretsBackend.vault.consulServerRole |
| Consul servers Consul clients | global.secretsBackend.vault.consulServerRole | |
| Gossip encryption key | Consul servers Consul clients | global.secretsBackend.vault.consulClientRole |
| Consul snapshot agent | global.secretsBackend.vault.consulSnapshotAgentRole | |
| Consul servers Consul clients Consul components | global.secretsBackend.vault.consulServerRole global.secretsBackend.vault.consulCARole | |
| Consul servers | global.secretsBackend.vault.consulServerRole | |
| Consul controllers Consul connect inject | global.secretsBackend.vault.controllerRole |
As you can see in the table above, depending upon your needs, a Consul on Kubernetes service account could have the need to request more than one secret. In these cases, you will want to create one role for the Consul on Kubernetes service account that is mapped to multiple policies, each of which allows it access to a given secret.
Create a policy for each secret.
Gossip encryption key
gossip-policy.hcl
path "secret/data/consul/gossip" {capabilities = ["read"]}
$ vault policy write gossip-policy gossip-policy.hcl
$ vault policy write gossip-policy gossip-policy.hcl
Consul Server TLS credentials
path "pki/cert/ca" {capabilities = ["read"]
$ vault policy write ca-policy ca-policy.hcl
Enterprise License
license-policy.hcl
path "secret/data/consul/license" {capabilities = ["read"]}
$ vault policy write license-policy license-policy.hcl
$ vault policy write license-policy license-policy.hcl
Create one role that maps the Consul on Kubernetes service account to the 3 policies.
$ vault write auth/kubernetes/role/consul-server \bound_service_account_names=<Consul server service account> \bound_service_account_namespaces=<Consul installation namespace> \policies=gossip-policy,ca-policy,license-policy \
The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets:
The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation:
