Storing the Enterprise License in Vault

To use an enterprise license stored in Vault, we will follow the steps outlined in the Data Integration section:

Store the secret in Vault.
Create a Vault policy that authorizes the desired level of access to the secret.

Setup per Consul datacenter

Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
Update the Consul on Kubernetes helm chart.

Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:

Read and completed the steps in the Systems Integration section of .
Read the Data Integration Overview section of .

First, store the enterprise license in Vault:

Create a Vault policy that authorizes the desired level of access to the secret

Note: The secret path referenced by the Vault Policy below will be your global.enterpriseLicense.secretName Helm value.

path "secret/data/consul/license" {
  capabilities = ["read"]

license-policy.hcl

path "secret/data/consul/license" {
  capabilities = ["read"]
}

Apply the Vault policy by issuing the vault policy write CLI command:

$ vault policy write license-policy license-policy.hcl

Next, you will create Kubernetes auth roles for the Consul server and client:

$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=license-policy \
    ttl=1h


    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=license-policy \
    ttl=1h

$ vault write auth/kubernetes/role/consul-client \
    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=license-policy \
    ttl=1h

    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=license-policy \
    ttl=1h

Generate Consul server service account name

$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul

Generate Consul client service account name

$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul

$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul

Update the Consul on Kubernetes helm chart.

Now that you have configured Vault, you can configure the Consul Helm chart to use the enterprise enterprise license in Vault:

global:
  image: hashicorp/consul-enterprise:1.12.0-ent
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  enterpriseLicense:
    secretName: secret/data/consul/enterpriselicense
    secretKey: key

Note that global.enterpriseLicense.secretName is the path of the secret in Vault. This should be the same path as the one you included in your Vault policy. is the key inside the secret data. This should be the same as the key you passed when creating the enterprise license secret in Vault.