Vault as the Service Mesh Certificate Provider on Kubernetes

    Note: This feature requires Consul 1.11 or higher. As of v1.11, Consul allows using Kubernetes auth methods to configure Connect CA. This allows for automatic token rotation once the renewal is no longer possible.

    To use an Vault as the Service Mesh Certificate Provider on Kubernetes, we will need to modify the steps outlined in the Data Integration section:

    Setup per Consul datacenter

    1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
    2. Update the Consul on Kubernetes helm chart.

    Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:

    1. Read and completed the steps in the Systems Integration section of .
    2. Read the Data Integration Overview section of .

    Create a Vault policy that authorizes the desired level of access to the secret

    To configure for the Consul service mesh certificates, you will first need to decide on the type of policy that is suitable for you. To see the permissions that Consul would need in Vault, please see Vault ACL policies documentation.

    Next, you will create Kubernetes auth roles for the Consul servers:

    2.     bound_service_account_names=<Consul server service account> \
    3.     bound_service_account_namespaces=<Consul installation namespace> \
    4.     policies=<Connect CA policy> \
    5.     ttl=1h

    To find out the service account name of the Consul server, you can run:

    1. $ helm template --release-name ${RELEASE_NAME} --show-only templates/server-serviceaccount.yaml hashicorp/consul

    Update the Consul on Kubernetes helm chart

    values.yaml

    1. global:
    2.     vault:
    4.       consulServerRole: consul-server
    5.       consulClientRole: consul-client
    6.       consulCARole: consul-ca
    7.       connectCA:
    8.         address: <the address of the Vault server>
    9.         rootPKIPath: <the path to root PKI>
    10.         intermediatePKIPath: <the path to intermediate PKI>
    11.       ca:

    The address you provide to the connectCA configuration can be a Kubernetes DNS address if the Vault cluster is running the same Kubernetes cluster. The rootPKIPath and intermediatePKIPath should be the same as the ones defined in your Connect CA policy. Behind the scenes, Consul will authenticate to Vault using a Kubernetes service account using the Kubernetes auth method and will use the Vault token for any API calls to Vault. If the Vault token can not be renewed, Consul will re-authenticate to generate a new Vault token.

      To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA path is the same, but the intermediate is different for each datacenter. In the connectCA Helm configuration for a secondary datacenter, you can specify a intermediatePKIPath that is, for example, prefixed with the datacenter for which this configuration is intended (e.g. ).