Storing Gossip Encryption Key in Vault
One-time setup in Vault
- Store the secret in Vault.
- Create a Vault policy that authorizes the desired level of access to the secret.
Setup per Consul datacenter
- Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
- Update the Consul on Kubernetes Helm chart.
Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
- Read and completed the steps in the section of Vault as a Secrets Backend.
- Read the section of Vault as a Secrets Backend.
Store the secret in Vault
First, generate a gossip key and store it in Vault at the secret path that the policy in the next step references.
Create a Vault policy that authorizes the desired level of access to the secret
Next, we will need to create a policy that allows read access to this secret:
Note: The secret path referenced by the Vault policy below will be your global.gossipEncryption.secretName Helm value.
gossip-policy.hcl
path "secret/data/consul/gossip" {
  capabilities = ["read"]
}
Apply the Vault policy by issuing the vault policy write CLI command:
$ vault policy write gossip-policy gossip-policy.hcl
Next, we will create Kubernetes auth roles for the Consul server and client:
$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=gossip-policy \
    ttl=1h
$ vault write auth/kubernetes/role/consul-client \
    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=gossip-policy \
    ttl=1h
To find out the service account names of the Consul server and client, you can run the following commands with your Consul on Kubernetes values file:
Generate Consul server service account name
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
Generate Consul client service account name
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
Update the Consul on Kubernetes Helm chart
Now that we've configured Vault, you can configure the Consul Helm chart to use the gossip key in Vault:
values.yaml
global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  gossipEncryption:
    # Must match the path granted in gossip-policy.hcl
    secretName: secret/data/consul/gossip
    secretKey: key
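The following POSIX shell script is an added example, not code from the Consul documentation or the consul-k8s project. It ties the steps above together: generate and validate the gossip key, store it, write a read-only policy scoped to that one path, bind the policy to the server and client service accounts, and emit the matching Helm values. It assumes VAULT_ADDR and VAULT_TOKEN are exported, the Kubernetes auth method is already enabled at auth/kubernetes, and vault and consul are on PATH; SERVER_SA, CLIENT_SA and CONSUL_NAMESPACE are hypothetical environment variables, and the function names are this example's own. The one fact it encodes that trips people up is that a KV v2 secret written as secret/consul/gossip is addressed as secret/data/consul/gossip in both the policy and the Helm secretName.

```shell
#!/usr/bin/env sh
# Added example, not code from the Consul docs. Assumes: VAULT_ADDR and
# VAULT_TOKEN are exported, the Kubernetes auth method is enabled at
# auth/kubernetes, and `vault` and `consul` are on PATH. SERVER_SA,
# CLIENT_SA and CONSUL_NAMESPACE are hypothetical environment variables.
set -eu

# KV v2 mounts are addressed as <mount>/<path> by `vault kv put` but as
# <mount>/data/<path> in policies and in the Helm secretName. Deriving one
# from the other keeps the secret, the policy and the chart in agreement.
kv_policy_path() {
  mount="${1%%/*}"
  rest="${1#*/}"
  printf '%s/data/%s\n' "$mount" "$rest"
}

# Serf accepts gossip keys of 16, 24 or 32 bytes (base64 encoded); `consul
# keygen` produces 32. Refuse anything else before it is written to Vault.
validate_gossip_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  n=$((n + 0))
  [ "$n" -eq 16 ] || [ "$n" -eq 24 ] || [ "$n" -eq 32 ]
}

# Read-only policy scoped to exactly one secret path: no wildcard and no
# list/update capabilities, so a Consul pod's token can read this key and
# nothing else under the mount.
write_policy() {       # $1 = policy name, $2 = `vault kv put` path
  cat > "$1.hcl" <<EOF
path "$(kv_policy_path "$2")" {
  capabilities = ["read"]
}
EOF
  vault policy write "$1" "$1.hcl"
}

# Bind the policy to one service account in one namespace with a short TTL.
write_k8s_role() {     # $1 = role, $2 = service account, $3 = namespace, $4 = policy
  vault write "auth/kubernetes/role/$1" \
    bound_service_account_names="$2" \
    bound_service_account_namespaces="$3" \
    policies="$4" \
    ttl=1h
}

store_gossip_key() {   # $1 = `vault kv put` path
  key=$(consul keygen)
  validate_gossip_key "$key"
  vault kv put "$1" key="$key"
}

# Helm values that point the chart at the same path the policy allows.
helm_values() {        # $1 = `vault kv put` path
  cat <<EOF
global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  gossipEncryption:
    secretName: $(kv_policy_path "$1")
    secretKey: key
EOF
}

main() {
  secret_path="secret/consul/gossip"
  ns="${CONSUL_NAMESPACE:-consul}"
  store_gossip_key "$secret_path"
  write_policy gossip-policy "$secret_path"
  write_k8s_role consul-server "${SERVER_SA:?Consul server service account}" "$ns" gossip-policy
  write_k8s_role consul-client "${CLIENT_SA:?Consul client service account}" "$ns" gossip-policy
  helm_values "$secret_path"
}

# Only touch Vault when explicitly asked: `sh gossip-vault.sh apply`.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `SERVER_SA=<server SA> CLIENT_SA=<client SA> sh gossip-vault.sh apply`; without the argument it only defines the helpers, which is what makes the path and key checks usable on their own. The printed values block is exactly what the values.yaml step above expects, with secretName already in the data/ form the policy grants.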