Configuring a Connect CA Provider

    Consul has support for different certificate authority (CA) providers to be used with the Consul Service Mesh. Please see Connect Certificate Management for the information on the providers we currently support.

    If Connect is enabled, the built-in Consul CA is automatically enabled for the Connect CA. To configure an external CA provider via the Consul Helm chart, you need to follow three steps:

    1. Create a configuration file containing your provider information.
    2. Create a Kubernetes secret containing the configuration file.
    3. Reference the Kubernetes secret in the value in the Helm chart.

    To configure the Vault Connect Provider please see Vault as the Service Mesh Certificate Provider on Kubernetes.

    NOTE: The following instructions are only valid for Consul-k8s 0.37.0 and prior.

    Below we will go over the process for configuring Vault as the Connect CA. However, other providers can similarly be configured during initial bootstrap of the cluster by providing the appropriate and ca_provider values for the provider you’re using.

    NOTE: If using Vault as your Connect CA, it’s highly recommended to run a Consul version >= 1.8.5 that supports token auto-renewal. With this feature, if the Vault token is then Consul will automatically renew the token periodically. Without this feature, you will need to manually rotate the Vault token before it expires.

    To configure Vault as a CA provider for Consul Connect, first, create a provider configuration JSON file. Please refer to for the configuration options. You will need to provide a Vault token to the property. Please refer to these docs for the permissions that the token needs to have. This token should be .

    1. kubectl create secret generic vault-ca --from-file vault.ca=/path/to/your/vault/ca

    And then reference it like this in the provider configuration:

    1. {
    2. "connect": [
    3. {
    4. "ca_config": [
    5. {
    6. "address": "https://vault:8200",
    7. "intermediate_pki_path": "dc1/connect-intermediate",
    8. "root_pki_path": "connect-root",
    9. "token": "s.VgQvaXl8xGFO1RUxAPbPbsfN",
    10. "ca_file": "/consul/userconfig/vault-ca/vault.ca"
    11. }
    12. ],
    13. "ca_provider": "vault"
    14. }
    15. ]
    16. }

    vault-config.json

    1. {
    2. "connect": [
    3. {
    4. "ca_config": [
    5. {
    6. "address": "https://vault:8200",
    7. "intermediate_pki_path": "dc1/connect-intermediate",
    8. "root_pki_path": "connect-root",
    9. "token": "s.VgQvaXl8xGFO1RUxAPbPbsfN",
    10. "ca_file": "/consul/userconfig/vault-ca/vault.ca"
    11. }
    12. ],
    13. "ca_provider": "vault"
    14. }
    15. }

    This example configuration file is pointing to a Vault instance running in the same Kubernetes cluster, which has been deployed with TLS enabled. Note that the ca_file is pointing to the file location based on the Kubernetes secret for the Vault CA that we have created before. We will provide that secret later in the Helm values for our Consul cluster.

    NOTE: If you have used Kubernetes CA to sign Vault’s certificate, such as shown in Standalone Server with TLS, you don’t need to create a Kubernetes secret with Vault’s CA and can reference the CA directly by setting ca_file to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.

    Next, create a Kubernetes secret with this configuration file.

    1. $ kubectl create secret generic vault-config --from-file=config=vault-config.json

    We will provide this secret and the Vault CA secret, to the Consul server via the server.extraVolumes Helm value.

    1. global:
    2. name: consul
    3. extraVolumes:
    4. - type: secret
    5. name: vault-config
    6. load: true
    7. items:
    8. - key: config
    9. path: vault-config.json
    10. - type: secret
    11. name: vault-ca
    12. load: false
    13. connectInject:
    14. enabled: true

    config.yaml

    1. global:
    2. name: consul
    3. server:
    4. extraVolumes:
    5. - type: secret
    6. name: vault-config
    7. load: true
    8. items:
    9. - key: config
    10. path: vault-config.json
    11. - type: secret
    12. name: vault-ca
    13. load: false
    14. connectInject:
    15. enabled: true

    Finally, the Helm chart using the above config file:

    1. $ helm install consul --values config.yaml hashicorp/consul

    Verify that the CA provider is set correctly:

    1. $ kubectl exec consul-server-0 -- curl --silent http://localhost:8500/v1/connect/ca/configuration\?pretty
    2. {
    3. "Provider": "vault",
    4. "Config": {
    5. "Address": "https://vault:8200",
    6. "CAFile": "/consul/userconfig/vault-server-tls/vault.ca",
    7. "IntermediateCertTTL": "8760h",
    8. "LeafCertTTL": "72h",
    9. "RootPKIPath": "connect-root",
    10. "Token": "s.VgQvaXl8xGFO1RUxAPbPbsfN"
    11. },
    12. "ForceWithoutCrossSigning": false,
    13. "CreateIndex": 5,
    14. "ModifyIndex": 5
    15. }
    1. $ kubectl exec consul-server-0 -- curl --silent http://localhost:8500/v1/connect/ca/configuration\?pretty
    2. {
    3. "Provider": "vault",
    4. "Config": {
    5. "Address": "https://vault:8200",
    6. "CAFile": "/consul/userconfig/vault-server-tls/vault.ca",
    7. "IntermediateCertTTL": "8760h",
    8. "IntermediatePKIPath": "connect-intermediate",
    9. "LeafCertTTL": "72h",
    10. "RootPKIPath": "connect-root",
    11. "Token": "s.VgQvaXl8xGFO1RUxAPbPbsfN"
    12. },
    13. "State": null,
    14. "ForceWithoutCrossSigning": false,
    15. "CreateIndex": 5,
    16. "ModifyIndex": 5
    17. }

    To configure Vault as the Connect CA in secondary datacenters, you need to make sure that the Root CA is the same, but the intermediate is different for each datacenter. In the connect configuration for a secondary datacenter, you can specify a intermediate_pki_path that is, for example, prefixed with the datacenter for which this configuration is intended. You will similarly need to create a Vault token and a Kubernetes secret with Vault’s CA in each secondary Kubernetes cluster.

    1. {
    2. "connect": [
    3. {
    4. "ca_config": [
    5. {
    6. "address": "https://vault:8200",
    7. "intermediate_pki_path": "dc2/connect-intermediate",
    8. "root_pki_path": "connect-root",
    9. "token": "s.VgQvaXl8xGFO1RUxAPbPbsfN",
    10. "ca_file": "/consul/userconfig/vault-ca/vault.ca"
    11. }
    12. ],
    13. "ca_provider": "vault"
    14. }
    15. }

    Note that all secondary datacenters need to have access to the same Vault instance as the primary.

    If running Consul < 1.8.5 or using a Vault token that is not renewable then you will need to manually renew or rotate the Vault token before it expires.

    Rotating Vault Token

    The ca_config and options defined in the Consul agent configuration are only used when initially bootstrapping the cluster. Once the cluster is running, subsequent changes to the ca_provider config are ignored–even if consul reload is run or the servers are restarted.

    Renewing Vault Token

    To renew the Vault token, use the vault token renew CLI command or API.