Type '/' to Search

»Storing the Snapshot Agent Config in Vault

»Prerequisites

Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:

  1. Read and completed the steps in the Systems Integration section of Vault as a Secrets Backend.
  2. Read the Data Integration Overview section of Vault as a Secrets Backend.

»Overview

To use an ACL replication token stored in Vault, we will follow the steps outlined in the Data Integration section:

»One time setup in Vault

  1. Store the secret in Vault.
  2. Create a Vault policy that authorizes the desired level of access to the secret.

»Setup per Consul datacenter

  1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
  2. Configure the Vault Kubernetes auth role in the Consul on Kubernetes helm chart.

»One time setup in Vault

»Store the Secret in Vault

First, store the snapshot agent config in Vault:

$ vault kv put secret/consul/snapshot-agent-config key="<snapshot agent JSON config>"

$ vault kv put secret/consul/snapshot-agent-config key="<snapshot agent JSON config>"

»Create a Vault policy that authorizes the desired level of access to the secret

Note: The secret path referenced by the Vault Policy below will be your client.snapshotAgent.configSecret.secretName Helm value.

Next, you will need to create a policy that allows read access to this secret:

path "secret/data/consul/snapshot-agent-config" {
  capabilities = ["read"]
}
snapshot-agent-config-policy.hcl
path "secret/data/consul/snapshot-agent-config" {
  capabilities = ["read"]
}

Apply the Vault policy by issuing the vault policy write CLI command:

$ vault policy write snapshot-agent-config-policy snapshot-agent-config-policy.hcl

$ vault policy write snapshot-agent-config-policy snapshot-agent-config-policy.hcl

»Setup per Consul datacenter

»Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access

Next, you will create a Kubernetes auth role for the Consul snapshot agent:

$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul snapshot agent service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=snapshot-agent-config-policy \
    ttl=1h

$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul snapshot agent service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=snapshot-agent-config-policy \
    ttl=1h

To find out the service account name of the Consul snapshot agent, you can run the following helm template command with your Consul on Kubernetes values file:

$ helm template --release-name ${RELEASE_NAME} -s templates/client-snapshot-agent-serviceaccount.yaml hashicorp/consul

$ helm template --release-name ${RELEASE_NAME} -s templates/client-snapshot-agent-serviceaccount.yaml hashicorp/consul

»Configure the Vault Kubernetes auth role in the Consul on Kubernetes helm chart

Now that you have configured Vault, you can configure the Consul Helm chart to use the snapshot agent config in Vault:

global:
  secretsBackend:
    vault:
      enabled: true
      consulSnapshotAgentRole: snapshot-agent
client:
  snapshotAgent:
    configSecret:
      secretName: secret/data/consul/snapshot-agent-config
      secretKey: key
values.yaml
global:
  secretsBackend:
    vault:
      enabled: true
      consulSnapshotAgentRole: snapshot-agent
client:
  snapshotAgent:
    configSecret:
      secretName: secret/data/consul/snapshot-agent-config
      secretKey: key

Note that client.snapshotAgent.configSecret.secretName is the path of the secret in Vault. This should be the same path as the one you included in your Vault policy. client.snapshotAgent.configSecret.secretKey is the key inside the secret data. This should be the same as the key you passed when creating the snapshot agent config secret in Vault.