Vault as the Server TLS Certificate Provider on Kubernetes
Overview
To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the Data Integration section.
Complete the following steps once:
- Create a Vault policy that authorizes the desired level of access to the secret.
Repeat the following steps for each datacenter in the cluster:
- (Added) Configure allowed domains for PKI certificates
- Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
- Update the Consul on Kubernetes helm chart.
Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
- Read and completed the steps in the Systems Integration section of Vault as a Secrets Backend.
- Read the Data Integration Overview section of Vault as a Secrets Backend.
- Complete the Bootstrapping the PKI Engine section.
Bootstrapping the PKI Engine
Issue the following commands to enable and configure the PKI Secrets Engine to server TLS certificates to Consul.
Enable the PKI Secrets Engine:
Tune the engine to enable longer TTL:
Generate the root CA:
Note: The
common_name
value is comprised of combiningglobal.datacenter
dotglobal.domain
.
Create Vault policies
To use Vault to issue Server TLS certificates, you will need to create the following:
Create a policy that allows
["create", "update"]
access to the certificate issuing URL so the Consul servers can fetch a new certificate/key pair.The path to the secret referenced in the
path
resource is the same value that you will configure in theserver.serverCert.secretName
Helm configuration (refer to Update Consul on Kubernetes Helm chart).consul-server-policy.hclApply the Vault policy by issuing the
vault policy write
CLI command:Create a policy that allows
["read"]
access to the CA URL, this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates.Configure allowed domains for PKI certificates.
Next, a Vault role for the PKI engine will set the default certificate issuance parameters:
To generate the
<Allowed-domains-string>
use the following script as a template:Finally, Kubernetes auth roles need to be created for servers, clients, and components.
Role for Consul servers:
To find out the service account name of the Consul server, you can run:
Role for Consul clients:
To find out the service account name of the Consul client, use the command below.
Role for CA components:
The above Vault Roles will now be your Helm values for
global.secretsBackend.vault.consulServerRole
andglobal.secretsBackend.vault.consulCARole
respectively.
Update Consul on Kubernetes Helm chart
Next, configure the Consul Helm chart to use the server TLS certificates from Vault:
The vaultCASecret
is the Kubernetes secret that stores the CA Certificate that is used for Vault communication. To provide a CA, you first need to create a Kubernetes secret containing the CA. For example, you may create a secret with the Vault CA like so: