From 04d2b877cd761cbf27dcad63936d579bf6fed653 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 12:20:51 +0000 Subject: [PATCH 01/11] backport of commit 365fcd0148e8cb5f57523d88cc7246593386dd9a --- .../k8s/deployment-configurations/vault/systems-integration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx index 9c5ac5c5baa0..d7aa34b69424 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx @@ -34,7 +34,7 @@ The following secrets can be stored in Vault KV secrets engine, which is meant t In order to store any of these secrets, we must enable the [Vault KV secrets engine - Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2). ```shell-session -$ vault secrets enable -path=consul kv-v2 +$ vault secrets enable -path=consul-kv kv-v2 ``` ## Vault PKI Engine From cc50aca4e31fdd357da863d56b1a463ee1da246f Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:29:28 +0100 Subject: [PATCH 02/11] docs/consul: rename the Vault secret engine for Consul integration (#20049) * rename the KV secret engine * update WAN federation guide * update snapshot-agent doc * update replication doc * update partition doc * update gossip doc * update ent-license doc * update bootstrap-token doc * update index doc * fix license kv path * vault kv path explanation for /data/ * Update website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --- .../vault/wan-federation.mdx | 36 +++++++++++++------ 1 file changed, 26 insertions(+), 10 deletions(-) 
diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx index ad31da349c55..d6ce2f2d38a2 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx @@ -129,7 +129,7 @@ Repeat the following steps for each datacenter in the cluster: 1. Enable [Vault KV secrets engine - Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) in order to store the [Gossip Encryption Key](/docs/k8s/helm#v-global-acls-replicationtoken) and the ACL Replication token ([`global.acls.replicationToken`](/docs/k8s/helm#v-global-acls-replicationtoken)). ```shell-session - $ vault secrets enable -path=consul kv-v2 + $ vault secrets enable -path=consul-kv kv-v2 ``` 1. Enable Vault PKI Engine in order to leverage Vault for issuing Consul Server TLS certificates. @@ -314,12 +314,16 @@ Repeat the following steps for each datacenter in the cluster: 1. Store the ACL Replication Token, Gossip Encryption Key, and Root CA certificate secrets in Vault. ```shell-session - $ vault kv put consul/secret/gossip key="$(consul keygen)" + $ vault kv put consul-kv/secret/gossip key="$(consul keygen)" ``` ```shell-session - $ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" - ``` + $ vault kv put consul-kv/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + ``` + + ```shell-session + $ vault kv put consul-kv/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + ``` ```shell-session $ vault write pki/root/generate/internal common_name="Consul CA" ttl=87600h ``` 
@@ -328,7 +332,15 @@ Repeat the following steps for each datacenter in the cluster: ```shell-session $ vault policy write gossip - < Date: Fri, 22 Dec 2023 13:34:22 +0100 Subject: [PATCH 03/11] update snapshot-agent doc --- .../vault/data-integration/snapshot-agent-config.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx index 2e1500a680e1..f18d2ec53978 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, store the snapshot agent config in Vault: ```shell-session -$ vault kv put secret/consul/snapshot-agent-config key="" +$ vault kv put consul-kv/secret/snapshot-agent-config key="" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same values that ```HCL -path "secret/data/consul/snapshot-agent-config" { +path "consul-kv/data/secret/snapshot-agent-config" { capabilities = ["read"] } ``` @@ -89,7 +89,7 @@ global: client: snapshotAgent: configSecret: - secretName: secret/data/consul/snapshot-agent-config + secretName: consul-kv/data/secret/snapshot-agent-config secretKey: key ``` From d7ae063752b1421411f37d3426dbc56b7ff6b5ad Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:35:51 +0100 Subject: [PATCH 04/11] update replication doc --- .../vault/data-integration/replication-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx index 04d20e0f7108..95c19c70ce75 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL replication token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/replication-token" { +path "consul-kv/data/secret/replication-token" { capabilities = ["read"] } ``` @@ -88,7 +88,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: replicationToken: - secretName: secret/data/consul/replication-token + secretName: consul-kv/data/secret/replication-token secretKey: token ``` From b7612e0b11d5f46af126405da10c853f8d0422f6 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:36:48 +0100 Subject: [PATCH 05/11] update partition doc --- .../vault/data-integration/partition-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx index 5770054faa53..ec479077b7b1 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx 
+++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx @@ -30,7 +30,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL partition token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -42,7 +42,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/partition-token" { +path "consul-kv/data/secret/consul/partition-token" { capabilities = ["read"] } ``` @@ -90,7 +90,7 @@ global: adminPartitionsRole: consul-partition-init acls: partitionToken: - secretName: secret/data/consul/partition-token + secretName: consul-kv/data/secret/partition-token secretKey: token ``` From 22a0dd8f2cb2c41a774d0bb857a664700f1b4f74 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:37:55 +0100 Subject: [PATCH 06/11] update gossip doc --- .../vault/data-integration/gossip.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx index 52955a100b25..1daf4c672e28 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx 
@@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the gossip key in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/gossip key="$(consul keygen)" +$ vault kv put consul-kv/secret/gossip key="$(consul keygen)" ``` ## Create Vault policy @@ -40,7 +40,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/gossip" { +path "consul-kv/data/secret/gossip" { capabilities = ["read"] } ``` @@ -101,7 +101,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client gossipEncryption: - secretName: secret/data/consul/gossip + secretName: consul-kv/data/secret/gossip secretKey: key ``` From 588d4af87776fad588115fbbcd555a58877e48a6 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:38:55 +0100 Subject: [PATCH 07/11] update ent-license doc --- .../vault/data-integration/enterprise-license.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index f0afb0c9b97e..2895305d51d3 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, store the enterprise license in Vault: ```shell-session -$ vault kv put secret/consul/license key="" +$ vault kv put consul-kv/secret/license key="" ``` ## Create Vault policy 
@@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/license" { +path "consul-kv/data/secret/license" { capabilities = ["read"] } ``` @@ -103,7 +103,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client enterpriseLicense: - secretName: secret/data/consul/enterpriselicense + secretName: consul-kv/data/secret/enterpriselicense secretKey: key ``` From a6ef5612a9e24f003e006a51228eef1a42493794 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:40:52 +0100 Subject: [PATCH 08/11] update bootstrap-token doc --- .../vault/data-integration/bootstrap-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx index 2a05959a9f21..c30d0ce0e2c8 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL bootstrap token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/bootstrap-token" { +path "consul-kv/data/secret/bootstrap-token" { capabilities = ["read"] } ``` 
@@ -88,7 +88,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: bootstrapToken: - secretName: secret/data/consul/bootstrap-token + secretName: consul-kv/data/secret/bootstrap-token secretKey: token ``` From b51482675d246895f01d0c3c17a524a5ae9a3a37 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:41:45 +0100 Subject: [PATCH 09/11] update index doc --- .../deployment-configurations/vault/data-integration/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 360e1204dac2..7aa12c0c52a4 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -125,7 +125,7 @@ For example, if your Consul on Kubernetes servers need access to [Gossip encrypt ```HCL - path "secret/data/consul/license" { + path "consul-kv/data/secret/license" { capabilities = ["read"] } ``` From 4691ffc19538fe4012d4f40df3c2d11ed3f65490 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Tue, 2 Jan 2024 11:42:13 +0100 Subject: [PATCH 10/11] fix license kv path --- .../vault/data-integration/enterprise-license.mdx | 4 ++-- .../vault/data-integration/index.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index 2895305d51d3..cafd30b36f8c 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx 
@@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, store the enterprise license in Vault: ```shell-session -$ vault kv put consul-kv/secret/license key="" +$ vault kv put consul-kv/secret/enterpriselicense key="" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/license" { +path "consul-kv/data/secret/enterpriselicense" { capabilities = ["read"] } ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 7aa12c0c52a4..e8771104f40f 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -125,7 +125,7 @@ For example, if your Consul on Kubernetes servers need access to [Gossip encrypt ```HCL - path "consul-kv/data/secret/license" { + path "consul-kv/data/secret/enterpriselicense" { capabilities = ["read"] } ``` From e34ee98dafe33a529e47de93968fb2bd2af100e8 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Tue, 2 Jan 2024 11:59:22 +0100 Subject: [PATCH 11/11] vault kv path explanation for /data/ --- .../vault/data-integration/index.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index e8771104f40f..fb7edf54bc50 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx 
@@ -122,6 +122,10 @@ For example, if your Consul on Kubernetes servers need access to [Gossip encrypt 1. Enterprise License + + When using Vault Key-Value Version 2 secrets engines, the `data` field is implicitly required for Vault API calls in the form of "vault-kv2-mount-path/**data**/secret-path". In this example, the key-value data in `consul-kv/secret/enterpriselicense` is accessible for API calls via the `consul-kv/data/secret/enterpriselicense` path. + + ```HCL
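Review bot: the mount rename in the `vault secrets enable` line of PATCH 01/11 (`-path=consul` to `-path=consul-kv`) is a breaking change for readers who followed the earlier version of systems-integration.mdx, and the removed lines in patches 03 to 08 show that the data-integration pages previously wrote to the default `secret/` mount, so migrating readers have two possible old locations; add one sentence after the command saying that an existing mount can be kept provided the same mount name is used consistently in the `vault kv put` commands, the policy `path` stanzas and the Helm `secretName` values that follow, since a mismatch between any two of them makes Consul's Vault role unable to read the secret.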
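Review bot: in the first wan-federation.mdx hunk of PATCH 02/11 (`@@ -129,7 +129,7 @@`) the unchanged context line links "Gossip Encryption Key" to `/docs/k8s/helm#v-global-acls-replicationtoken`, the same anchor used for the ACL Replication token in the same sentence; since this hunk already edits the step, point the gossip link at the Helm anchor for the gossip encryption value instead of the replication-token one.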
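Review bot: the second wan-federation.mdx hunk of PATCH 02/11 (`@@ -314,12 +314,16 @@`) adds a fourth secret, `$ vault kv put consul-kv/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')"`, but the step's lead sentence still reads "Store the ACL Replication Token, Gossip Encryption Key, and Root CA certificate secrets in Vault."; list the ACL bootstrap token there too, and confirm that the Vault policy and Helm values later in the guide reference `consul-kv/data/secret/bootstrap`, otherwise the new secret is written but never consumed. The secret names in this guide (`gossip`, `bootstrap`, `replication`) also differ from the data-integration pages (`bootstrap-token`, `replication-token`); that is harmless within one guide, but aligning them would spare readers who copy between the two.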
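Review bot: the policy hunk in partition-token.mdx (PATCH 05/11, `@@ -42,7 +42,7 @@`) introduces a stray `consul/` segment: `+path "consul-kv/data/secret/consul/partition-token" {` does not match either the write command `$ vault kv put consul-kv/secret/partition-token ...` or the Helm value `secretName: consul-kv/data/secret/partition-token` in the same patch, so the policy grants read on a path that holds nothing and the `consul-partition-init` role is denied the real secret. The path should be `consul-kv/data/secret/partition-token`, matching the other data-integration pages.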
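Review bot: PATCH 07/11 leaves enterprise-license.mdx internally inconsistent, writing `consul-kv/secret/license` and granting read on `consul-kv/data/secret/license` while the Helm value is `secretName: consul-kv/data/secret/enterpriselicense`, and PATCH 09/11 copies the `license` path into index.mdx; PATCH 10/11 then corrects both files to `enterpriselicense`. Squash 10 into 07 and 09 so that no commit in the series publishes a page whose policy and Helm value point at different secrets.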
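Review bot: in the index.mdx paragraph added by PATCH 11/11, `data` is not a "field" that is "implicitly required" but a path segment the KV version 2 API places between the mount and the secret path; the `vault kv put` and `vault kv get` CLI commands insert it automatically, which is exactly why the `vault kv put consul-kv/secret/...` commands on these pages omit it while the policy `path` stanzas and the Helm `secretName` values, which are API paths, include it. Rewording along those lines, and naming the CLI as the source of the difference, would make the two forms easier to reconcile. Also check that the new lines are indented to sit inside the `1. Enterprise License` list item they follow, so the paragraph renders within the list rather than terminating the enumeration.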