Vault as the Secrets Backend - Data Integration

Overview

This topic describes an overview of how to configure Vault and Consul in order to share secrets for use within Consul.

General Integration Steps

Generally, for each secret you wish to store in Vault, the process to integrate the data between Vault and Consul on Kubernetes is:

One time setup in Vault

  1. Store the secret in Vault.
  2. Create a Vault policy that authorizes the desired level of access to the secret.

Setup per Consul datacenter

  1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
  2. Update the Consul on Kubernetes helm chart.

Prerequisites

Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the Systems Integration section of Vault as a Secrets Backend.

Example - Gossip Encryption Key Integration

Following the general integration steps, a more detailed workflow for integration of the Gossip encryption key with the Vault Secrets backend would like the following:

One time setup in Vault

  1. Store the secret in Vault.
    • Save the gossip encryption key in Vault at the path secret/consul/gossip.
  2. Create a Vault policy that authorizes the desired level of access to the secret.
    • Create a Vault policy that you name gossip-policy which allows read access to the path secret/consul/gossip.

Setup per Consul datacenter

  1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
    • Both Consul servers and Consul clients need access to the gossip encryption key, so you create two Vault Kubernetes:
      • A role called consul-server that maps the Kubernetes namespace and service account name for your consul servers to the gossip-policy created in step 2 of One time setup in Vault.
      • A role called consul-client that maps the Kubernetes namespace and service account name for your consul clients to the gossip-policy created in step 2 of One time setup in Vault..
  2. Update the Consul on Kubernetes helm chart.

Secrets to Service Account Mapping

At the most basic level, the goal of this configuration is to authorize a Consul on Kubernetes service account to access a secret in Vault. Below is a mapping of Vault secrets and the Consul on Kubernetes service accounts that need to access them. (NOTE: Consul components refers to all other services and jobs that are not Consul servers or clients. It includes things like terminating gateways, ingress gateways, etc.)

Primary Datacenter

SecretService Account ForConfigurable Role in Consul k8s Helm
ACL Bootstrap tokenConsul server-acl-init jobglobal.secretsBackend.vault.manageSystemACLsRole
ACL Partition tokenConsul server-acl-init jobglobal.secretsBackend.vault.manageSystemACLsRole
ACL Replication tokenConsul server-acl-init jobglobal.secretsBackend.vault.manageSystemACLsRole
Enterprise licenseConsul servers
Consul clients		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
Gossip encryption keyConsul servers
Consul clients		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
Snapshot Agent configConsul snapshot agentglobal.secretsBackend.vault.consulSnapshotAgentRole
Server TLS credentialsConsul servers
Consul clients
Consul components		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
global.secretsBackend.vault.consulCARole
Service Mesh and Consul client TLS credentialsConsul serversglobal.secretsBackend.vault.consulServerRole
Webhook TLS certificates for controller and connect injectConsul controllers
Consul connect inject		global.secretsBackend.vault.controllerRole
global.secretsBackend.vault.connectInjectRole

Secondary Datacenters

The mapping for secondary data centers is similar with the following differences:

  • There is no use of bootstrap token because ACLs would have been bootstrapped in the primary datacenter.
  • ACL Partition token is mapped to both the server-acl-init job and the partition-init job service accounts.
  • ACL Replication token is mapped to both the server-acl-init job and Consul service accounts.
SecretService Account ForConfigurable Role in Consul k8s Helm
ACL Partition tokenConsul server-acl-init job
Consul partition-init job		global.secretsBackend.vault.manageSystemACLsRole
global.secretsBackend.vault.adminPartitionsRole
ACL Replication tokenConsul server-acl-init job
Consul servers		global.secretsBackend.vault.manageSystemACLsRole
global.secretsBackend.vault.consulServerRole
Enterprise licenseConsul servers
Consul clients		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
Gossip encryption keyConsul servers
Consul clients		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
Snapshot Agent configConsul snapshot agentglobal.secretsBackend.vault.consulSnapshotAgentRole
Server TLS credentialsConsul servers
Consul clients
Consul components		global.secretsBackend.vault.consulServerRole
global.secretsBackend.vault.consulClientRole
global.secretsBackend.vault.consulCARole
Service Mesh and Consul client TLS credentialsConsul serversglobal.secretsBackend.vault.consulServerRole
Webhook TLS certificates for controller and connect injectConsul controllers
Consul connect inject		global.secretsBackend.vault.controllerRole
global.secretsBackend.vault.connectInjectRole

Combining policies within roles

As you can see in the table above, depending upon your needs, a Consul on Kubernetes service account could have the need to request more than one secret. In these cases, you will want to create one role for the Consul on Kubernetes service account that is mapped to multiple policies, each of which allows it access to a given secret.

For example, if your Consul on Kubernetes servers need access to Gossip encryption key, Consul Server TLS credentials, and Enterprise license, assuming you have already saved the secrets in vault, you would:

  1. Create a policy for each secret.

    1. Gossip encryption key

      1. path "secret/data/consul/gossip" {
      2.   capabilities = ["read"]
      3. }

      Overview - 图1

      gossip-policy.hcl

      1. path "secret/data/consul/gossip" {
      2.   capabilities = ["read"]
      3. }
      1. $ vault policy write gossip-policy gossip-policy.hcl
      1. $ vault policy write gossip-policy gossip-policy.hcl

    2. Consul Server TLS credentials

      1. path "pki/cert/ca" {
      2.   capabilities = ["read"]
      3. }

      Overview - 图2

      ca-policy.hcl

      1. path "pki/cert/ca" {
      2.   capabilities = ["read"]
      3. }
      1. $ vault policy write ca-policy ca-policy.hcl
      1. $ vault policy write ca-policy ca-policy.hcl

    3. Enterprise License

      1. path "secret/data/consul/license" {
      2.   capabilities = ["read"]
      3. }

      Overview - 图3

      license-policy.hcl

      1. path "secret/data/consul/license" {
      2.   capabilities = ["read"]
      3. }
      1. $ vault policy write license-policy license-policy.hcl
      1. $ vault policy write license-policy license-policy.hcl

  2. Create one role that maps the Consul on Kubernetes service account to the 3 policies.

    1. $ vault write auth/kubernetes/role/consul-server \
    2.     bound_service_account_names=<Consul server service account> \
    3.     bound_service_account_namespaces=<Consul installation namespace> \
    4.     policies=gossip-policy,ca-policy,license-policy \
    5.     ttl=1h
    1. $ vault write auth/kubernetes/role/consul-server \
    2.     bound_service_account_names=<Consul server service account> \
    3.     bound_service_account_namespaces=<Consul installation namespace> \
    4.     policies=gossip-policy,ca-policy,license-policy \
    5.     ttl=1h

Detailed data integration guides

The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets:

The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation:

Secrets to Service Account Mapping

Read through the detailed data integration guides that are pertinent to your environment.