Storing the Enterprise License in Vault
To use an enterprise license stored in Vault, the steps will be similar to Storing Gossip Encryption Key in Vault. You need to do the following:
- Store an enterprise license key in Vault’s KV2 secrets engine.
- Create Vault Policies that allow read access to the key.
- Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.
Configuring Vault
First, store the license key in Vault:
$ vault kv put secret/consul/enterpriselicense key="<enterprise license>"
Next, you will need to create a policy that allows read access to this secret:
path "secret/data/consul/enterpriselicense" {
capabilities = ["read"]
}
enterpriselicense-policy.hcl
$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl
Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in Vault Kubernetes Auth Method.
Next, you will create Kubernetes auth roles for the Consul server and client:
$ vault write auth/kubernetes/role/consul-server \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
$ vault write auth/kubernetes/role/consul-client \
bound_service_account_names=<Consul client service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=enterpriselicense-policy \
ttl=1h
To find out the service account names of the Consul server and client, you can run the following helm template
commands with your Consul on Kubernetes values file:
Generate Consul server service account name
$ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
Generate Consul client service account name
$ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
Deploying the Consul Helm chart
Now that you have configured Vault, you can configure the Consul Helm chart to use the enterprise license key in Vault:
global:
secretsBackend:
vault:
enabled: true
consulServerRole: consul-server
consulClientRole: consul-client
enterpriseLicense:
secretName: secret/data/consul/enterpriselicense
secretKey: key
values.yaml
Note that global.enterpriseLicense.secretName
is the path of the secret in Vault. This should be the same path as the one you included in your Vault policy. global.enterpriseLicense.secretKey
is the key inside the secret data. This should be the same as the key you passed when creating the enterprise license secret in Vault.