Storing Gossip Encryption Key in Vault

To use a gossip encryption key stored in Vault we need the following:

  1. Generate and store an encryption key in Vault.
  2. Create policies that will allow Consul client and server to access that key.
  3. Create Kubernetes auth roles that link the policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.

Configuring Vault

First, generate and store the gossip key in Vault:

    $ vault kv put secret/consul/gossip key="$(consul keygen)"

Next, we will need to create a policy that allows read access to this secret:

    path "secret/data/consul/gossip" {
      capabilities = ["read"]
    }

gossip-policy.hcl

    $ vault policy write gossip-policy gossip-policy.hcl

Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in Vault Kubernetes Auth Method.

Next, we will create Kubernetes auth roles for the Consul server and client:

    $ vault write auth/kubernetes/role/consul-server \
        bound_service_account_names=<Consul server service account> \
        bound_service_account_namespaces=<Consul installation namespace> \
        policies=gossip-policy \
        ttl=1h

    $ vault write auth/kubernetes/role/consul-client \
        bound_service_account_names=<Consul client service account> \
        bound_service_account_namespaces=<Consul installation namespace> \
        policies=gossip-policy \
        ttl=1h

To find out the service account names of the Consul server and client, you can run the following helm template commands with your Consul on Kubernetes values file:

  • Generate Consul server service account name

      $ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul

  • Generate Consul client service account name

      $ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul

Deploying the Consul Helm chart

Now that we’ve configured Vault, you can configure the Consul Helm chart to use the gossip key in Vault:

    global:
      secretsBackend:
        vault:
          enabled: true
          consulServerRole: consul-server
          consulClientRole: consul-client
      gossipEncryption:
        secretName: secret/data/consul/gossip
        secretKey: key

values.yaml

Note that global.gossipEncryption.secretName is the path of the secret in Vault. This should be the same path as the one you’d include in your Vault policy. global.gossipEncryption.secretKey is the key inside the secret data. This should be the same as the key we passed when we created the gossip secret in Vault.
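
The path and key matching described above can be checked before running helm install. The script below is an added example, not part of the Consul documentation: its function names are hypothetical, and it assumes a KV version 2 mount (as the secret/data/... policy path implies), two-space YAML indentation, and policy rules that name the exact path without globs.

```shell
#!/bin/sh
# Added example (not from the Consul docs): pre-deploy lint for the gossip key wiring.
# Assumes a KV v2 mount, 2-space YAML indentation and exact-path policy rules.

# Print a field under global.gossipEncryption. $1 = values file, $2 = field name
gossip_value() {
  awk -v want="$2" '
    /^[^ #]/   { in_global = ($1 == "global:"); in_ge = 0; next }
    /^  [^ #]/ { in_ge = (in_global && $1 == "gossipEncryption:"); next }
    in_ge && $1 == (want ":") { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# Succeed if the policy grants "read" on exactly this path. $1 = policy file, $2 = path
policy_allows_read() {
  awk -v want="$2" '
    $1 == "path" { gsub(/"/, "", $2); cur = $2 }
    $1 == "capabilities" && cur == want && /"read"/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# $1 = values file, $2 = policy file, $3 = field name used in `vault kv put`
lint_gossip_config() {
  name=$(gossip_value "$1" secretName)
  key=$(gossip_value "$1" secretKey)
  if [ -z "$name" ] || [ -z "$key" ]; then echo "gossipEncryption not set"; return 1; fi
  case "$name" in
    */data/*) ;;
    *) echo "secretName '$name' is a CLI path; KV v2 reads need <mount>/data/..."; return 1 ;;
  esac
  policy_allows_read "$2" "$name" || { echo "policy grants no read on $name"; return 1; }
  [ "$key" = "$3" ] || { echo "secretKey '$key' does not match stored field '$3'"; return 1; }
  echo "ok: $name field $key"
}

# Constructed sample files mirroring the page's values.yaml and gossip-policy.hcl.
demo=$(mktemp -d)
printf '%s\n' 'global:' '  secretsBackend:' '    vault:' '      enabled: true' \
  '  gossipEncryption:' '    secretName: secret/data/consul/gossip' \
  '    secretKey: key' > "$demo/values.yaml"
printf '%s\n' 'path "secret/data/consul/gossip" {' '  capabilities = ["read"]' '}' \
  > "$demo/gossip-policy.hcl"
# Same values, but with the CLI-style path from `vault kv put` (a common slip).
sed 's#secret/data/consul#secret/consul#' "$demo/values.yaml" > "$demo/bad-values.yaml"

lint_gossip_config "$demo/values.yaml" "$demo/gossip-policy.hcl" key
lint_gossip_config "$demo/bad-values.yaml" "$demo/gossip-policy.hcl" key || true
```

A failed lint here corresponds to the Consul pods being unable to read the gossip key at startup, either because Vault denies the request or because the named field is absent from the secret.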