Storing the ACL Partition Token in Vault
This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault.
Overview
To use an ACL partition token stored in Vault, we will follow the steps outlined in the Data Integration section:
One time setup in Vault
- Store the secret in Vault.
- Create a Vault policy that authorizes the desired level of access to the secret.
Setup per Consul datacenter
- Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
- Update the Consul on Kubernetes helm chart.
Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
- Read and completed the steps in the Systems Integration section of Vault as a Secrets Backend.
- Read the Data Integration Overview section of Vault as a Secrets Backend.
One time setup in Vault
Generate and Store the Secret in Vault
First, generate and store the ACL partition token in Vault:
$ vault kv put secret/consul/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
$ vault kv put secret/consul/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
Create a Vault policy that authorizes the desired level of access to the secret
Note: The secret path referenced by the Vault Policy below will be your global.acls.partitionToken.secretName
Helm value.
Next, you will need to create a policy that allows read access to this secret:
path "secret/data/consul/partition-token" {
capabilities = ["read"]
}
partition-token-policy.hcl
path "secret/data/consul/partition-token" {
capabilities = ["read"]
}
Apply the Vault policy by issuing the vault policy write
CLI command:
$ vault policy write partition-token-policy partition-token-policy.hcl
$ vault policy write partition-token-policy partition-token-policy.hcl
Setup per Consul datacenter
Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access
Next, you will create Kubernetes auth roles for the Consul server-acl-init
job:
$ vault write auth/kubernetes/role/consul-server-acl-init \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=partition-token-policy \
ttl=1h
$ vault write auth/kubernetes/role/consul-server-acl-init \
bound_service_account_names=<Consul server service account> \
bound_service_account_namespaces=<Consul installation namespace> \
policies=partition-token-policy \
ttl=1h
To find out the service account name of the Consul server, you can run the following helm template
command with your Consul on Kubernetes values file:
$ helm template --release-name ${RELEASE_NAME} -s templates/server-acl-init-serviceaccount.yaml hashicorp/consul
$ helm template --release-name ${RELEASE_NAME} -s templates/server-acl-init-serviceaccount.yaml hashicorp/consul
Update the Consul on Kubernetes helm chart
Now that you have configured Vault, you can configure the Consul Helm chart to use the ACL partition token key in Vault:
global:
secretsBackend:
vault:
enabled: true
manageSystemACLsRole: consul-server-acl-init
acls:
partitionToken:
secretName: secret/data/consul/partition-token
secretKey: token
values.yaml
global:
secretsBackend:
vault:
enabled: true
manageSystemACLsRole: consul-server-acl-init
acls:
partitionToken:
secretName: secret/data/consul/partition-token
secretKey: token
Note that global.acls.partitionToken.secretName
is the path of the secret in Vault. This should be the same path as the one you included in your Vault policy. global.acls.partitionToken.secretKey
is the key inside the secret data. This should be the same as the key you passed when creating the ACL partition token secret in Vault.