From 365fcd0148e8cb5f57523d88cc7246593386dd9a Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:20:51 +0100 Subject: [PATCH 01/12] rename the KV secret engine --- .../k8s/deployment-configurations/vault/systems-integration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx index 7c4de80bba61..a35a9969e24a 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx @@ -34,7 +34,7 @@ The following secrets can be stored in Vault KV secrets engine, which is meant t In order to store any of these secrets, we must enable the [Vault KV secrets engine - Version 2](/vault/docs/secrets/kv/kv-v2). ```shell-session -$ vault secrets enable -path=consul kv-v2 +$ vault secrets enable -path=consul-kv kv-v2 ``` ## Vault PKI Engine From c19ead96bcf4d0518a5fd3f5cb17fd5c4488bb59 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:29:28 +0100 Subject: [PATCH 02/12] update WAN federation guide --- .../vault/wan-federation.mdx | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx index 041b73033fc3..3afcbb7072c4 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx 
@@ -129,7 +129,7 @@ Repeat the following steps for each datacenter in the cluster: 1. Enable [Vault KV secrets engine - Version 2](/vault/docs/secrets/kv/kv-v2) in order to store the [Gossip Encryption Key](/consul/docs/k8s/helm#v-global-acls-replicationtoken) and the ACL Replication token ([`global.acls.replicationToken`](/consul/docs/k8s/helm#v-global-acls-replicationtoken)). ```shell-session - $ vault secrets enable -path=consul kv-v2 + $ vault secrets enable -path=consul-kv kv-v2 ``` 1. Enable Vault PKI Engine in order to leverage Vault for issuing Consul Server TLS certificates. @@ -314,15 +314,15 @@ Repeat the following steps for each datacenter in the cluster: 1. Store the ACL bootstrap and replication tokens, gossip encryption key, and root CA certificate secrets in Vault. ```shell-session - $ vault kv put consul/secret/gossip key="$(consul keygen)" + $ vault kv put consul-kv/secret/gossip key="$(consul keygen)" ``` ```shell-session - $ vault kv put consul/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + $ vault kv put consul-kv/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ```shell-session - $ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + $ vault kv put consul-kv/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ```shell-session $ vault write pki/root/generate/internal common_name="Consul CA" ttl=87600h @@ -332,7 +332,7 @@ Repeat the following steps for each datacenter in the cluster: ```shell-session $ vault policy write gossip - < Date: Fri, 22 Dec 2023 13:34:22 +0100 Subject: [PATCH 03/12] update snapshot-agent doc --- .../vault/data-integration/snapshot-agent-config.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx index 235ef68f8454..532b415b0954 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx @@ -29,7 +29,7 @@ Before you set up data integration between Vault and Consul on Kubernetes, compl First, store the snapshot agent config in Vault: ```shell-session -$ vault kv put secret/consul/snapshot-agent-config key="" +$ vault kv put consul-kv/secret/snapshot-agent-config key="" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same values that ```HCL -path "secret/data/consul/snapshot-agent-config" { +path "consul-kv/data/secret/snapshot-agent-config" { capabilities = ["read"] } ``` @@ -91,7 +91,7 @@ global: client: snapshotAgent: configSecret: - secretName: secret/data/consul/snapshot-agent-config + secretName: consul-kv/data/secret/snapshot-agent-config secretKey: key ``` From 3a468f91cfd9e332496bac98906594697d2df5ed Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:35:51 +0100 Subject: [PATCH 04/12] update replication doc --- .../vault/data-integration/replication-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx index a7f351d54a7e..6d6077facdac 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx 
@@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL replication token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/replication-token" { +path "consul-kv/data/secret/replication-token" { capabilities = ["read"] } ``` @@ -88,7 +88,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: replicationToken: - secretName: secret/data/consul/replication-token + secretName: consul-kv/data/secret/replication-token secretKey: token ``` From 18919c935607f9e9716530b76dba704ad034abc3 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:36:48 +0100 Subject: [PATCH 05/12] update partition doc --- .../vault/data-integration/partition-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx index b646a6f80302..329c96ebef09 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx 
@@ -30,7 +30,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL partition token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -42,7 +42,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/partition-token" { +path "consul-kv/data/secret/consul/partition-token" { capabilities = ["read"] } ``` @@ -90,7 +90,7 @@ global: adminPartitionsRole: consul-partition-init acls: partitionToken: - secretName: secret/data/consul/partition-token + secretName: consul-kv/data/secret/partition-token secretKey: token ``` From a11916e00de940b5837b749f37ef82b760a9f3a1 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:37:55 +0100 Subject: [PATCH 06/12] update gossip doc --- .../vault/data-integration/gossip.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx index 186ae3f7dc4f..c6c71875a56c 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the gossip key in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/gossip key="$(consul keygen)" +$ vault kv put consul-kv/secret/gossip key="$(consul keygen)" ``` ## Create Vault policy 
@@ -40,7 +40,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/gossip" { +path "consul-kv/data/secret/gossip" { capabilities = ["read"] } ``` @@ -101,7 +101,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client gossipEncryption: - secretName: secret/data/consul/gossip + secretName: consul-kv/data/secret/gossip secretKey: key ``` From 1cb00ebe14523ec390d9ce0ea172a0324f41678f Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:38:55 +0100 Subject: [PATCH 07/12] update ent-license doc --- .../vault/data-integration/enterprise-license.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index ef3ab8eaafcb..ba14e380b15a 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, store the enterprise license in Vault: ```shell-session -$ vault kv put secret/consul/license key="" +$ vault kv put consul-kv/secret/license key="" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/license" { +path "consul-kv/data/secret/license" { capabilities = ["read"] } ``` @@ -103,7 +103,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client enterpriseLicense: - secretName: secret/data/consul/enterpriselicense + secretName: consul-kv/data/secret/enterpriselicense secretKey: key ``` From 1dde571810dabfc59b8a4422ea6ced7fc0ba7f99 Mon Sep 17 00:00:00 2001 
From: Krastin Krastev Date: Fri, 22 Dec 2023 13:40:52 +0100 Subject: [PATCH 08/12] update bootstrap-token doc --- .../vault/data-integration/bootstrap-token.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx index 582f781c236b..ea63dc992428 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, generate and store the ACL bootstrap token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put secret/consul/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put consul-kv/secret/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "secret/data/consul/bootstrap-token" { +path "consul-kv/data/secret/bootstrap-token" { capabilities = ["read"] } ``` @@ -88,7 +88,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: bootstrapToken: - secretName: secret/data/consul/bootstrap-token + secretName: consul-kv/data/secret/bootstrap-token secretKey: token ``` From 3133a14fb09d8ddc47d372275acd794616a6e824 Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Fri, 22 Dec 2023 13:41:45 +0100 Subject: [PATCH 09/12] update index doc --- .../deployment-configurations/vault/data-integration/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 2ce631b9cec7..dfa98e852e24 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -95,7 +95,7 @@ For example, if your Consul on Kubernetes servers need access to [Consul Server ```HCL - path "secret/data/consul/license" { + path "consul-kv/data/secret/license" { capabilities = ["read"] } ``` From bab05ad0578455f201d0988582fdc3fb1533698e Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Tue, 2 Jan 2024 11:42:13 +0100 Subject: [PATCH 10/12] fix license kv path --- .../vault/data-integration/enterprise-license.mdx | 4 ++-- .../vault/data-integration/index.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index ba14e380b15a..9b32cf468ebb 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx @@ -29,7 +29,7 @@ Prior to setting up the data integration between Vault and Consul on Kubernetes, First, store the enterprise license in Vault: ```shell-session -$ vault kv put consul-kv/secret/license key="" +$ vault kv put consul-kv/secret/enterpriselicense key="" ``` ## Create Vault policy @@ -41,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/license" { +path "consul-kv/data/secret/enterpriselicense" { capabilities = ["read"] } ``` 
diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index dfa98e852e24..2cd3c7f80a15 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -95,7 +95,7 @@ For example, if your Consul on Kubernetes servers need access to [Consul Server ```HCL - path "consul-kv/data/secret/license" { + path "consul-kv/data/secret/enterpriselicense" { capabilities = ["read"] } ``` From 752434cae75d52152d6817470ffb89756823f83f Mon Sep 17 00:00:00 2001 From: Krastin Krastev Date: Tue, 2 Jan 2024 11:59:22 +0100 Subject: [PATCH 11/12] vault kv path explanation for /data/ --- .../vault/data-integration/index.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 2cd3c7f80a15..86d7b408274a 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -92,6 +92,10 @@ For example, if your Consul on Kubernetes servers need access to [Consul Server 1. Enterprise License + + When using Vault Key-Value Version 2 secrets engines, the `data` field is implicitly required for Vault API calls in the form of "vault-kv2-mount-path/**data**/secret-path". In this example, the key-value data in `consul-kv/secret/enterpriselicense` is accessible for API calls via the `consul-kv/data/secret/enterpriselicense` path. + + ```HCL From 7f4d59e3c8edfa4200550866f67956f09f232ccf Mon Sep 17 00:00:00 2001 
From: Krastin Krastev Date: Fri, 5 Jan 2024 12:52:40 +0200 Subject: [PATCH 12/12] Update website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --- .../deployment-configurations/vault/data-integration/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 86d7b408274a..819d0e4a9751 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -93,7 +93,7 @@ For example, if your Consul on Kubernetes servers need access to [Consul Server 1. Enterprise License - When using Vault Key-Value Version 2 secrets engines, the `data` field is implicitly required for Vault API calls in the form of "vault-kv2-mount-path/**data**/secret-path". In this example, the key-value data in `consul-kv/secret/enterpriselicense` is accessible for API calls via the `consul-kv/data/secret/enterpriselicense` path. + Vault API calls to version 2 of the Key-Value secrets engine require the `data` field in the path configuration. In the following example, the key-value data in `consul-kv/secret/enterpriselicense` becomes accessible for Vault API calls on the `consul-kv/data/secret/enterpriselicense` path.
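Review bot: In PATCH 01 (systems-integration.mdx, the `vault secrets enable -path=consul-kv kv-v2` hunk), renaming the mount changes every secret path on the data-integration pages (PATCH 03 through 09), which previously used the default `secret/` mount and now depend on this enable step having been run. Add a sentence here saying that the mount path itself is arbitrary but must match the `consul-kv/data/secret/...` values used in the policies and Helm `secretName` settings, and have the data-integration pages' prerequisites link back to this step; otherwise a reader with an existing `consul` or `secret` mount gets a permission error with no hint why.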
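Review bot: In PATCH 02 (wan-federation.mdx, the `@@ -129` hunk), the unchanged context line links the Gossip Encryption Key to the `#v-global-acls-replicationtoken` anchor, the same anchor used for the replication token immediately after it. Since this hunk is already being touched, point the gossip link at the `global.gossipEncryption` entry of the Helm reference instead.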
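Review bot: In PATCH 05 (partition-token.mdx, the `@@ -42` policy hunk), the new policy path `consul-kv/data/secret/consul/partition-token` carries a stray `consul/` segment and does not match the secret written in the first hunk (`consul-kv/secret/partition-token`) or the Helm `secretName: consul-kv/data/secret/partition-token` in the third hunk, so the policy grants read on a path that holds no secret and the partition-init job would be denied. It should read `path "consul-kv/data/secret/partition-token" {`.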
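Review bot: In PATCH 07 (enterprise-license.mdx, the `vault kv put consul-kv/secret/license` hunk), the secret is stored and the policy written under `.../secret/license`, while the Helm hunk in the same patch reads `secretName: consul-kv/data/secret/enterpriselicense`, so the series ships a doc whose three steps do not line up; PATCH 09 (index.mdx) repeats the `license` path. PATCH 10 corrects both, so squash it into 07 and 09 rather than leaving a known-broken intermediate commit in the history.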
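Review bot: In PATCH 12 (index.mdx, the reworded explanation hunk), `data` is still described as a "field in the path configuration"; it is a path segment that the KV v2 API inserts between the mount and the secret path, which is why `vault kv put consul-kv/secret/enterpriselicense` (the CLI adds `data/` for you) and the policy and Helm `secretName` value `consul-kv/data/secret/enterpriselicense` refer to the same secret. Stating that contrast explicitly, e.g. "the `vault kv` commands take the mount-relative path without `data/`; policies and `secretName` use the API path with it", would save readers the most common cause of `permission denied` on these pages.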