HashiConf 2024 Now streaming live from Boston! Attend for free
Consul
Consul Home

You are viewing documentation for version v1.11.x. View latest version.

Storing the Enterprise License in Vault

To use an enterprise license stored in Vault, the steps will be similar to Storing Gossip Encryption Key in Vault. You need to do the following:

  1. Store an enterprise license key in Vault's KV2 secrets engine.
  2. Create Vault Policies that allow read access to the key.
  3. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.

Configuring Vault

First, store the license key in Vault:

$ vault kv put secret/consul/enterpriselicense key="<enterprise license>"

Next, you will need to create a policy that allows read access to this secret:

enterpriselicense-policy.hcl

path "secret/data/consul/enterpriselicense" {
  capabilities = ["read"]
}

$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl

Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in Vault Kubernetes Auth Method.

Next, you will create Kubernetes auth roles for the Consul server and client:

$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=enterpriselicense-policy \
    ttl=1h

$ vault write auth/kubernetes/role/consul-client \
    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=enterpriselicense-policy \
    ttl=1h

To find out the service account names of the Consul server and client, you can run the following helm template commands with your Consul on Kubernetes values file:

  • Generate Consul server service account name

    $ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul

  • Generate Consul client service account name

    $ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul

Deploying the Consul Helm chart

Now that you have configured Vault, you can configure the Consul Helm chart to use the enterprise license key in Vault:

values.yaml

global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  enterpriseLicense:
    secretName: secret/data/consul/enterpriselicense
    secretKey: key

Note that global.enterpriseLicense.secretName is the path of the secret in Vault. This should be the same path as the one you included in your Vault policy. global.enterpriseLicense.secretKey is the key inside the secret data. This should be the same as the key you passed when creating the enterprise license secret in Vault.