Update guidance for vault PKI CA provider #15422
Conversation
github-actions
bot
added
the
type/docs
| @@ -13,6 +13,8 @@ This topic describes how to configure the Consul Helm chart to use TLS certifica | |||
| Consul allows using Kubernetes auth methods to configure Connect CA. | |||
| This allows for automatic token rotation once the renewal is no longer possible. | |||
|
|
|||
| ~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh and all actions (if using auto-encrypt or auto-config, and using mTLS for server-to-server communication). If you are already using Vault 1.11+ as a Connect CA, refer to the [Knowledge Base article]() for more information about the underlying cause and recommended workaround. | |||
There was a problem hiding this comment.
I had been wondering about whether we needed anything about the Consul k8s integration with Vault as a general secrets backend, but it looks like you've already covered that here. I initially thought it might need to go on the overview page too (https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault), but it looks like you have to opt into the different kinds of secrets, and this page covers opting into using Vault as the CA... so I think that's all that we need?
website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx
Outdated
Show resolved
Hide resolved
im2nguyen
added
the
pr/no-changelog
There was a problem hiding this comment.
@im2nguyen : I left a comment on some small proposed tweaks, but I'm marking approved so I'm not blocking.
website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx
Outdated
Show resolved
Hide resolved
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
| @@ -29,6 +29,8 @@ must be met: | |||
| were introduced in Vault 0.10.3. Prior versions of Vault are not | |||
| compatible with Connect. | |||
|
|
|||
| ~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh and all actions (if using auto-encrypt or auto-config, and using mTLS for server-to-server communication). Refer to the [Knowledge Base article]() for more information about the underlying cause and recommended workaround. | |||
There was a problem hiding this comment.
Do we want to say "Do not use" or should we say something like "Known Issue" instead?
There was a problem hiding this comment.
I would rather default to an action so users know what to do 😄
| @@ -29,6 +29,8 @@ must be met: | |||
| were introduced in Vault 0.10.3. Prior versions of Vault are not | |||
| compatible with Connect. | |||
|
|
|||
| ~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh, and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication. If you are already using Vault 1.11+ as a Connect CA, refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround. | |||
There was a problem hiding this comment.
Can we change the to this?
Current: If you are already using Vault 1.11+ as a Connect CA, refer to the Knowledge Base article
Change requested:
If you are already using Vault 1.11+ as a Connect CA, refer to this Knowledge Base article
Description
Describe why you're making this change, in plain English.
Testing & Reproduction steps
Links
Include any links here that might be helpful for people reviewing your PR (Tickets, GH issues, API docs, external benchmarks, tools docs, etc). If there are none, feel free to delete this section.
Please be mindful not to leak any customer or confidential information. HashiCorp employees may want to use our internal URL shortener to obfuscate links.
PR Checklist