Update guidance for vault PKI CA provider #15422
@@ -13,6 +13,8 @@ This topic describes how to configure the Consul Helm chart to use TLS certifica | |||
Consul allows using Kubernetes auth methods to configure Connect CA. | |||
This allows for automatic token rotation once the renewal is no longer possible. | |||
|
|||
~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh and all actions (if using auto-encrypt or auto-config, and using mTLS for server-to-server communication). If you are already using Vault 1.11+ as a Connect CA, refer to the [Knowledge Base article]() for more information about the underlying cause and recommended workaround. |
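Review bot: the Knowledge Base link in the added note has an empty target (`[Knowledge Base article]()`), so it will render as a dead link; the URL needs to be filled in before this merges. Two wording problems on the same line: a CA issues leaf certificates, not "leaf nodes", and "required by service mesh and all actions (if using auto-encrypt or auto-config, and using mTLS for server-to-server communication)" never says what "all actions" are or whose certificates are meant. Suggest naming the consumers directly, e.g. "unable to issue the leaf certificates required by service mesh, and by Consul client agents if using auto-encrypt or auto-config".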
I had been wondering about whether we needed anything about the Consul k8s integration with Vault as a general secrets backend, but it looks like you've already covered that here. I initially thought it might need to go on the overview page too (https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault), but it looks like you have to opt into the different kinds of secrets, and this page covers opting into using Vault as the CA... so I think that's all that we need?
update kb
website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx
@im2nguyen : I left a comment on some small proposed tweaks, but I'm marking approved so I'm not blocking.
website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
LGTM
@@ -29,6 +29,8 @@ must be met: | |||
were introduced in Vault 0.10.3. Prior versions of Vault are not | |||
compatible with Connect. | |||
|
|||
~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh and all actions (if using auto-encrypt or auto-config, and using mTLS for server-to-server communication). Refer to the [Knowledge Base article]() for more information about the underlying cause and recommended workaround. |
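Review bot: this hunk has the same empty link target (`[Knowledge Base article]()`) and the same "leaf nodes" wording as the connect-ca.mdx hunk; both need the URL and should say "leaf certificates". This variant also drops the "If you are already using Vault 1.11+" qualifier, so it sends every reader to the KB article rather than only those already affected; the two pages should use one phrasing so the guidance does not diverge between the Kubernetes and the non-Kubernetes docs.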
Do we want to say "Do not use" or should we say something like "Known Issue" instead?
I would rather default to an action so users know what to do 😄
@@ -29,6 +29,8 @@ must be met: | |||
were introduced in Vault 0.10.3. Prior versions of Vault are not | |||
compatible with Connect. | |||
|
|||
~> **Note:** Do not use Vault v1.11.0+ as Consul's Connect CA provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh, and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication. If you are already using Vault 1.11+ as a Connect CA, refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround. |
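Review bot: the note states an open-ended range ("Vault v1.11.0+") without saying whether a later Vault or Consul release resolves the issue, so the guidance will silently go stale once a fix ships; suggest stating the affected Consul versions or the fix version if known, or wording it as "Until this is resolved, do not use ...". Two smaller points on the same line: "leaf nodes" should read "leaf certificates", and the note spells the version both as "v1.11.0+" and "1.11+"; pick one.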
Can we change the text to this?
Current: If you are already using Vault 1.11+ as a Connect CA, refer to the Knowledge Base article
Change requested:
If you are already using Vault 1.11+ as a Connect CA, refer to this Knowledge Base article