From 39443801874608270a9ee2169a9541bf34dfa5f7 Mon Sep 17 00:00:00 2001
From: Steven Zamborsky <steven.zamborsky@hashicorp.com>
Date: Fri, 18 Nov 2022 10:30:17 -0500
Subject: [PATCH 1/2] Fix formatting for webhook-certs Consul tutorial

---
 .../vault/data-integration/webhook-certs.mdx  | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
index 867779769acc..9e6184d18b2e 100644
--- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
+++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
@@ -14,9 +14,9 @@ In a Consul Helm chart configuration that does not use Vault, webhook-cert-manag
 
 When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes: 
   - `webhook-cert-manager` is no longer deployed to the cluster.
-  - controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
-  - controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
-  - controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
+  - Controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
+  - Controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
+  - Controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
   - Vault manages certificate rotation and rotates certificates to each webhook.
 
 To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section:
@@ -31,8 +31,8 @@ These following steps will be repeated for each datacenter:
 Complete the following prerequisites prior to implementing the integration described in this topic: 
 1. Verify that you have completed the steps described in [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
 1. You should be familiar with the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
-1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) 
-1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca)
+1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/server-tls).
+1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca).
 
 ## Bootstrapping the PKI Engines
 Issue the following commands to enable and configure the PKI Secrets Engine to serve TLS certificates for the controller and connect inject webhooks:
@@ -71,8 +71,7 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s
           ttl=87600h
   ```
 ## Create Vault Policies
-1. Create a policy that allows `["create", "update"]` access to the
-[certificate issuing URL](https://www.vaultproject.io/api-docs/secret/pki) so Consul controller and connect inject can fetch a new certificate/key pair and provide it to the Kubernetes `mutatingwebhookconfiguration`.
+1. Create a policy that allows `["create", "update"]` access to the [certificate issuing URL](https://www.vaultproject.io/api-docs/secret/pki) so Consul controller and connect inject can fetch a new certificate/key pair and provide it to the Kubernetes `mutatingwebhookconfiguration`.
 
     The path to the secret referenced in the `path` resource is the same value that you will configure in the  `global.secretsBackend.vault.controller.tlsCert.secretName` and `global.secretsBackend.vault.connectInject.tlsCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
 
@@ -92,8 +91,7 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s
     EOF
     ```
 
-1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api-docs/secret/pki#read-certificate),
-this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates.
+1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api-docs/secret/pki#read-certificate), this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates.
 
     The path to the secret referenced in the `path` resource is the same values that you will configure in the  `global.secretsBackend.vault.controller.caCert.secretName` and `global.secretsBackend.vault.connectInject.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
 
@@ -112,6 +110,7 @@ this is required for the Consul components to communicate with the Consul server
     }
     EOF
     ```
+
 1. Configure allowed domains for PKI certificates.
 
     ```shell-session
@@ -153,10 +152,10 @@ this is required for the Consul components to communicate with the Consul server
 
 1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks.
 
-
     The path to the secret referenced in the `path` resource is the same values that you will configure in the  `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
 
     Role for Consul controller webhooks:
+
     ```shell-session
     $ vault write auth/kubernetes/role/controller-role \
         bound_service_account_names=<Consul controller service account> \

From fb600b49d48ab89c516a7524bc5519a780fbb1af Mon Sep 17 00:00:00 2001
From: Steven Zamborsky <steven.zamborsky@hashicorp.com>
Date: Tue, 20 Jun 2023 12:18:07 -0400
Subject: [PATCH 2/2] Make a small grammar change to also pick up whitespace
 changes necessary for formatting

---
 .../vault/data-integration/webhook-certs.mdx  | 62 +++++++++----------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
index 22ec88c8b82c..b615d31fabd7 100644
--- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
+++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
@@ -23,7 +23,7 @@ To use Vault as the controller and connect inject Webhook Certificate Provider,
 
 These following steps will be repeated for each datacenter:
   1. Create a Vault policy that authorizes the desired level of access to the secret.
-  1. (Added) Create Vault PKI roles for controller and connect inject each that establish the domains that each is allowed to issue certificates for.
+  1. (Added) Create Vault PKI roles for controller and connect inject that each establish the domains that each is allowed to issue certificates for.
   1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
   1. Configure the Vault Kubernetes auth roles in the Consul on Kubernetes helm chart.
 
@@ -74,44 +74,44 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s
 1. Create a policy that allows `["create", "update"]` access to the
 [certificate issuing URL](/vault/api-docs/secret/pki) so Consul controller and connect inject can fetch a new certificate/key pair and provide it to the Kubernetes `mutatingwebhookconfiguration`.
 
-    The path to the secret referenced in the `path` resource is the same value that you will configure in the  `global.secretsBackend.vault.controller.tlsCert.secretName` and `global.secretsBackend.vault.connectInject.tlsCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
+  The path to the secret referenced in the `path` resource is the same value that you will configure in the  `global.secretsBackend.vault.controller.tlsCert.secretName` and `global.secretsBackend.vault.connectInject.tlsCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
 
-    ```shell-session
-    $ vault policy write controller-tls-policy - <<EOF
-    path controller/issue/controller-role {
-      capabilities = ["create", "update"]
-    }
-    EOF
-    ```
+  ```shell-session
+  $ vault policy write controller-tls-policy - <<EOF
+  path controller/issue/controller-role {
+    capabilities = ["create", "update"]
+  }
+  EOF
+  ```
 
-    ```shell-session
-    $ vault policy write connect-inject-policy - <<EOF
-    path connect-inject/issue/connect-inject-role {
-      capabilities = ["create", "update"]
-    }
-    EOF
-    ```
+  ```shell-session
+  $ vault policy write connect-inject-policy - <<EOF
+  path connect-inject/issue/connect-inject-role {
+    capabilities = ["create", "update"]
+  }
+  EOF
+  ```
 
 1. Create a policy that allows `["read"]` access to the [CA URL](/vault/api-docs/secret/pki#read-certificate),
 this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates.
 
-    The path to the secret referenced in the `path` resource is the same values that you will configure in the  `global.secretsBackend.vault.controller.caCert.secretName` and `global.secretsBackend.vault.connectInject.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
+  The path to the secret referenced in the `path` resource is the same values that you will configure in the  `global.secretsBackend.vault.controller.caCert.secretName` and `global.secretsBackend.vault.connectInject.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
 
-    ```shell-session
-    $ vault policy write controller-ca-policy - <<EOF
-    path controller/cert/ca {
-      capabilities = ["read"]
-    }
-    EOF
-    ```
+  ```shell-session
+  $ vault policy write controller-ca-policy - <<EOF
+  path controller/cert/ca {
+    capabilities = ["read"]
+  }
+  EOF
+  ```
 
-    ```shell-session
-    $ vault policy write connect-inject-ca-policy - <<EOF
-    path connect-inject/cert/ca {
-      capabilities = ["read"]
-    }
-    EOF
-    ```
+  ```shell-session
+  $ vault policy write connect-inject-ca-policy - <<EOF
+  path connect-inject/cert/ca {
+    capabilities = ["read"]
+  }
+  EOF
+  ```
 
 1. Configure allowed domains for PKI certificates.