Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix formatting for webhook-certs Consul tutorial #17810

Merged
merged 4 commits into from
Jun 20, 2023
Merged

Fix formatting for webhook-certs Consul tutorial #17810

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3944380
Fix formatting for webhook-certs Consul tutorial
stevenzamborsky Nov 18, 2022
ddcee84
Merge branch 'main' into docs/webhook-certs-tutorial-fixes
stevenzamborsky Jun 20, 2023
d65060e
Merge branch 'main' into docs/webhook-certs-tutorial-fixes
Jun 20, 2023
fb600b4
Make a small grammar change to also pick up whitespace changes necess…
stevenzamborsky Jun 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions ...ent/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@ In a Consul Helm chart configuration that does not use Vault, `webhook-cert-mana

When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes:
- `webhook-cert-manager` is no longer deployed to the cluster.
- controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
- controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
- controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Controller and connect inject each get their webhook certificates from its own Vault PKI mount via the injected Vault Agent.
- Controller and connect inject each need to be configured with its own Vault Role that has necessary permissions to receive certificates from its respective PKI mount.
- Controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Vault manages certificate rotation and rotates certificates to each webhook.

To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section:
Expand Down Expand Up @@ -112,6 +112,7 @@ this is required for the Consul components to communicate with the Consul server
}
EOF
```

1. Configure allowed domains for PKI certificates.

```shell-session
Expand Down Expand Up @@ -153,10 +154,10 @@ this is required for the Consul components to communicate with the Consul server

1. Finally, Kubernetes auth roles need to be created for controller and connect inject webhooks.


The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controllerRole` and `global.secretsBackend.vault.connectInjectRole` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).

Role for Consul controller webhooks:

```shell-session
$ vault write auth/kubernetes/role/controller-role \
bound_service_account_names=<Consul controller service account> \
Expand Down