Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Vault as a secrets backend #904

Merged
merged 21 commits into from
Dec 7, 2021
Merged

Add support for Vault as a secrets backend #904

merged 21 commits into from
Dec 7, 2021

Conversation

kschoche
Copy link
Contributor

@kschoche kschoche commented Dec 7, 2021
edited
Loading

Changes proposed in this PR:

  • Add support for Vault as a secrets backend for gossip-encryption, Server TLS certificates and mesh certificates.
  • This allows a user to bootstrap their Consul cluster with Vault secrets, removing the use of Kubernetes secrets for the supported features.
  • Autoencrypt is required.

How I've tested this PR:
Acceptance Tests, unit tests and manual testing.

How I expect reviewers to test this PR:
Code review 👀
It would be fantastic to pay extra attention to the fields in values.yaml as that will serve as a baseline for documentation for users.
All commits in consul-vault-base are part of the feature-branch and have already been reviewed.

TODO: Add changelog entries, resolve merge issues and add a gist with testing steps for manual testing.

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

kschoche and others added 15 commits October 20, 2021 21:16
@kschoche
test
92a5a4f
@kschoche
test
8171ec5
@kschoche
change something
3ba20ec
@kschoche
clean this up
3a0f5a3
@kschoche
remove interface and make bootstrap part of Create
08daf43
@kschoche
clean up the framework a bit
a7ad878
@kschoche @ishustava
Apply suggestions from code review
d0de8e6 
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
@kschoche
review comments
da47c6e
@kschoche
fix lint
400fda6
@kschoche
Merge branch 'vault-acceptance-base' into consul-vault-base
3808657
@kschoche
Merge branch 'main' into consul-vault-base
01e9974
@kschoche @ishustava
Bootstrap gossip encryption with Vault (#811)
80102a5 
* Add base bootstrapping logic and acceptance tests for gossip encryption in Vault

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
@ishustava
Add configuration for the vault Connect CA provider (#872)
9c515aa
@ishustava
Support Vault server running with TLS (#874)
84f1a8e 
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test
* Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods:
      * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here
      * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key>
* Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.
@kschoche @ishustava @lkysow
Server TLS bootstrapping (#881)
738d80e 
* Support Vault server running with TLS (#874)
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test
* Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods:
      * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here
      * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key>
* Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.

* add terminating and ingress gateways TLS support (#894)
* Support TLS with vault for the server-acl-init job (#889)
* Support TLS with Vault for the sync catalog deployment (#890)
* Support server TLS with vault for the client snapshot agent deployment (#891)

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
@kschoche kschoche added the vault label Dec 7, 2021
@kschoche kschoche self-assigned this Dec 7, 2021
@kschoche kschoche marked this pull request as ready for review December 7, 2021 03:10
thisisnotashwin
thisisnotashwin approved these changes Dec 7, 2021
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 ㊙️

@kschoche kschoche requested review from lkysow and t-eckert December 7, 2021 16:14
lkysow
lkysow approved these changes Dec 7, 2021
View reviewed changes
Copy link
Member

@lkysow lkysow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some suggestions.

CHANGELOG.md Outdated Show resolved Hide resolved
charts/consul/values.yaml Show resolved Hide resolved
charts/consul/values.yaml Outdated Show resolved Hide resolved
charts/consul/values.yaml Show resolved Hide resolved
charts/consul/values.yaml Outdated Show resolved Hide resolved
charts/consul/values.yaml Outdated Show resolved Hide resolved
kschoche and others added 2 commits December 7, 2021 14:28
@kschoche @lkysow
Apply suggestions from code review
adc71ca 
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
@kschoche @lkysow
Apply suggestions from code review
5df0004 
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
@kschoche kschoche merged commit 053af17 into main Dec 7, 2021
@kschoche kschoche deleted the consul-vault-base branch December 7, 2021 20:57
This was referenced Dec 7, 2021
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thisisnotashwin thisisnotashwin thisisnotashwin approved these changes

@lkysow lkysow lkysow approved these changes

@t-eckert t-eckert Awaiting requested review from t-eckert

Assignees

@kschoche kschoche

Labels
vault
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kschoche @lkysow @thisisnotashwin @ishustava