With the Consul storage backend, Vault data is stored in Consul's key-value store. Vault's own documentation for the Consul storage backend can be found here.
```yaml
apiVersion: kubevault.com/v1alpha1
kind: VaultServer
metadata:
  name: vault
  namespace: demo
spec:
  replicas: 1
  version: "1.2.0"
  serviceTemplates:
  - alias: vault
    metadata:
      annotations:
        name: vault
    spec:
      type: NodePort
  backend:
    consul:
      address: "http://my-service.demo.svc:8500"
      path: "vault"
  unsealer:
    secretShares: 4
    secretThreshold: 2
    mode:
      kubernetesSecret:
        secretName: vault-keys
```
If you need to disable the server from executing the mlock syscall, you can provide disable_mlock in a ConfigMap and mention the name in
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: extra-config
  namespace: demo
data:
  vault.hcl: |
    disable_mlock = true
```
To use Consul as a storage backend, we first need to deploy Consul. Documentation for deploying Consul in Kubernetes can be found here. Below is an example YAML for deploying Consul, suitable for demo purposes only:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: consul-example
  namespace: demo
  labels:
    app: consul
spec:
  containers:
  - name: example
    image: "consul:latest"
  restartPolicy: Never
---
kind: Service
apiVersion: v1
metadata:
  name: my-service
  namespace: demo
spec:
  selector:
    app: consul
  ports:
  - protocol: TCP
    port: 8500
  type: NodePort
```
```yaml
spec:
  backend:
    consul:
      address: <address_of_consul_agent>
      checkTimeout: <check_interval>
      consistencyMode: <consul_consistency_mode>
      disableRegistration: <disable_registration>
      maxParallel: <max_number_of_concurrent_request>
      path: <key-value_store_path>
      scheme: <scheme_type>
      service: <service_name>
      serviceTags: <list_of_tags>
      serviceAddress: <service_specific_address>
      aclTokenSecretName: <aclToken_secret_name>
      sessionTTL: <minimum_allowed_session_TTL>
      lockWaitTime: <time_before_lock_acquisition>
      tlsSecretName: <secret_name>
      tlsMinVersion: <minimum_TLS_version>
      tlsSkipVerify: <boolean_value>
```
Here, we are going to describe the various attributes of the
Specifies the address of the Consul agent to communicate with. This can be an IP address, DNS record, or Unix socket. It is recommended that you communicate with a local Consul agent rather than directly with a Consul server.
```yaml
spec:
  backend:
    consul:
      address: "127.0.0.1:8500"
```
Specifies the check interval used to send health check information back to Consul. This is specified as a duration with a unit suffix, like "30s" or "1h".
```yaml
spec:
  backend:
    consul:
      checkTimeout: "5s"
```
Specifies the Consul consistency mode. Possible values are "default" or "strong".
```yaml
spec:
  backend:
    consul:
      consistencyMode: "default"
```
Specifies whether Vault should register itself with Consul.
```yaml
spec:
  backend:
    consul:
      disableRegistration: "false"
```
Specifies the maximum number of concurrent requests to Consul.
```yaml
spec:
  backend:
    consul:
      maxParallel: "128"
```
Specifies the path in Consul's key-value store where Vault data will be stored.
```yaml
spec:
  backend:
    consul:
      path: "vault"
```
Specifies the scheme to use when communicating with Consul. This can be set to "http" or "https". It is highly recommended that you communicate with Consul over https for any non-local connection. When communicating over a Unix socket, this option is ignored.
```yaml
spec:
  backend:
    consul:
      scheme: "http"
```
Specifies the name of the service to register in Consul.
```yaml
spec:
  backend:
    consul:
      service: "vault"
```
Specifies a comma-separated list of tags to attach to the service registration in Consul.
```yaml
spec:
  backend:
    consul:
      serviceTags: ""
```
Specifies a service-specific address to set on the service registration in Consul. If unset, Vault will use what it knows to be the HA redirect address, which is usually desirable. Setting this parameter to "" will tell Consul to leverage the configuration of the node the service is registered on dynamically.
```yaml
spec:
  backend:
    consul:
      serviceAddress: ""
```
Specifies the name of the Secret that contains an ACL token with permission to read and write the path in Consul's key-value store. The ACL token should be stored in
```yaml
spec:
  backend:
    consul:
      aclTokenSecretName: aclcred
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aclcred
  namespace: demo
data:
  aclToken: |-
    ZGF0YQ==
```
Specifies the minimum allowed session TTL. The Consul server has a lower limit of 10s on the session TTL by default. The value of session_ttl here cannot be less than 10s unless session_ttl_min in the Consul server's configuration has been set to a smaller value.
```yaml
spec:
  backend:
    consul:
      sessionTTL: "15s"
```
Specifies the wait time before a lock acquisition is made. This affects the minimum time it takes to cancel a lock acquisition.
```yaml
spec:
  backend:
    consul:
      lockWaitTime: "15s"
```
Specifies the name of the Secret that contains the tls_ca_file, tls_cert_file and tls_key_file used for Consul communication.
```yaml
spec:
  backend:
    consul:
      tlsSecretName: tls
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls
  namespace: demo
data:
  ca.crt: eyJtc2ciOiJleGFtcGxlIn0=
  client.crt: eyJtc2ciOiJleGFtcGxlIn0=
  client.key: eyJtc2ciOiJleGFtcGxlIn0=
```
Specifies the minimum TLS version to use. Accepted values are "tls10", "tls11" or "tls12".
```yaml
spec:
  backend:
    consul:
      tlsMinVersion: "tls12"
```
Disables verification of TLS certificates. Using this option is highly discouraged. It is a boolean value.

```yaml
spec:
  backend:
    consul:
      tlsSkipVerify: false
```
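The attributes above interact: a non-local `address` should be paired with `scheme: https`, `tlsSkipVerify` should stay false, `tlsMinVersion` should be `tls12`, and the Secrets named by `aclTokenSecretName` and `tlsSecretName` must carry the expected keys (`aclToken`; `ca.crt`, `client.crt`, `client.key`). The following lint script, an added example and not KubeVault's own tooling, checks a VaultServer manifest and its referenced Secrets against those recommendations. It takes the manifests as already-parsed dicts (the shape `yaml.safe_load()` returns), and the two sample manifests are constructed here: one mirrors the demo VaultServer from this page, the other is a hardened variant.

```python
"""Lint spec.backend.consul of a KubeVault VaultServer manifest (added example).

Manifests are passed as parsed dicts; in practice load them with yaml.safe_load().
"""
from typing import Dict, List, Set
from urllib.parse import urlsplit

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_local_address(address: str) -> bool:
    """True for a Unix socket or a loopback host, in host:port or URL form."""
    if address.startswith("unix://") or address.startswith("/"):
        return True
    # urlsplit needs a "//" prefix to treat a bare host:port as a netloc.
    target = address if "://" in address else "//" + address
    return (urlsplit(target).hostname or "") in LOCAL_HOSTS


def _check_secret(secrets: Dict[str, dict], name: str, required: Set[str],
                  field: str, findings: List[str]) -> None:
    """Confirm the referenced Secret exists and carries every required data key."""
    secret = secrets.get(name)
    if secret is None:
        findings.append(f"{field} references Secret {name!r}, which was not supplied")
        return
    missing = required - set(secret.get("data", {}))
    if missing:
        findings.append(f"Secret {name!r} is missing keys: {', '.join(sorted(missing))}")


def lint_consul_backend(vault_server: dict, secrets: Dict[str, dict]) -> List[str]:
    """Return a list of findings for spec.backend.consul; empty means clean."""
    findings: List[str] = []
    consul = vault_server.get("spec", {}).get("backend", {}).get("consul")
    if consul is None:
        return ["spec.backend.consul is not set"]

    address = consul.get("address", "")
    if not address:
        findings.append("address is required")
    # The page's demo embeds the scheme in the address; honour it when scheme is unset.
    scheme = consul.get("scheme")
    if scheme is None and "://" in address:
        scheme = address.split("://", 1)[0]

    if address and not is_local_address(address):
        findings.append("address is not a local Consul agent (a local agent is recommended)")
        if scheme != "https":
            findings.append("non-local Consul address without scheme https")

    if str(consul.get("tlsSkipVerify", "false")).lower() == "true":
        findings.append("tlsSkipVerify is true: TLS certificate verification is disabled")
    min_version = consul.get("tlsMinVersion")
    if min_version in ("tls10", "tls11"):
        findings.append(f"tlsMinVersion {min_version} is below tls12")

    if "aclTokenSecretName" not in consul:
        findings.append("aclTokenSecretName is not set; Consul ACL token not configured")
    else:
        _check_secret(secrets, consul["aclTokenSecretName"], {"aclToken"},
                      "aclTokenSecretName", findings)
    if scheme == "https" and "tlsSecretName" in consul:
        _check_secret(secrets, consul["tlsSecretName"],
                      {"ca.crt", "client.crt", "client.key"}, "tlsSecretName", findings)
    return findings


# Constructed sample manifests, keyed by Secret name for lookup.
DEMO_SECRETS = {
    "aclcred": {"kind": "Secret", "data": {"aclToken": "ZGF0YQ=="}},
    "tls": {"kind": "Secret", "data": {"ca.crt": "eyJtc2ciOiJleGFtcGxlIn0=",
                                       "client.crt": "eyJtc2ciOiJleGFtcGxlIn0=",
                                       "client.key": "eyJtc2ciOiJleGFtcGxlIn0="}},
}
# Mirrors the demo VaultServer on this page: plaintext http, no ACL token.
DEMO_VAULT_SERVER = {"spec": {"backend": {"consul": {
    "address": "http://my-service.demo.svc:8500", "path": "vault"}}}}
# Hardened variant: local agent, https with client certs, ACL token, tls12.
HARDENED_VAULT_SERVER = {"spec": {"backend": {"consul": {
    "address": "127.0.0.1:8500", "scheme": "https", "path": "vault",
    "tlsSecretName": "tls", "tlsMinVersion": "tls12", "tlsSkipVerify": False,
    "aclTokenSecretName": "aclcred"}}}}

if __name__ == "__main__":
    for label, manifest in (("demo", DEMO_VAULT_SERVER), ("hardened", HARDENED_VAULT_SERVER)):
        print(label, lint_consul_backend(manifest, DEMO_SECRETS) or ["ok"])
```

Running the script reports three findings for the demo manifest (non-local agent, no https, no ACL token) and none for the hardened one. In a cluster the same checks can be run over `kubectl get vaultserver,secret -n demo -o yaml` output after parsing it with PyYAML.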