New to KubeVault? Please start here.
Consul
In the Consul storage backend, Vault data will be stored in the consul storage container. Vault documentation for Consul storage backend can be found in here
apiVersion: kubevault.com/v1alpha1
kind: VaultServer
metadata:
name: vault
namespace: demo
spec:
replicas: 1
version: "1.2.0"
serviceTemplates:
- alias: vault
metadata:
annotations:
name: vault
spec:
type: NodePort
backend:
consul:
address: "http://my-service.demo.svc:8500"
path: "vault"
unsealer:
secretShares: 4
secretThreshold: 2
mode:
kubernetesSecret:
secretName: vault-keys
If you need to disable the server from executing the mlock
syscall, you can provide disable_mlock in a ConfigMap and mention the name in spec.configSource.configMap.name
.
apiVersion: v1
kind: ConfigMap
metadata:
name: extra-config
namespace: demo
data:
vault.hcl: |
disable_mlock = true
To use Consul as a storage backend, first, we need to deploy Consul. Documentation for deploying Consul in Kubernetes can be found here. Below is an example yaml for deploying Consul suitable for demo purposes:
apiVersion: v1
kind: Pod
metadata:
name: consul-example
namespace: demo
labels:
app: consul
spec:
containers:
- name: example
image: "consul:latest"
restartPolicy: Never
---
kind: Service
apiVersion: v1
metadata:
name: my-service
namespace: demo
spec:
selector:
app: consul
ports:
- protocol: TCP
port: 8500
type: NodePort
spec.backend.consul
To use Consul as backend storage in Vault, we need to specify spec.backend.consul
in VaultServer CRD.
More information about the Consul backend storage can be found in here
spec:
backend:
consul:
address: <address_of_consul_agent>
checkTimeout: <check_interval>
consistencyMode: <consul_consistency_mode>
disableRegistration: <disable_registration>
maxParallel: <max_number_of_concurrent_request>
path: <key-value_store_path>
scheme: <scheme_type>
service: <service_name>
serviceTags: <list_of_tags>
serviceAddress: <service_specific_address>
aclTokenSecretName: <aclToken_secret_name>
sessionTTL: <minimum_allowed_session_TTL>
lockWaitTime: <time_before_lock_acquisition>
tlsSecretName: <secret_name>
tlsMinVersion: <minimum_TLS_version>
tlsSkipVerify: <boolean_value>
Here, we are going to describe the various attributes of the spec.backend.consul
field.
consul.address
Specifies the address of the Consul agent to communicate with. This can be an IP address, DNS record, or Unix socket. It is recommended that you communicate with a local Consul agent; do not communicate directly with a server.
spec:
backend:
consul:
address: "127.0.0.1:8500"
consul.checkTimeout
Specifies the check interval used to send health check information back to Consul. This is specified using a label suffix like “30s” or “1h”
spec:
backend:
consul:
checkTimeout: "5s"
consul.consistencyMode
Specifies the Consul consistency mode. Possible values are “default” or “strong”.
spec:
backend:
consul:
consistencyMode: "default"
consul.disableRegistration
Specifies whether Vault should register itself with Consul.
spec:
backend:
consul:
disableRegistration: "false"
consul.maxParallel
Specifies the maximum number of concurrent requests to Consul.
spec:
backend:
consul:
maxParallel: "128"
consul.path
Specifies the path in Consul’s key-value store where Vault data will be stored.
spec:
backend:
consul:
path: "vault"
consul.scheme
Specifies the scheme to use when communicating with Consul. This can be set to “http” or “https”. It is highly recommended you communicate with Consul over https over non-local connections. When communicating over a Unix socket, this option is ignored.
spec:
backend:
consul:
scheme: "http"
consul.service
Specifies the name of the service to register in Consul.
spec:
backend:
consul:
service: "vault"
consul.serviceTags
Specifies a comma-separated list of tags to attach to the service registration in Consul.
spec:
backend:
consul:
serviceTags: ""
consul.serviceAddress
Specifies a service-specific address to set on the service registration in Consul. If unset, Vault will use what it knows to be the HA redirect address - which is usually desirable. Setting this parameter to ""
will tell Consul to leverage the configuration of the node the service is registered on dynamically.
spec:
backend:
consul:
serviceAddress: ""
consul.aclTokenSecretName
Specifies the secret name that contains ACL token with permission to read and write from the path in Consul’s key-value store. ACL Token should be stored in data["aclToken"]=<value>
spec:
backend:
consul:
aclTokenSecretName: aclcred
apiVersion: v1
kind: Secret
metadata:
name: aclcred
namespace: demo
data:
aclToken: |-
ZGF0YQ==
consul.sessionTTL
Specifies the minimum allowed session TTL. The consul server has a lower limit of 10s on the session TTL by default. The value of session_ttl here cannot be lesser than 10s unless the session_ttl_min on the consul server’s configuration has a lesser value.
spec:
backend:
consul:
sessionTTL: "15s"
consul.lockWaitTime
Specifies the wait time before a lock acquisition is made. This affects the minimum time it takes to cancel a lock acquisition.
spec:
backend:
consul:
lockWaitTime: "15s"
consul.tlsSecretName
Specifies the secret name that contains tls_ca_file, tls_cert_file and tls_key_file for consul communication.
spec:
backend:
consul:
tlsSecretName: tls
apiVersion: v1
kind: Secret
metadata:
name: tls
namespace: demo
data:
ca.crt: eyJtc2ciOiJleGFtcGxlIn0=
client.crt: eyJtc2ciOiJleGFtcGxlIn0=
client.key: eyJtc2ciOiJleGFtcGxlIn0=
consul.tlsMinVersion
Specifies the minimum TLS version to use. Accepted values are “tls10”, “tls11” or “tls12”.
spec:
backend:
consul:
tlsMinVersion: "tls12"
consul.tlsSkipVerify
Disable verification of TLS certificates. Using this option is highly discouraged. It is a boolean
type variable.
spec:
backend:
consul:
tlsSkipVerify: false