Enable snapshot agent configuration to be retrieved from vault #1113
Changes from all commits
ee0e9b9
e4e994e
3c756d4
b31597c
838241d
05b14a3
02f0604
2c498dd
066a1ac
7c72a7b
d52f584
a4ece5d
1038278
|
@@ -162,6 +162,16 @@ global: | |
# and check the name of `metadata.name`. | ||
consulClientRole: "" | ||
|
||
# [Enterprise Only] The Vault role for the Consul client snapshot agent. | ||
# The role must be connected to the Consul client snapshot agent's service account and | ||
# have a policy with read capabilities for the snapshot agent config defined by `client.snapshotAgent.configSecret.secretName`. | ||
# To discover the service account name of the Consul client, run | ||
# ```shell-session | ||
# $ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true <release-name> hashicorp/consul | ||
# ``` | ||
# and check the name of `metadata.name`. | ||
consulSnapshotAgentRole: "" | ||
Review comment: The user has to set up a Vault policy and auth role that maps the service account to the policy that has access to the snapshot agent config secret. Configuring it here will assign it in a Vault annotation in the snapshot agent deployment so that the Vault injector for the snapshot agent config will be authorized.
||
|
||
# A Vault role to allow Kubernetes job that manages ACLs for this Helm chart (`server-acl-init`) | ||
# to read and update Vault secrets for the Consul's bootstrap, replication or partition tokens. | ||
# This role must be bound the `server-acl-init`'s service account. | ||
|
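Review bot: the comment block that ends at `consulSnapshotAgentRole: ""` does not say what happens when the snapshot agent is enabled with the Vault backend but this role is left at its default `""`; state whether the chart fails fast or silently falls back to the Kubernetes secret, because an empty or mistyped role otherwise only shows up when the injector is denied at deploy time. The policy sentence ("have a policy with read capabilities for the snapshot agent config defined by `client.snapshotAgent.configSecret.secretName`") should also say that the policy path has to match the Vault secret path given in that value, and that line runs well past the width of the neighbouring comments, so wrap it.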
@@ -1274,9 +1284,9 @@ client: | |
# credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options) | ||
# for details. | ||
configSecret: | ||
# The name of the Kubernetes secret. | ||
# secretName is the name of the Kubernetes secret or Vault secret path that holds the snapshot agentconfig. | ||
secretName: null | ||
# The key of the Kubernetes secret. | ||
# secretKey is the key within the Kubernetes secret or Vault secret key that holds the snapshot agentconfig. | ||
secretKey: null | ||
|
||
serviceAccount: | ||
|
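Review bot: both replaced comment lines carry the typo "agentconfig"; write "snapshot agent config". The wording "Kubernetes secret or Vault secret path" also leaves open which one applies when; add a sentence that the Vault path and key are used when the Vault secrets backend is enabled and the Kubernetes secret otherwise. Given the base64 question raised in the review discussion on this PR, the `secretKey` comment should state the expected form of the Vault value as well: the raw JSON config stored as a string, not base64-encoded.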
Why do we need to base64 decode it? Does vault kv engine not work with not-encoded config? Or does it encode it for you if similar to k8s secrets?
Great question! Let me go back and check that I did not encode as part of the test set up.
I totally was. I used json.Marshall() and then saved that to Vault instead of wrapping the result in string() and then saving it. I have a PR with the acceptance test and made the modification there, since I can test it there. This is the commit: 634164a
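The mix-up in the comments above (storing the `[]byte` from `json.Marshal` versus wrapping it in `string()`) comes from how Go's `encoding/json` serialises a byte slice. The following Go program is an added example written for this page, not code from the PR or from consul-k8s: it builds a constructed snapshot agent config, writes it into a Vault KV v2 request body (assumed shape `{"data": {<key>: <value>}}`) both ways, and checks which variant ends up base64-wrapped. The config keys and values are placeholders, and `StoreAsBytes`, `StoreAsString`, `StoredValue` and `IsBase64JSON` are names chosen for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// snapshotAgentConfig is a constructed sample snapshot agent config (placeholder
// values; only the nesting matters for this demonstration).
var snapshotAgentConfig = map[string]interface{}{
	"snapshot_agent": map[string]interface{}{
		"snapshot": map[string]interface{}{
			"interval": "1h",
			"retain":   30,
		},
	},
}

// kvPayload builds the request body for a Vault KV v2 write, assumed here to be
// {"data": {<key>: <value>}}, and returns the JSON that would go over the wire.
func kvPayload(secretKey string, value interface{}) (string, error) {
	body, err := json.Marshal(map[string]interface{}{
		"data": map[string]interface{}{secretKey: value},
	})
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// StoreAsBytes reproduces the mistake described in the PR discussion: the []byte
// returned by json.Marshal is put straight into the payload. encoding/json
// serialises a []byte as a base64 string, so Vault ends up holding base64 text.
func StoreAsBytes(secretKey string) (string, error) {
	raw, err := json.Marshal(snapshotAgentConfig)
	if err != nil {
		return "", err
	}
	return kvPayload(secretKey, raw)
}

// StoreAsString is the fix: wrap the marshalled bytes in string() so the JSON
// document itself is stored and the injector receives plain JSON.
func StoreAsString(secretKey string) (string, error) {
	raw, err := json.Marshal(snapshotAgentConfig)
	if err != nil {
		return "", err
	}
	return kvPayload(secretKey, string(raw))
}

// StoredValue extracts what Vault would hand back for secretKey from a write
// payload, so the two variants can be compared as the injector would see them.
func StoredValue(payload, secretKey string) (string, error) {
	var parsed struct {
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal([]byte(payload), &parsed); err != nil {
		return "", err
	}
	return parsed.Data[secretKey], nil
}

// IsBase64JSON reports whether v is base64 text that decodes to valid JSON,
// i.e. the symptom behind the "why do we need to base64 decode it?" question.
func IsBase64JSON(v string) bool {
	decoded, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return false
	}
	return json.Valid(decoded)
}

func main() {
	for name, store := range map[string]func(string) (string, error){
		"[]byte (wrong)": StoreAsBytes,
		"string (fixed)": StoreAsString,
	} {
		payload, err := store("config")
		if err != nil {
			panic(err)
		}
		value, _ := StoredValue(payload, "config")
		fmt.Printf("%-15s stored=%q base64-wrapped=%v\n", name, value, IsBase64JSON(value))
	}
}
```

The takeaway for the chart: a consumer that reads the secret out of Vault needs plain JSON under `secretKey`, so whatever writes it (a test fixture or an operator) must store the marshalled document as a string; if a base64 layer is ever required, it has to be a deliberate, documented part of the contract rather than an accident of Go's `[]byte` encoding.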