
docs: Notes about WAN Federation when using Vault as Connect CA #11143

Merged: 8 commits from david-yu-patch-5 into main, Nov 29, 2021

Conversation

david-yu (Contributor) commented Sep 24, 2021

Closes #11684

Added details to intermediate_pki_path and root_pki_path options.
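As an added example (not part of this PR or of Consul's own code), a small Python check for the constraint tracked in the linked issue: when every datacenter runs the Vault CA provider against one shared Vault cluster, each datacenter's intermediate_pki_path must be unique. The option names (connect.ca_provider, connect.ca_config.address, root_pki_path, intermediate_pki_path) are Consul's real config keys; the Vault address, mount names and per-datacenter configs are constructed, and the same-Vault-address check reflects the review discussion's statement that all datacenters currently have to point at one Vault cluster.

```python
"""Check a set of Consul datacenter configs for the WAN-federation constraint
this PR documents: with every datacenter using the Vault CA provider against
one shared Vault cluster, each datacenter needs its own intermediate_pki_path.
Added example; the option names are Consul's, the configs are constructed.
"""
from collections import defaultdict

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed shared Vault cluster


def sample_config(dc, intermediate_pki_path, address=VAULT_ADDR):
    """Constructed Consul agent config (parsed JSON form) for one datacenter."""
    return {
        "datacenter": dc,
        "primary_datacenter": "dc1",
        "connect": {
            "enabled": True,
            "ca_provider": "vault",
            "ca_config": {
                "address": address,
                "root_pki_path": "connect_root",
                "intermediate_pki_path": intermediate_pki_path,
            },
        },
    }


def check_federation_vault_ca(configs):
    """configs: mapping datacenter name -> parsed Consul config.

    Returns a list of problems (empty when the federation satisfies the
    constraint).  Datacenters not using the Vault provider are skipped.
    """
    problems = []
    dcs_by_intermediate = defaultdict(list)
    addresses = {}

    for dc, cfg in sorted(configs.items()):
        connect = cfg.get("connect", {})
        if connect.get("ca_provider") != "vault":
            continue
        ca = connect.get("ca_config", {})
        inter = ca.get("intermediate_pki_path")
        if not inter:
            problems.append(f"{dc}: intermediate_pki_path is not set")
            continue
        addresses[dc] = ca.get("address")
        dcs_by_intermediate[inter].append(dc)

    # Two datacenters naming the same intermediate mount is exactly the
    # situation the linked issue title describes as unsupported.
    for inter, dcs in dcs_by_intermediate.items():
        if len(dcs) > 1:
            problems.append(
                f"intermediate_pki_path {inter!r} is shared by " + ", ".join(dcs)
            )

    # Per the review discussion, all datacenters currently have to use the
    # same Vault cluster; differing addresses deserve a look.
    if len(set(addresses.values())) > 1:
        listing = ", ".join(f"{dc}={addr}" for dc, addr in sorted(addresses.items()))
        problems.append(f"datacenters point at different Vault addresses: {listing}")
    return problems


# Constructed federation: dc3 mistakenly reuses dc2's intermediate mount.
BROKEN = {
    "dc1": sample_config("dc1", "connect_dc1_inter"),
    "dc2": sample_config("dc2", "connect_dc2_inter"),
    "dc3": sample_config("dc3", "connect_dc2_inter"),
}
FIXED = {**BROKEN, "dc3": sample_config("dc3", "connect_dc3_inter")}

if __name__ == "__main__":
    for name, cfgs in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_federation_vault_ca(cfgs) or "ok")
```

Feed it the parsed `consul agent` JSON config of each datacenter (for HCL configs, convert first) before rolling out a new secondary; an empty result means no two datacenters claim the same intermediate mount.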

@david-yu david-yu requested a review from blake September 24, 2021 16:57
@david-yu david-yu requested a review from a team as a code owner September 24, 2021 16:57
@github-actions github-actions bot added the type/docs Documentation needs to be created/updated/clarified label Sep 24, 2021
hashicorp-ci (Contributor) commented

🤔 This PR has changes in the website/ directory but does not have a type/docs-cherrypick label. If the changes are for the next version, this can be ignored. If they are updates to current docs, attach the label to auto cherrypick to the stable-website branch after merging.

@david-yu david-yu added pr/no-changelog PR does not need a corresponding .changelog entry type/docs-cherrypick labels Sep 24, 2021
dnephin (Contributor) left a review comment

Thank you for improving these docs!

I believe these constraints exist for both WAN fed "modes" (WAN-fed and WAN-fed over mesh gateway), right? Also I think it might be worth clarifying that currently all DCs must point at the same Vault cluster. That was my assumption, and these docs edits appear to confirm that.

I believe these docs updates are correct for the current implementation, I do wonder if these limitations are actually a bug. I believe I remember @banks saying something a while ago about it should be possible for each DC to use a separate Vault cluster.

I looked at the code, and it does seem like it should be possible for secondary DCs to use separate Vault clusters with a few small code changes, and I believe we've heard reports of users wanting to do that very thing on multiple occasions. I'll bring up that issue with the team to see how we should proceed.

Two inline review threads on website/content/docs/connect/ca/vault.mdx (outdated, resolved)
trujillo-adam (Contributor) left a review comment

Added a few suggestions

Two inline review threads on website/content/docs/connect/ca/vault.mdx (outdated, resolved)
dnephin (Contributor) commented Nov 29, 2021

I believe this PR will address #11684

@david-yu david-yu merged commit 29c791c into main Nov 29, 2021
@david-yu david-yu deleted the david-yu-patch-5 branch November 29, 2021 20:37
hc-github-team-consul-core (Collaborator) commented

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/510852.

hc-github-team-consul-core (Collaborator) commented

🍒❌ Cherry pick of commit 29c791c onto stable-website failed! Build Log

hc-github-team-consul-core (Collaborator) commented

🍒❌ Cherry pick of commit 29c791c onto release/1.10.x failed! Build Log

Labels
pr/no-changelog PR does not need a corresponding .changelog entry type/docs Documentation needs to be created/updated/clarified
Development

Successfully merging this pull request may close these issues.

Vault CA requires a unique IntermediatePKIPath for each Datacenter
5 participants