Feature: Vault integration for consul TLS / gossip key #2209
Labels
theme/consul-vault
Relating to Consul & Vault interactions
theme/operator-usability
Replaces UX. Anything related to making things easier for the practitioner
theme/tls
Using TLS (Transport Layer Security) or mTLS (mutual TLS) to secure communication
type/enhancement
Proposed improvement or new feature
Milestone
Comments
slackpad
added
the
theme/operator-usability
hanshasselberg
added
the
theme/tls
|
Noting that the chicken/egg is less likely now as Vault has its own built-in consul leader and storage mechanism. |
|
Our recommendation for users on K8s is to use the Vault Secrets Backend: https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault. For VMs, you could also utilize the KV store and PKI to help with TLS (example) and storage of Consul specific credentials. Will go ahead and close, but please file additional feature requests with more details to help us better understand which use cases to consider. |
Dmitry-Eremeev
pushed a commit
to Dmitry-Eremeev/consul
that referenced
this issue
Oct 16, 2024
To use the feature we need to set the following options in config file: use_vault = true vault_address = http://<IP_ADDRESS:<IP_PORT> vault_role_id = <ROLE_ID> vault_secret_id = <SECRET_ID> vault_secret_path = <deployments/unit/dev/user/passwords_yml> vault_secret_mount_path = <secret_v2> credential_name_in_vault_secret = <consul_encrypt> hashicorp#2209 hashicorp#4685 hashicorp#5043
Dmitry-Eremeev
added a commit
to Dmitry-Eremeev/consul
that referenced
this issue
Nov 13, 2024
To use the feature we need to set the following options in config file: use_vault = true vault_address = http://<IP_ADDRESS:<IP_PORT> vault_role_id = <ROLE_ID> vault_secret_id = <SECRET_ID> vault_secret_path = <deployments/unit/dev/user/passwords_yml> vault_secret_mount_path = <secret_v2> credential_name_in_vault_secret = <consul_encrypt> hashicorp#2209 hashicorp#4685 hashicorp#5043
Dmitry-Eremeev
added a commit
to Dmitry-Eremeev/consul
that referenced
this issue
Nov 13, 2024
To use the feature we need to set the following options in config file: use_vault = true vault_address = http://<IP_ADDRESS:<IP_PORT> vault_role_id = <ROLE_ID> vault_secret_id = <SECRET_ID> vault_secret_path = <deployments/unit/dev/user/passwords_yml> vault_secret_mount_path = <secret_v2> credential_name_in_vault_secret = <consul_encrypt> hashicorp#2209 hashicorp#4685 hashicorp#5043
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Consul requires certain encryption keys and CA infrastructure. This would be conveniently stored in a Vault instance, this this feature request is to allow Consul to fetch its gossip key and TLS keys out of Vault.
This does create a chicken/egg when using Consul as a back-end to Vault, so the consul 'servers' would generally need to rely on a different 'non-consul' version of Vault, while the rest of the environment uses a consul-ized vault.
The text was updated successfully, but these errors were encountered: