Vault PKI and Consul TLS #813
Comments
Hi Eric, It's the same chicken-and-egg problem for people who want to use Vault-issued server certificates to protect Vault :-D If you're initially using the certs for just encryption, not authentication, one method would be to simply make a separate temporary CA (using Unfortunately there's no really good answer. However, I do recommend posting this type of question to the
Hey Jeff, as always, thank you for your help. We kind of landed on, for now, that we will just use the same intermediate to manually sign the certificates, load them on the servers, and then later look into making them roll just like the clients. But that was the goal: to make everyone require the lease renewal on the entire system. I think for now we are OK with the server side being longer lasting ones and a somewhat manual process. Thanks for giving me the Google group. I intended to post this elsewhere (GitHub isn't necessarily the right place) but wasn't sure where your group was. I will post there from now on.
No problem -- glad to help!
I've been surprised at how difficult it has been to try and set up a production-ready combination of Vault, Consul, and Nomad using Terraform. The documentation has been very sparse for production configurations, especially for securing each with TLS. It seems natural to assume that, considering all these are HashiCorp products, it would be as easy as turning on a configuration option or using a pre-given template. It's great these tools exist, but right now, figuring out how to implement these tools seems to be nearly all on the user. It would be great if there was a Terraform ability for Vault, or a pure Vault option, for the Vault initialisation process to initialise itself, generate a TLS cert for itself, then use that cert - either all done within the Vault instance, or have the cert written to disk and the config updated and instance rebooted. The same should apply for Consul and Nomad; there should be flags for them to use Vault for their TLS.
I know this is an old post, but I have come across the same issue. My solution was to have a "genesis" server. This genesis server has a Vault instance installed and PKI configured with certs that were generated outside of Vault. The genesis server is used to bootstrap the main Vault cluster that will supply certs to the Consul cluster and Nomad cluster, along with whatever else needs certs. I'm working my way through all the pieces but, as @balupton said, the docs are a bit sparse on orchestrating all the pieces together.
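The bootstrap order that the temporary-CA suggestion and the "genesis server" comment above describe, written out as an added example (not code from this thread or from HashiCorp). It assumes, for illustration only, Consul's HTTPS listener on 127.0.0.1:8501, a Vault PKI role named consul-server, and a Vault that is already initialised and unsealed; the key point is step 4, where the Vault CA joins Consul's trust bundle before any Vault-issued cert is presented.

```shell
#!/bin/sh
# Chicken-and-egg bootstrap: a throwaway offline CA protects Consul first,
# Vault (stored in that Consul) then becomes the long-term issuer and
# re-issues Consul's certificates. Hostnames, ports and the role name
# "consul-server" are assumptions made for this example.
set -eu

# Step 1: temporary CA outside Vault (the "separate temporary CA" idea).
bootstrap_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=bootstrap-ca" -keyout boot-ca.key -out boot-ca.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.dc1.consul" \
    -addext "subjectAltName=DNS:server.dc1.consul" \
    -keyout consul.key -out consul.csr
  openssl x509 -req -in consul.csr -CA boot-ca.pem -CAkey boot-ca.key \
    -CAcreateserial -copy_extensions copy -days 30 -out consul.pem
}

# Step 2: Consul agent TLS settings; $1 = CA bundle, $2 = cert, $3 = key.
# Both verify_* flags on: once Vault data flows through Consul, encryption
# without peer authentication is not enough.
consul_tls_json() {
  printf '{"verify_incoming": true, "verify_outgoing": true, "verify_server_hostname": true, "ca_file": "%s", "cert_file": "%s", "key_file": "%s"}\n' "$1" "$2" "$3"
}

# Step 3: Vault storage stanza that talks to the TLS-protected Consul.
vault_storage_hcl() {
  cat <<EOF
storage "consul" {
  address     = "127.0.0.1:8501"
  scheme      = "https"
  tls_ca_file = "$1"
}
EOF
}

# Step 4: Vault takes over as issuer. Keep BOTH CAs in Consul's ca_file
# until every agent has rolled to a Vault-issued cert; $1 = bootstrap CA,
# $2 = Vault CA exported below.
ca_bundle() { cat "$1" "$2"; }
vault_issue_consul_cert() {
  vault secrets enable pki
  vault write pki/root/generate/internal common_name="Vault Root CA" ttl=87600h
  vault read -field=certificate pki/cert/ca > vault-ca.pem
  vault write pki/roles/consul-server allowed_domains="dc1.consul" \
    allow_subdomains=true max_ttl=720h
  vault write -format=json pki/issue/consul-server \
    common_name="server.dc1.consul" ttl=720h
}

# Run the live steps only when explicitly asked: ./bootstrap.sh run
if [ "${1:-}" = "run" ]; then bootstrap_ca; vault_issue_consul_cert; fi
```

The Vault-issued cert is short-lived, so after the cutover the agents need a renewal loop against pki/issue/consul-server, which is the "make them roll just like the clients" goal discussed above.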
@juankakode for what it's worth, https://github.com/bevry/terraform-scaleway-hashistack has all my progress in there. From what I can tell, I made it further than anybody else did in the open-source world. However, even still, I ended up giving up. More details at bevry-labs/terraform-scaleway-hashistack#12. I would love for this to be resolved, but until HashiCorp does something, it requires a few more weeks (or more!) of effort that I cannot afford to work on at this point in time (as my efforts on this are from my own pocket).
Hi, just wondering, has someone tried to set up a PKI with Vault as Intermediate CA and with Windows Certificate Services acting as the Root CA?
@balupton thanks, I'll take a look.
My team is trying to design a system where we primarily use TLS throughout and wanted to leverage Vault's PKI. The conundrum we hit is: how can you use a Consul-backed Vault to provide the TLS certs for Consul (chicken-and-egg problem)? We want Consul to follow the same guidelines as everything else on the system but weren't sure what that would take to get it going. Do we just need to manually generate the certs for Consul and have them never expire, and use the same CA to initialize the PKI for other certs, or is there some other way?