Consul + Patroni + Vault

We are looking at using Patroni, which offers great cross-DC availability and failover.
One of the options is to store config data in Consul.

The issue is of course PASSWORDS.

We also have Vault, but in this case, things “seem backwards”.

We could use Consul Template to post render changes including the password, but we’d rather have Consul directly pull via some embed tag the password from vault. Does such a plugin exist? Suggestions?

Which passwords? If for the users postgres, replication and maybe pg_rewind, it won’t be possible except by using consul-template. I know that for passwords in the patroni.yaml it’s only possible to use plain text or environment variables (e.g. in the systemd unit file).

If you want to use Vault for the application accounts, you should use the dynamic secrets:

EDIT: Now I see what you want to achieve.
Not the whole configuration of Patroni is stored in the DCS. I have spent lots of hours getting familiar with Patroni and the dynamic configuration in the DCS, file or environment variables, and trust me, only cluster-related things are stored in Consul. If you keep the whole configuration in the DCS, the configuration is the same on every node and you’ll have to restart Patroni on every node instead of having a kind of freedom to configure and reload them one by one.
The documentation is not that clear for this use case:
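As an added example (not code from the thread or from either poster), this is a consul-template configuration that renders the local patroni.yml from a Vault KV v2 secret, the consul-template route the reply points at. The Vault address, the secret path `secret/patroni/pg1` and its keys, the file paths, the role names and the `patroni` systemd unit having an `ExecReload` that sends SIGHUP are all assumptions.

```hcl
# Added example, not from the thread. Assumed: Vault address, secret path,
# secret keys, file paths and role names. consul-template re-renders the file
# whenever the secret changes and then signals Patroni.
vault {
  address     = "https://vault.example.internal:8200"
  renew_token = true   # token comes from VAULT_TOKEN or Vault Agent, never from this file
}

template {
  destination = "/etc/patroni/patroni.yml"
  perms       = 0600                          # rendered file holds plaintext passwords
  command     = "systemctl reload patroni"    # assumed: unit's ExecReload sends SIGHUP
  contents    = <<EOT
scope: pg1
name: {{ env "HOSTNAME" }}
restapi:
  listen: 0.0.0.0:8008
  connect_address: {{ env "HOSTNAME" }}:8008
consul:
  host: 127.0.0.1:8500
postgresql:
  listen: 0.0.0.0:5432
  connect_address: {{ env "HOSTNAME" }}:5432
  data_dir: /var/lib/postgresql/data
{{ with secret "secret/data/patroni/pg1" }}
  authentication:
    superuser:
      username: postgres
      password: "{{ .Data.data.superuser_password }}"
    replication:
      username: replicator
      password: "{{ .Data.data.replication_password }}"
    rewind:
      username: rewind_user
      password: "{{ .Data.data.rewind_password }}"
{{ end }}
EOT
}
```

Only the local file carries the credentials, which matches the reply's point that the DCS holds cluster-wide settings rather than per-node secrets; the Vault policy behind the token should grant read on that one secret path and nothing else.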

I’m Mike’s co-worker. My goal was to build an adjunct user management tool alongside Patroni using the existing Consul cluster. Sadly, the dynamic secrets engine doesn’t meet our needs, and I want to keep this as much within the existing environment as possible. It seemed like a great marriage to have the Consul KV store point to Vault secrets, but I’ll work around it.