For a full hashicorp stack, the guides and docs recommend that for production consul and vault deployments, they should talk to each other encrypted, and to benefit from the security of automatic key rotations, vault should be used as the certificate authority.
What is the recommended way to get consul, vault, and nomad securely communicating with each other, with the benefit of automatic key rotation, from initiation?
So far this question doesn’t have a simple answer, as the documentation avoids answering it for the sake of simplicity.
So far the options seem to be:
Without Automatic Key Rotation
Manually generating certs with terraform tls provider
- use terraform tls provider to generate the tls certs
- configure and boot consul, vault, nomad with the certs
Seems until v0.14 is out, which supports a sensitive flag, this is insecure.
Manually generating certs from Vault
- boot vault
- generate certs from vault
- reconfigure vault, and configure consul and nomad to use these certs
- reboot vault, and boot consul and nomad
Manually generating certs from Consul
- boot consul
- generate certs from consul
- reconfigure consul, and configure vault and nomad to use these certs
- reboot consul, and boot vault and nomad
With Automatic Key Rotation
I just can’t seem to find instructions for this. All the instructions seem to be related to the Consul Certificate Authority, which is only used automatically (with automatic key rotation) for Consul Connect, and Consul Connect is just used to secure the communication between apps, not the actual consul/vault/nomad services.
I really hope that there becomes a way to boot consul, nomad, and vault, with all of them just using either Consul or Vault as the certificate authority, and able to secure themselves automatically with TLS cert rotation.
What is essentially needed is for the auto_encrypt flag to be extended to auto_encrypt not just the consul clients, but also the consul servers, as well as vault and nomad agents (clients+servers).
All the hashicorp products tout features that should make things extremely secure, yet the actual software doesn’t know how to use them.
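As an added example (not from the original post, and not HashiCorp's own tooling), the "manually generating certs from Vault" steps above written out as a script: it assumes VAULT_ADDR and VAULT_TOKEN are exported, the vault and jq binaries are on PATH, a datacenter named dc1, and a hypothetical output directory; the Vault calls only run when RUN_VAULT_STEPS=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post. Bootstraps a Vault PKI root,
# issues a Consul server certificate from it, and renders the Consul TLS stanza.
# Assumptions: VAULT_ADDR/VAULT_TOKEN exported, `vault` and `jq` installed, dc1.
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"          # Vault mount path for the CA (assumed)
DC="${DC:-dc1}"                        # Consul datacenter name (assumed)
OUT_DIR="${OUT_DIR:-/etc/consul.d/tls}" # hypothetical output directory

# Step "generate certs from vault": create the root CA and a role that may only
# issue names under the Consul convention <name>.<dc>.consul.
vault_pki_bootstrap() {
  vault secrets enable -path="$PKI_MOUNT" pki
  vault secrets tune -max-lease-ttl=87600h "$PKI_MOUNT"
  vault write "$PKI_MOUNT/root/generate/internal" \
    common_name="consul-ca" ttl=87600h >/dev/null
  vault write "$PKI_MOUNT/roles/consul" \
    allowed_domains="$DC.consul" allow_subdomains=true \
    allow_bare_domains=true max_ttl=720h >/dev/null
}

# Issue a short-lived server cert (24h) so re-running this is the rotation step.
issue_consul_server_cert() {
  mkdir -p "$OUT_DIR"
  json=$(vault write -format=json "$PKI_MOUNT/issue/consul" \
    common_name="server.$DC.consul" alt_names="localhost" ip_sans="127.0.0.1" ttl=24h)
  printf '%s' "$json" | jq -r .data.issuing_ca  > "$OUT_DIR/ca.pem"
  printf '%s' "$json" | jq -r .data.certificate > "$OUT_DIR/server.pem"
  printf '%s' "$json" | jq -r .data.private_key > "$OUT_DIR/server-key.pem"
  chmod 0600 "$OUT_DIR/server-key.pem"
}

# Step "configure consul to use these certs": the server-side TLS stanza.
# Pure function (no Vault needed); auto_encrypt lets clients fetch their certs.
render_consul_tls_config() {
  cat <<EOF
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file   = "$OUT_DIR/ca.pem"
cert_file = "$OUT_DIR/server.pem"
key_file  = "$OUT_DIR/server-key.pem"
auto_encrypt { allow_tls = true }
EOF
}

if [ "${RUN_VAULT_STEPS:-0}" = "1" ]; then
  vault_pki_bootstrap
  issue_consul_server_cert
  render_consul_tls_config > "$OUT_DIR/tls.hcl"
fi
```

After writing tls.hcl, reboot vault and boot consul as in the steps above; the nomad agents point their ca_file/cert_file/key_file at certificates issued from the same role.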