Hello there,
we published a new tutorial collection for Consul that will help you introduce Vault in your datacenter deployment and help with secret management.
In the tutorials you will find detailed steps for:
and the opportunity to improve your knowledge on Vault Secret Engines and how to Build Your Own Certificate Authority (CA) using Vault.
They all have an interactive lab attached so you do not need to install anything on your machine to test them out.
Spoiler alert!!! You are going to use consul-template to automate the process.
2 Likes
One question: what about the initial encrypt parameter in the configuration file?
To enable gossip on a new datacenter, you will add the encryption key parameter to the agent configuration file and then pass the file at startup with the -config-dir flag.
Is this obsolete, and if not, if the primary key is rotated, and the old ones are deleted, and Consul is restarting, how is the configuration entry handled?
You can either configure the initial encryption key in the configuration file under the encrypt parameter in configuration or using the -encrypt CLI flag.
That is used to join the gossip pool at first startup and in a default configuration setting will be ignored once the key gets rotated, meaning that the node will use the new key that gets automatically distributed to all live agents during the rotation.
The key will be stored on each agent local keyring file at <data_dir>/serf/local.keyring and that file will have priority over the config or CLI parameter.
If you set disable_keyring_file to true in configuration then the agent will not store the keys in a keyring file and you will need to pass a valid gossip key on agent restarts.
The same will happen in case you remove the client data directory before restart.
The tutorial wanted to demonstrate all the steps needed “from 0 to key rotation”, another option if you do not want to generate the initial key and pass it to the clients is to use auto_config. This will take care of the key creation and distribution for you but will not yet rotate it and you will have to use the consul keyring command to do it.
Hope this helps.
3 Likes
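The precedence described in the reply above (keyring file first, then the encrypt parameter or -encrypt flag, nothing if the data directory was wiped or disable_keyring_file is set) is easy to get wrong during an incident, so here is a small added example that models it. This is illustrative code written for this thread, not Consul's own agent logic: it assumes local.keyring is a JSON array of base64 keys with the primary key first, and it treats the -encrypt flag as overriding the config file's encrypt value. The rotate_keyring function only simulates on one file what consul keyring -install/-use/-remove does across a live cluster.

```python
"""Model which gossip key a Consul agent will start with (added example, not Consul code)."""
import base64
import json
import os
import tempfile
from typing import Optional, Tuple

VALID_KEY_LENGTHS = (16, 24, 32)  # AES key sizes accepted for gossip encryption


def generate_key(nbytes: int = 32) -> str:
    """Random key in the same base64 shape that `consul keygen` prints."""
    if nbytes not in VALID_KEY_LENGTHS:
        raise ValueError("gossip key must be 16, 24 or 32 bytes")
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def is_valid_key(key: str) -> bool:
    """A usable key is strict base64 that decodes to 16, 24 or 32 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) in VALID_KEY_LENGTHS


def resolve_gossip_key(config: dict, data_dir: str,
                       cli_encrypt: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (key, source) for an agent start.

    Order follows the thread: <data_dir>/serf/local.keyring wins unless
    disable_keyring_file is true or the file is missing (wiped data dir);
    otherwise -encrypt (assumed to override the file), then `encrypt`.
    Assumption: the keyring file is a JSON list with the primary key first.
    """
    keyring_path = os.path.join(data_dir, "serf", "local.keyring")
    if not config.get("disable_keyring_file", False) and os.path.isfile(keyring_path):
        with open(keyring_path, encoding="utf-8") as fh:
            keys = json.load(fh)
        if keys and is_valid_key(keys[0]):
            return keys[0], "keyring"
    for source, key in (("cli", cli_encrypt), ("config", config.get("encrypt"))):
        if key and is_valid_key(key):
            return key, source
    return None, "none"  # no key at all: the agent cannot join an encrypted pool


def rotate_keyring(keyring_path: str, new_key: str) -> list:
    """Simulate `consul keyring -install`, `-use`, then `-remove` on one local file."""
    with open(keyring_path, encoding="utf-8") as fh:
        keys = json.load(fh)
    keys = [new_key] + [k for k in keys if k != new_key]  # install + make primary
    keys = keys[:1]                                       # remove the old keys
    with open(keyring_path, "w", encoding="utf-8") as fh:
        json.dump(keys, fh)
    return keys


def demo() -> dict:
    """Walk the restart scenarios from the thread in a throwaway data_dir."""
    initial, rotated = generate_key(), generate_key()
    results = {"keys": (initial, rotated)}
    with tempfile.TemporaryDirectory() as data_dir:
        config = {"encrypt": initial, "data_dir": data_dir}
        # First start: no keyring file exists yet, so `encrypt` is what joins the pool.
        results["first_start"] = resolve_gossip_key(config, data_dir)[1]
        # The agent persists the key it joined with (constructed file, assumed layout).
        keyring_path = os.path.join(data_dir, "serf", "local.keyring")
        os.makedirs(os.path.dirname(keyring_path))
        with open(keyring_path, "w", encoding="utf-8") as fh:
            json.dump([initial], fh)
        rotate_keyring(keyring_path, rotated)
        # Restart with the stale config: the keyring file wins, so the rotated key is used.
        results["after_rotation"] = resolve_gossip_key(config, data_dir)
        # disable_keyring_file: the stale key from config is used and the join would fail.
        results["keyring_disabled"] = resolve_gossip_key(
            {**config, "disable_keyring_file": True}, data_dir)
        # Wiped data dir and no key supplied at all.
        results["wiped_no_key"] = resolve_gossip_key({}, os.path.join(data_dir, "gone"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it prints one line per scenario; the keyring_disabled case is the one the question was about, since an unchanged encrypt value in the config file is exactly what a restarted agent would present to peers that have already moved to the rotated key.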
Thanks for your detailed explanation!
1 Like