Questions on Consul Template and Vault PKI certificate rotations

In my organization, our K8s cluster currently uses the Vault PKI engine.

  1. The current setup uses the Vault Agent Sidecar (init container) for the K8s method of authentication and gets the initial token.

  2. This token is then used by the consul template (another init container) to get the certificates from Vault PKI and save them as a file in a shared volume (of type: memory), which is then mounted to the app container.

  3. The consul template also sets the necessary environment variables for the app through a bash script which is created within the same consul template.

My questions are,
Once the TTL specified in the consul template elapses, do refreshed certificates automatically get pulled from Vault and saved as a new file, and if so, how? Because once the app container starts, the init containers end. How can I handle certificate rotations in this case?

How can I refresh the saved file with new certificates and make the app use the refreshed certificates?

Could you please point me to resources that will help us in identifying best practices to handle secret rotations via consul template?

My questions are,
Once the TTL specified in the consul template elapses, do refreshed certificates automatically get pulled from Vault and saved as a new file, and if so, how? Because once the app container starts, the init containers end. How can I handle certificate rotations in this case?

Consul-template is designed for use cases where it would wrap the running application in the main container. Then it could monitor the PKI certificate and pull down a new one, update the cert file and send a signal to (or restart) the application to reload it.
There might be other ways to do it depending on your setup, but that is the primary design mode for consul-template to run.

How can I refresh the saved file with new certificates and make the app use the refreshed certificates?

Consul-template can be used for this with Exec mode as I mentioned above. This is my best recommendation at this point, but there are others around that might have better options.

Could you please point me to resources that will help us in identifying best practices to handle secret rotations via consul template?

We don’t have any specific documentation on this use case, but most of our docs right now are reference materials. A quick Google search came up with some possibilities, which I’ll list below, and I’m sure there’s more out there.

https://tekanaid.com/posts/consul-template-to-automate-certificate-management-for-hashicorp-vault-pki/
https://medium.com/hashicorp-engineering/certificates-issuing-and-renewal-with-vault-and-consul-template-18e766228dac

Sorry I couldn’t be of more help, but please feel free to ask any other/followup questions.

Thanks.
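The exec-mode layout described in this answer, as an added example that is not part of the thread and not taken from the consul-template or Vault documentation. It assumes a Vault address, a token file path written by the Vault Agent sidecar, a PKI role at `pki/issue/app`, a common name and an application command line; all of those are placeholders. It uses consul-template's `pkiCert` template function (present in recent releases; older releases would use `secret` against the same path) and its `exec` block, so that consul-template runs as the main container's entrypoint instead of as an init container:

```hcl
# Added example: consul-template config for Vault PKI rotation in exec mode.
# Placeholders (assumed, not from the thread): Vault address, token file path,
# PKI role "pki/issue/app", common name, and the application command line.

vault {
  address = "https://vault.example.internal:8200"

  # Read the token that the Vault Agent sidecar writes after Kubernetes auth.
  # The agent keeps that token renewed, so consul-template must not renew it.
  vault_agent_token_file = "/vault/token"
  renew_token            = false
}

# One template renders leaf certificate, private key and CA chain into a single
# PEM bundle. pkiCert inspects the destination file on startup and asks Vault
# for a new certificate only when the existing one is missing or close to its
# expiry, so a container restart does not mint a fresh certificate each time.
template {
  contents = <<EOT
{{ with pkiCert "pki/issue/app" "common_name=app.example.internal" "ttl=24h" }}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end }}
EOT
  destination = "/vault/secrets/app.pem"
  # The file holds a private key: owner-only permissions, rendered into the
  # memory-backed volume the original post already uses.
  perms = 0600
}

# Exec mode: consul-template starts the application as its child process and
# stays running for the life of the container. Each time the template above
# re-renders (i.e. the certificate was rotated), it sends reload_signal to the
# child so the application re-reads the PEM bundle. If consul-template is
# stopped, it forwards kill_signal and waits kill_timeout before giving up.
exec {
  command       = "/usr/local/bin/app --tls-bundle /vault/secrets/app.pem"
  reload_signal = "SIGHUP"
  kill_signal   = "SIGTERM"
  kill_timeout  = "30s"
}
```

The Kubernetes-side change this implies is that consul-template moves out of the init container and becomes the main container's command (for example `consul-template -config /etc/consul-template/app.hcl`), with the Vault Agent sidecar still supplying the token file. The application must actually reload its TLS material on `SIGHUP`; an application that only reads certificates at startup would need a restart-based scheme instead, and the certificate `ttl` should be short enough that a missed reload is noticed before expiry.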


Thanks for the detailed answers and suggestions. @eikenb

I do have one more question. When I was looking into the docs, I found that secret injections can also be done via annotations.

Are there any advantages of using annotations over consul template?

Also, are there any other modes of secret injection methods other than consul-templates?

I’m sorry but I’m not really sure of how annotations work, so can’t say for sure what their advantages might be.

I work on consul-template and was helping as I could with that knowledge, but I’m not super familiar with Vault in general and am not sure what the best. I do know there are several K8s specific workflows for doing things with Vault. Here’s the link to the couple I was thinking of, but there might be more in that section that could help.

https://learn.hashicorp.com/tutorials/vault/kubernetes-secret-store-driver
https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar

I think this is what you’re looking for.