I was wondering if a custom CA for Raft storage communication is recommended. I am referring to the options leader-client-key that can be specified when running vault operator raft join or in the retry_join block in Vault's config.
HashiCorp tutorials and docs don’t mention the above options for integrated storage as far as I could see (except that they exist). On this docs page, it says:
Once nodes are joined to one another they begin to communicate using mTLS over Vault's cluster port. The cluster port defaults to 8201. The TLS information is exchanged at join time and is rotated on a cadence.
What’s the benefit of the options above then? Ensuring authenticity at join time? As I understand, the unseal keys are used as authentication when joining a Raft node to the cluster. I suppose an attacker that has the unseal keys could get all secrets by joining the cluster if no custom CA is used. However, if an attacker has the unseal keys, he could mint a new root token and access secrets anyways.
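For reference, this is what the retry_join options in question look like in a follower's raft storage stanza. It is an added example, not part of the original post and not copied from the Vault docs; the node ID, file paths, addresses and hostnames are placeholders I assumed for illustration.

```hcl
# Added example, not from the original post. Every path, address and
# hostname below is an assumption chosen for illustration.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-2"

  retry_join {
    # The join request is sent to the leader's API address (the 8200
    # listener), not to the 8201 cluster port. The CA given here must
    # therefore be the CA that signed the leader's API listener cert.
    leader_api_addr     = "https://vault-1.example.internal:8200"
    leader_ca_cert_file = "/etc/vault.d/tls/leader-ca.pem"

    # Only needed when the leader's listener enforces client certs
    # (tls_require_and_verify_client_cert = true). The follower presents
    # these so the join request itself is mutually authenticated.
    leader_client_cert_file = "/etc/vault.d/tls/vault-2.pem"
    leader_client_key_file  = "/etc/vault.d/tls/vault-2-key.pem"

    # Hostname to verify against the leader's certificate when the
    # address above does not match a SAN (for example when it is an IP).
    leader_tls_servername = "vault-1.example.internal"
  }
}
```

The same three settings exist as the -leader-ca-cert, -leader-client-cert and -leader-client-key flags of vault operator raft join. Note that none of them configure the post-join cluster-port mTLS the quoted docs describe; they only govern the TLS handshake with the leader's API listener during the join itself.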