Store Key Value consul or Vault?

afonsoaugusto · August 29, 2020, 8:35pm

For both products has the feature KV.
For purpose storage variables, whats the indicate? consul or vault?

I need load the values in my application, I will use consul-template for load variables in my environment with vault?

Thank’s

shantanugadgil · August 31, 2020, 4:57pm

as far as I understand:

Firstly:
Vault for secrets.
Consul for configuration values.

Secondly:
Vault with Consul backend means something like Nomad can fetch config and/or secrets from the Consul kv store.

Vault with Raft backend would mean something like Nomad will have to talk directly to the Vault servers to fetch the secrets and talk to Consul for config KV.

(how the config params get into Consul in the first place, is orthogonal to this discussion, I think)

*** I will love to see someone from HashiCorp weigh in on this, as I too am curious about the optimum configuration, in case someone is using HashiStack (Vault + Consul + Nomad)

DevOpsRob · September 10, 2020, 7:31am

Any vault secrets stores in a consul backend will be encrypted so Nomad will need to talk to vault to obtain the secret values.

In terms of general configuration values, yes nomad could talk directly to consul. I would strongly advise that a consul KV store be deployed separately to the vault backend as a different unrelated cluster to shorten the attack surface.

DevOpsRob · September 10, 2020, 8:16am

So in terms of using the HashiStack, Nomad has native integration with Consul connect. One just needs to add to the nomad configuration and it will work.

In terms of Vault, again, it has native integration, one just needs to add the vault stanza to the nomad config. This will allow the passing of secrets to workloads. We have some documentation for this.

Vault integration: Vault Integration | Nomad | HashiCorp Developer

Using Vault for jobs: vault Block - Job Specification | Nomad | HashiCorp Developer

Consul connect: Consul Service Mesh | Nomad | HashiCorp Developer

Hope this helps

shantanugadgil · September 10, 2020, 9:38am

I wish there was a 10,000 foot view of Vault+Consul+Nomad, where it could be clear that the Consul backend for the Vault servers is (OR is not) to be mixed with the Consul cluster which Nomad is hooked into.

something like the following, but with Vault thrown into the mix!

OR