Store Key Value consul or Vault?

For both products has the feature KV.
For purpose storage variables, whats the indicate? consul or vault?

I need load the values in my application, I will use consul-template for load variables in my environment with vault?


as far as I understand:

Vault for secrets.
Consul for configuration values.

Vault with Consul backend means something like Nomad can fetch config and/or secrets from the Consul kv store.

Vault with Raft backend would mean something like Nomad will have to talk directly to the Vault servers to fetch the secrets and talk to Consul for config KV.

(how the config params get into Consul in the first place, is orthogonal to this discussion, I think)

*** I will love to see someone from HashiCorp weigh in on this, as I too am curious about the optimum configuration, in case someone is using HashiStack (Vault + Consul + Nomad)

1 Like

Any vault secrets stores in a consul backend will be encrypted so Nomad will need to talk to vault to obtain the secret values.

In terms of general configuration values, yes nomad could talk directly to consul. I would strongly advise that a consul KV store be deployed separately to the vault backend as a different unrelated cluster to shorten the attack surface.

So in terms of using the HashiStack, Nomad has native integration with Consul connect. One just needs to add to the nomad configuration and it will work.

In terms of Vault, again, it has native integration, one just needs to add the vault stanza to the nomad config. This will allow the passing of secrets to workloads. We have some documentation for this.

Vault integration:

Using Vault for jobs:

Consul connect:

Hope this helps :slight_smile:

1 Like

I wish there was a 10,000 foot view of Vault+Consul+Nomad, where it could be clear that the Consul backend for the Vault servers is (OR is not) to be mixed with the Consul cluster which Nomad is hooked into.

something like the following, but with Vault thrown into the mix! :grinning:


1 Like