Hi everyone.
I’m currently struggling with my first consul prod-deployment ever and some unclarities in the consul deployment guide.
My setup is about 6 nodes. Three of them I want to take over some central cluster service roles and be the Consul servers. The other three will be the first three “work-horses” of the platform, host the applications, and be Consul clients.
For the consul servers, the instructions are quite clear.
For the clients … not so much.
My plan is to use “Auto encryption”. In “Create the certificates” section it’s where it begins to be unclear to me:
- It says: “First, for your Consul servers, use the following command to create a certificate for each server.” So: not for the clients, since “servers” is explicitly written.
- Next it says: “The Consul client agents will only need the CA certificate, `consul-agent-ca.pem`, to enable mTLS.” So again: it confirms that the clients only need the CA certificate, not the DC certificates.
- But then, in the very next section “Distribute the certificates to agents”, it says: “You must distribute the CA certificate, `consul-agent-ca.pem`, to each of the Consul agents as well as the agent specific certificate and private key.” So, from here, it says that one must copy all node specific certs in addition to the CA certificate, which is the opposite of what was explained before.
- This is once more confirmed in the TLS configuration section. Even though the “Auto encryption” guide is selected, the `consul.hcl` snippet lists not only `ca_file`, but `cert_file` and `key_file` parameters as well “for Consul clients”. The only difference between “Auto” and “Manual” seems to be the `auto_encrypt` nested section. Which again seems to be the opposite of the “CA cert only” statement and the entire Auto encryption idea.
- Regarding that `auto_encrypt` nested section, the Consul Security guide brings another unclear element onto the table: in the “Configure the clients” section, it says to configure the clients by indeed setting the `ca_file` option only, but instead of `auto_encrypt { allow_tls = true }` to set `auto_encrypt { tls = true }` instead.
This all results in confusing me completely.
What will I have to do now, on server and client side, to embrace TLS auto encryption? The official docs seem to not be too sure themselves …
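For reference, an added example (not from the post or from the Consul documentation) of how the two roles' `consul.hcl` fragments differ under auto encryption: the server holds its own `cert_file`/`key_file` and sets `allow_tls`, while the client ships only the CA file and sets `tls`. The `/etc/consul.d/` paths, the `dc1` names and the certificate file names are constructed placeholders.

```hcl
# ---- /etc/consul.d/consul.hcl on a SERVER (separate file, one per server) ----
# Constructed example; paths and dc1 names are placeholders.
datacenter             = "dc1"
verify_incoming        = true   # require client certs on inbound RPC/HTTPS
verify_outgoing        = true   # only talk TLS to other agents
verify_server_hostname = true   # reject anything not named server.dc1.consul

ca_file   = "/etc/consul.d/consul-agent-ca.pem"          # shared CA (same on all nodes)
cert_file = "/etc/consul.d/dc1-server-consul-0.pem"      # this server's own cert
key_file  = "/etc/consul.d/dc1-server-consul-0-key.pem"  # this server's own key

auto_encrypt {
  allow_tls = true   # let servers issue certificates to clients that ask
}

# ---- /etc/consul.d/consul.hcl on a CLIENT (separate file) ----
# Constructed example. No cert_file / key_file here: the client requests its
# certificate from the servers over RPC, authenticated by the shared CA only.
# verify_incoming is left at its default (false) so the local HTTP API and CLI
# keep working without a client certificate.
datacenter             = "dc1"
verify_outgoing        = true
verify_server_hostname = true

ca_file = "/etc/consul.d/consul-agent-ca.pem"   # the only TLS file copied to a client

auto_encrypt {
  tls = true   # fetch agent cert and key from the servers at startup
}
```

Enabling `auto_encrypt` on the client without `verify_outgoing`/`verify_server_hostname` would still fetch a certificate but would not pin the servers' identity, so both settings belong together with `tls = true`.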