[Vault Agent] Vault Agent address with auto join method

Does Vault Agent mode support cloud auto-join like the Consul auto-join method?

Basically, because we have a Consul cluster (servers and clients) that depends on Vault to get the gossip, TLS, etc. from Vault, in our case we can't use Consul DNS for service discovery, and we didn't want to add a domain / load balancer in front of Vault, so the option in our mind is to use cloud auto-join. Does Vault Agent support this option?

No, it doesn’t.

“Agent” means different things to Vault vs. Consul. Vault agents do not “join” clusters.

Technically, I suppose the discovery principles used in hashicorp/go-discover (https://github.com/hashicorp/go-discover, "Discover nodes in cloud environments") could be used for service discovery, but it would be slow to respond to node failures, and isn't something that's currently implemented.

So we could create something like a cronjob that uses go-discover and does a live update of the Vault address in the agent config?

I wouldn’t recommend it, as I think it would be too fragile, but it’s technically possible.

I don’t think Vault agent supports live updates to the Vault URL though… In which case you would need to restart it… Which would cause more issues. It doesn’t seem like a promising direction to me.

Any other method you would recommend to us?

Because we are facing this circular dependency issue :sob:

Use either a load balancer or a DNS-based service discovery system (such as Consul, perhaps a second tiny deployment with no runtime dependency on Vault) to provide a URL at which Vault can be reached without hard-coding the address of a specific Vault node into the Vault Agent configuration.
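As an added illustration of that advice (example config written for this page, not code from the thread or from HashiCorp), here is a Vault Agent configuration that points at a single stable name fronting the cluster rather than at any one Vault node. The hostname `vault.example.internal`, the CA bundle path, the AWS IAM auth role `consul-client`, the KV path `secret/data/consul/gossip` and the output paths are all assumptions; substitute your own.

```hcl
# Vault Agent config: the agent only ever knows the load-balancer / DNS name,
# never an individual node, so node churn behind the LB needs no config change.
# All hostnames, paths and role names below are assumed for this example.

pid_file = "/run/vault-agent.pid"

vault {
  # Stable address in front of the cluster (load balancer or DNS record),
  # not a specific Vault node.
  address = "https://vault.example.internal:8200"

  # Pin the CA that issued the LB / Vault listener certificate so a spoofed
  # endpoint cannot hand out secrets. Assumed path.
  ca_cert = "/etc/vault.d/ca.pem"

  # Keep retrying through LB failover rather than exiting on the first error.
  retry {
    num_retries = 5
  }
}

auto_auth {
  # Cloud identity (AWS IAM here) bootstraps the agent's Vault token with no
  # pre-shared secret on the node. The role name is an assumption.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "consul-client"
    }
  }

  # Token sink for other processes on the host; keep it root/consul-readable only.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Render the Consul gossip key from Vault KV v2 so Consul on this node can
# start without Consul DNS being available first (the circular dependency in
# the thread). KV path and destination are assumed for this example.
template {
  contents = <<-EOT
    {{ with secret "secret/data/consul/gossip" -}}
    encrypt = "{{ .Data.data.key }}"
    {{- end }}
  EOT
  destination = "/etc/consul.d/gossip.hcl"
  perms       = 0640
  command     = "systemctl reload consul"
}
```

The point of the `address` line is that it is the only place the agent learns where Vault is: scaling the cluster or replacing a node is handled in the load balancer or DNS record, with no edit or restart of the agent.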

That’s a bad idea, you’re making a single instance the fault point and basically undoing any HA that a simple cluster gives you. Why don’t you want to add a load balancer?

@aram we didn't want to have a footprint of our Vault server address in DNS, especially for a threat actor, as we can't do whitelisting because we want our client nodes (Nomad + Consul + Vault client) to connect to it over the public network.

@petrukngantuk1 I’m not sure who came up with those as remedies but I’m sorry to say they make absolutely no sense whatsoever. I’m lost for words. I would highly suggest you seek a consultant to help you mitigate your decisions as you’re just setting yourself up for a major breach and disaster.

@aram yeah, thanks for the advice.
We will use a load balancer in front of it, as defined in the Vault production readiness documents.

Thank you for your guidance :pray: