Vault and Consul Certificate Chicken and Egg

Question 1. In reading the Vault deployment guide, Vault with Consul Storage Deployment Guide | Vault - HashiCorp Learn, it recommends a Consul Storage Reference Architecture. I took this to mean it is best practice to use Consul as the storage backend; however, reading the Vault docs it looks like that has perhaps changed to Integrated Storage. If I am not yet using Vault or Consul, and Vault is my primary use case at this time, should I just run Vault with Integrated Storage and enable Consul at a later date?

Question 2. If it is still good practice to use Consul, I'm having a hard time determining the best approach regarding TLS. We have an internal PKI, and I thought having internal CA-signed certs would work, but they are failing Consul cert verification on the server, as our cert is signed based on the hostname. I attempted to override that with 'server_name'; however, that appears to be ignored and is not working.

So I thought I would try to use the Consul CA, but those docs seem to suggest using Vault for cert management, and without Consul I currently have no Vault.

Feeling a little bit like a dog chasing its tail in the docs and could use a little direction/best practice.

I think for now I will go the Vault Integrated Storage route and add Consul at a later date. As I said previously, Vault is my primary use case and Consul seems like a 'nice to have' at this time, but it would still be helpful to understand the order.

Consul, used as a storage backend for Vault, is a very specific and niche use case for Consul.

In such an environment, I’d just put the Vault and Consul backend servers in a private network just for that, and not bother with TLS at all for the Consul cluster.

  1. It used to be that you didn't have a choice in the matter. Consul was the best option and the only supported (enterprise support) option for organizations. Now you have a choice, but they have many differences as well as many caveats to each decision. Your decision relies on several factors. Here is the basic table:
    Preflight Checklist - Migrating to Integrated Storage | Vault - HashiCorp Learn
    The other consideration is: are you using Consul for anything else in your organization (service discovery, Kubernetes, etc.)? If you already have a Consul cluster, then why not use it for storage as well?

  2. You can use the Vault PKI to sign your own cluster's certs, but it's probably not the best practice to do so; if you need to invalidate your certs it'll cause chicken-and-egg issues. But it is doable.

I was able to get Vault 'working' with integrated storage, though our internally signed certs are still not quite right. I'm not sure if it's the order of the intermediate, etc.; still working on it. It was a bit of a chore as I'm attempting to deploy via Ansible. Yes, some of it will be learning curve. Just wanted to acknowledge the response and say thank you for the comments and feedback.
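Two of the problems raised in this thread (the Consul verification failure with internal-PKI certs in the original question, and the "order of the intermediate" in the follow-up) can both be checked with nothing but openssl. Per the Consul docs, with verify_server_hostname enabled Consul checks that a server's certificate matches server.<datacenter>.<domain> (for example server.dc1.consul), so a certificate issued for the machine hostname alone will not pass; the internal CA has to include that name as a SAN. Per the Vault docs, the combined file given to a listener's tls_cert_file must have the server certificate first, followed by the issuing CA certificate. The script below is an added example, not code from the thread or from HashiCorp: it builds a throwaway root and issuing CA, issues one certificate with only the hostname and one that also carries the Consul name, and then runs a chain-order check and a hostname check against them. It assumes an openssl CLI of 1.1.1 or newer on PATH; dc1, vault-1.example.internal and the CA names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway two-tier internal PKI with
# openssl, issues a server certificate that carries the name Consul checks when
# verify_server_hostname is enabled (server.<datacenter>.<domain>, here
# server.dc1.consul), and then checks two things that commonly go wrong:
#   1. the order of the certificates in a chain file handed to a TLS listener
#      (leaf first, then the intermediate)
#   2. hostname verification of the leaf against a given name
# dc1, vault-1.example.internal and the CA names are made-up values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=vault-1.example.internal
CONSUL_NAME=server.dc1.consul

# Root CA and issuing (intermediate) CA. Extensions come from files so the result
# does not depend on whatever openssl.cnf is installed.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
}

# Issue a server cert signed by the intermediate. $1 = basename, $2 = subjectAltName value.
issue_server_cert() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Return 0 when every certificate in the PEM bundle $1 is issued by the one that
# follows it, i.e. the file is ordered leaf, intermediate(s), (optionally) root.
chain_ordered() {
  dir=$(mktemp -d "$WORK/chain.XXXXXX")
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) } f { print > f }' "$1"
  prev='' rc=0
  for c in "$dir"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then rc=1; fi
    prev=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  done
  return $rc
}

# Build the chain to the root through the intermediate and check name $2 against the
# SANs of leaf $1, which is what a TLS client does. Returns openssl verify's status.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

make_pki
# What an internal PKI usually hands out: only the hostname in the SAN.
issue_server_cert hostonly "DNS:$HOST"
# What Consul wants in addition when verify_server_hostname is true.
issue_server_cert consul "DNS:$HOST,DNS:$CONSUL_NAME"

cat "$WORK/consul.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"       # correct order
cat "$WORK/int.pem" "$WORK/consul.pem" > "$WORK/fullchain-wrong.pem" # intermediate first

for f in fullchain fullchain-wrong; do
  if chain_ordered "$WORK/$f.pem"; then echo "$f.pem: chain order ok"; else echo "$f.pem: chain out of order"; fi
done
for pair in "hostonly $HOST" "hostonly $CONSUL_NAME" "consul $CONSUL_NAME"; do
  set -- $pair
  if verify_hostname "$1" "$2"; then echo "$1.pem verifies as $2"; else echo "$1.pem does NOT verify as $2"; fi
done
```

The hostonly certificate verifies for the machine hostname but not for server.dc1.consul, which is the failure mode in the original question; the consul certificate passes both. Run chain_ordered against the real bundle you point tls_cert_file (Vault) or cert_file (Consul) at before reloading the service, since a leaf placed after its intermediate is accepted by the file loader and only shows up as a verification error on the client side.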
