Here is what I’m trying to achieve using the
- A single source of truth in Europe. A vault instance on which we can write data
- streaming the data to remote Datacenters
- Use of Kubernetes sidecar agent to inject secrets into pods
Well this is not obvious to setup the consul backend with a cross datacenter configuration.
Finally, I managed to do that using the federation beta feature:
kubectl exec statefulset/consul-server -- consul members -wan
Node                 Address            Status  Type    Build       Protocol  DC   Segment
consul-server-0.dc1  10.4.2.91:8302     alive   server  1.8.0beta1  2         dc1  <all>
consul-server-0.dc2  10.48.0.65:8302    alive   server  1.8.0beta1  2         dc2  <all>
consul-server-1.dc1  10.4.0.43:8302     alive   server  1.8.0beta1  2         dc1  <all>
consul-server-1.dc2  10.48.2.65:8302    alive   server  1.8.0beta1  2         dc2  <all>
consul-server-2.dc1  10.4.1.49:8302     alive   server  1.8.0beta1  2         dc1  <all>
consul-server-2.dc2  10.48.1.42:8302    alive   server  1.8.0beta1  2         dc2  <all>
This feature requires TLS to be enabled, and this is a good practice when we deal with secrets. However, now I have to connect my Vault instances to these Consul servers, and unfortunately the charts are not really easy to use if you want something production ready.
Note that the ACLs are enabled on the Consul side, so I had to create a policy and put the token in Vault's configuration. The last thing I have to figure out is how to create a certificate using the same CA. I don't know how all these PKI settings are handled internally, so I'm not able to create a certificate.
How would you achieve this cross-DC architecture?
Is Consul the right choice, and is federation the best approach for cross-DC replication? How do I connect Vault to Consul using TLS?
Thanks for your help
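An added example, not part of the original post, showing the two pieces the question asks about: a Consul ACL policy scoped to what Vault's Consul storage backend needs, and a Vault `storage "consul"` stanza that talks to the local Consul agent over TLS with an ACL token. The policy name, the agent address and the file paths are assumptions; the client certificate and key are assumed to have been issued from the same CA the Consul chart uses, which in a WAN-federated setup is shared by both datacenters.

```hcl
# --- vault-policy.hcl (Consul ACL policy; name and file name are assumptions) ---
# Register with: consul acl policy create -name vault -rules @vault-policy.hcl
# then mint:     consul acl token create -policy-name vault
# Keep the policy narrow: Vault only needs its KV prefix, its own service
# registration, and session/agent access for leader election.
key_prefix "vault/" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service "vault" {
  policy = "write"
}
agent_prefix "" {
  policy = "write"
}
session_prefix "" {
  policy = "write"
}

# --- vault.hcl (Vault server config; address and paths are assumptions) ---
storage "consul" {
  # Local Consul client agent on its HTTPS port; the plaintext 8500 port is not used.
  address = "127.0.0.1:8501"
  scheme  = "https"
  path    = "vault/"

  # Trust only the chart's CA, and present a client certificate issued from
  # that same CA so a Consul agent running with verify_incoming accepts Vault.
  tls_ca_file     = "/vault/tls/consul-agent-ca.pem"
  tls_cert_file   = "/vault/tls/dc1-client-consul-0.pem"
  tls_key_file    = "/vault/tls/dc1-client-consul-0-key.pem"
  tls_min_version = "tls12"

  # Token from the policy above. The backend also reads CONSUL_HTTP_TOKEN from
  # the environment, which keeps the secret out of the config file on disk.
  # token = "<vault-acl-token>"
}
```

Vault only writes under the `vault/` prefix, so the policy never grants access to the rest of the Consul KV store, and the token can be rotated independently of the TLS material.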