Where to store vault / nomad / consul tokens for consul-template?

Question 1
Hi! The documentation says storing tokens in a configuration file is not recommended. So where do we store them? If a token is to be stored in an env var, then how would we daemonize consul-template (say, with systemd), and how do we persist the token between restarts?

Question 2
Is it recommended to run consul-template as a systemd service? If it is, then is it OK to run it as the root user (given that the template outputs are owned by root)?

Question 3
If my sole purpose is to provision mTLS for nomad and consul and gossip encryption, then what is the recommended tool - vault-agent or consul-template?
