
Secure Together: Consul + Vault

Originally presented at HashiConf EU 2022.

How do you better secure service-to-service communication? In this session, you will learn the ways you can combine Consul and Vault to encrypt traffic between services, control API authorization, and implement least-privilege access across services. Dive into setting up Vault to manage certificates for Consul API Gateway and service mesh on Kubernetes, Consul-Terraform-Sync to automate Vault configuration, and Consul intentions and Vault secrets engines to control access to services.

Rosemary Wang

June 22, 2022

Transcript

  1. Secrets for Consul Operations
     • TLS Certificates for Agents
     • Tokens for Access Control Lists (ACLs)
     • Encryption Key for Gossip
     • Enterprise License
     • Agent Configuration for Snapshots
  2. Secrets for Service Mesh
     TLS Certificates for Service Mesh
     • Encrypt service-to-service communication
     • Enables mTLS for east-west traffic
     TLS Certificates for API Gateway
     • Encrypt communication to services in the mesh
     • Enables TLS for north-south traffic
  3. A Tale of Two Vault Secrets Engines
     PKI
     • Generates certificates for Consul
     • Handles certificate expiration automatically
     Key-Value Version 2
     • Stores and secures static secrets
     • Rotate the secret → update Consul manually
  4. Consul Service Mesh CA
     Diagram: Offline Root CA; Vault PKI Secrets Engine mounted at /consul/connect/pki and /consul/connect/pki_int
  5. Consul API Gateway
     Diagram: Offline Root CA; Vault PKI Secrets Engine mounted at /consul/gateway/pki and /consul/gateway/pki_int; Vault CSI Provider → Kubernetes Secret
  6. Learn More
     Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault
     Code at github.com/joatmon08/hashicorp-stack-demoapp
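The Consul Helm values below are an added example, not from the deck or the demo repository, showing how slides 3 and 4 map onto a Consul-on-Kubernetes install that uses Vault as its secrets backend (the integration documented at consul.io/docs/k8s/installation/vault). The gossip key, ACL bootstrap token and enterprise license are static secrets read from a KV version 2 mount, so rotating them means writing a new version in Vault and then rolling Consul; the agent TLS certificates and the service mesh CA come from PKI mounts, which Vault issues and renews on its own. The connect CA mount paths are the ones on the deck's diagram; the Vault address, the KV mount named `consul`, the agent PKI mount `consul/agent/pki`, the PKI role `consul-server` and the Kubernetes auth role names are assumptions.

```yaml
# Consul Helm chart values (added example). Mount names, role names and the
# Vault address are assumptions; the connect CA paths are taken from the deck.
global:
  name: consul
  secretsBackend:
    vault:
      enabled: true
      # Vault Kubernetes auth roles that each Consul component logs in with (assumed names).
      consulServerRole: consul-server
      consulClientRole: consul-client
      consulCARole: consul-ca
      manageSystemACLsRole: consul-server-acl-init
      # CA certificate used by the Consul pods to verify Vault's TLS listener.
      ca:
        secretName: vault-ca
        secretKey: tls.crt
      # Service mesh CA backed by the PKI mounts from the deck's diagram:
      # Consul signs its intermediate against the root mount and issues leaf
      # certificates from the intermediate mount. Renewal is automatic.
      connectCA:
        address: https://vault.vault.svc.cluster.local:8200
        rootPKIPath: consul/connect/pki/
        intermediatePKIPath: consul/connect/pki_int/

  # PKI: agent TLS. The CA certificate is read from the (assumed) agent PKI mount.
  tls:
    enabled: true
    enableAutoEncrypt: true
    caCert:
      secretName: consul/agent/pki/cert/ca

  # KV version 2: static secrets. The "/data/" path segment is how KV v2 is read.
  # Rotating any of these is a manual step: write a new version in Vault, then
  # roll the Consul pods so they pick it up. Vault will not rotate them for you.
  gossipEncryption:
    secretName: consul/data/secret/gossip
    secretKey: gossip
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: consul/data/secret/bootstrap
      secretKey: token
  enterpriseLicense:
    secretName: consul/data/secret/license
    secretKey: license

server:
  # Leaf certificate for the server agents, issued on demand from the
  # (assumed) consul-server PKI role; expiry is handled by Vault.
  serverCert:
    secretName: consul/agent/pki/issue/consul-server
```

The split in these values is the point of slide 3: every `secretName` that contains `/issue/` or `/cert/` is a PKI endpoint and yields a fresh, expiring certificate each time it is read, while every `secretName` that contains `/data/` is a KV v2 read of a value somebody has to rotate by hand.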
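For slide 5, the following manifests are an added example, not code from the deck or the demo repository, of wiring a Vault PKI certificate into Consul API Gateway through the Vault CSI provider: a SecretProviderClass requests a certificate from the intermediate mount on the deck's diagram and syncs it into a `kubernetes.io/tls` Secret, and a Gateway listener terminates TLS with that Secret. The PKI mount paths are the deck's; the Vault address, the Vault role names `api-gateway`, the host name `api.example.com`, the namespace and the resource names are assumptions.

```yaml
# Added example. Mount paths are from the deck; role name, host name,
# namespace, Vault address and resource names are assumptions.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: api-gateway-tls
  namespace: consul
spec:
  provider: vault
  parameters:
    vaultAddress: https://vault.vault.svc.cluster.local:8200
    # Vault Kubernetes auth role bound to the gateway pod's service account (assumed).
    roleName: api-gateway
    # Each entry is one request to the PKI issue endpoint, hence method PUT.
    objects: |
      - objectName: "tls.crt"
        secretPath: "consul/gateway/pki_int/issue/api-gateway"
        secretKey: "certificate"
        method: "PUT"
        secretArgs:
          common_name: "api.example.com"
          ttl: "24h"
      - objectName: "tls.key"
        secretPath: "consul/gateway/pki_int/issue/api-gateway"
        secretKey: "private_key"
        method: "PUT"
        secretArgs:
          common_name: "api.example.com"
          ttl: "24h"
  # Mirror the mounted files into a Kubernetes Secret of type kubernetes.io/tls,
  # which is the form a Gateway listener can reference.
  secretObjects:
    - secretName: api-gateway-tls
      type: kubernetes.io/tls
      data:
        - objectName: tls.crt
          key: tls.crt
        - objectName: tls.key
          key: tls.key
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: api-gateway
  namespace: consul
spec:
  gatewayClassName: consul-api-gateway
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: api-gateway-tls
            kind: Secret
```

Two checks before relying on this. First, the CSI driver only creates the `secretObjects` Secret while some pod mounts a CSI volume that references this SecretProviderClass, so the Secret must exist before the Gateway is reconciled. Second, the two `objects` entries are two separate issue requests, so confirm that the `tls.crt` and `tls.key` that land in the Secret belong to the same key pair (for example by comparing the public key extracted from each with openssl) rather than assuming it.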