Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Together: Consul + Vault

Secure Together: Consul + Vault

Originally presented at HashiConf EU 2022.

How do you better secure service-to-service communication? In this session, you will learn the ways you can combine Consul and Vault to encrypt traffic between services, control API authorization, and implement least-privilege access across services. Dive into setting up Vault to manage certificates for Consul API Gateway and service mesh on Kubernetes, Consul-Terraform-Sync to automate Vault configuration, and Consul intentions and Vault secrets engines to control access to services.


Rosemary Wang

June 22, 2022

More Decks by Rosemary Wang

Other Decks in Technology


  1. Your certificate has expired.

  2. A service’s address and credentials have changed.

  3. Your services are all failing.

  4. How do you 
 secure changing services and 

    their resilience?
  5. A service mesh secures service registration and communication.

  6. A secrets manager automates service identity and access.

  7. Secure service communication with mutual authentication. Automate service authentication and

  8. Benefits Add flexibility to certificates Automate secret generation Improve system

    resilience Reduce operational effort
  9. Note: Use integrated storage for Vault.

  10. Secure service communication with mTLS.

  11. Use Vault as a secrets backend for Consul.

  12. Secrets for Consul Operations •TLS Certificates for Agents •Tokens for

    Access Control Lists (ACLs) •Encryption Key for Gossip •Enterprise License •Agent Configuration for Snapshots
  13. Secrets for Service Mesh TLS Certificates for Service Mesh •Encrypt

    service-to-service communication •Enables mTLS for east-west traffic TLS Certificates for API Gateway •Encrypt communication to services in mesh •Enables TLS for north-south traffic
  14. A Tale of Two Vault Secrets Engines PKI •Generates certificates

    for Consul •Handles certificate expiration automatically Key-Value Version 2 •Stores and secures static secret •Rotate secret → update Consul manually
  15. None
  16. Consul 
 Agent Offline Root CA PKI Secrets Engine /consul/server/pki

    /consul/server/pki_int Vault Agent Sidecar
  17. None
  18. Consul 
 Service Mesh CA Offline Root CA PKI Secrets

    Engine /consul/connect/pki /consul/connect/pki_int
  19. Root CA (Offline Key) Intermediate CA (Level 1) Intermediate CA

    (Level 2) Intermediate CA (Level 3)
  20. None
  21. Consul 
 API Gateway Offline Root CA PKI Secrets Engine

    /consul/gateway/pki /consul/gateway/pki_int Vault CSI Provider Kubernetes Secret
  22. None
  23. Automate service authentication & authorization.

  24. Database 
 (Previous) Application Database 
 (New) Username & Password

    New Username & Password
  25. Use Consul-Terraform-Sync to update secrets engine in Vault each time

    service changes.
  26. Database Secrets Engine Role Policy Kubernetes Auth Method Consul-Terraform-Sync Consul-Terraform-Sync

 (External Service) Application
  27. None
  28. Secure Together Certificates, ACL Tokens Service Identity, Intentions

  29. Your certificate has been rotated.

  30. A service’s address and credentials have been updated.

  31. Your services are still working.

  32. Learn More Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault

    Code at 
 github.com/joatmon08/hashicorp-stack- demoapp