How do you secure changing services and improve their resilience?
Slide 5
A service mesh secures service registration and communication.
Slide 6
A secrets manager automates service identity and access.
Slide 7
Secure service communication with mutual authentication.
Automate service authentication and authorization.
Slide 8
Benefits
• Add flexibility to certificates
• Automate secret generation
• Improve system resilience
• Reduce operational effort
Slide 9
Note: Use integrated storage for Vault.
Slide 10
Secure service communication with mTLS.
Slide 11
Use Vault as a secrets backend for Consul.
Slide 12
Secrets for Consul Operations
• TLS certificates for agents
• Tokens for Access Control Lists (ACLs)
• Encryption key for gossip
• Enterprise license
• Agent configuration for snapshots
Slide 13
Secrets for Service Mesh
TLS Certificates for Service Mesh
• Encrypt service-to-service communication
• Enable mTLS for east-west traffic
TLS Certificates for API Gateway
• Encrypt communication to services in the mesh
• Enable TLS for north-south traffic
Slide 14
A Tale of Two Vault Secrets Engines
PKI
• Generates certificates for Consul
• Handles certificate expiration automatically
Key-Value Version 2
• Stores and secures static secrets
• Rotate the secret → update Consul manually
Slide 15
No content
Slide 16
Diagram: Consul agent; offline root CA; PKI secrets engine mounted at /consul/server/pki and /consul/server/pki_int; Vault Agent sidecar.
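The sidecar arrangement on slide 16, written out as a Vault Agent configuration (an example added here, not from the deck): it renders the Consul server agent's TLS material from the intermediate CA at /consul/server/pki_int and a static gossip key from a KV v2 mount, illustrating the automatic-versus-manual rotation contrast of slide 14. The Vault address, the Kubernetes auth role and PKI role named "consul-server", and the KV v2 mount "consul/kv" with its "gossip" secret are assumptions.

```hcl
# Vault Agent sidecar config: example added here, not taken from the slides.
# Assumptions: Vault address, Kubernetes auth role "consul-server", PKI role
# "consul-server" under the deck's /consul/server/pki_int mount, and a KV v2
# mount "consul/kv" whose secret "gossip" has a field "key".
vault {
  address = "https://vault.example.internal:8200"   # placeholder
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = { role = "consul-server" }
  }
}

# Leaf certificate from the intermediate CA at /consul/server/pki_int (slide 16).
# The templates below request the same secret, so the agent issues one cert/key
# pair and re-issues it before the 24h TTL runs out: expiry is automatic (slide 14).
template {
  destination = "/consul/tls/server.pem"
  contents    = <<EOT
{{ with secret "consul/server/pki_int/issue/consul-server" "common_name=server.dc1.consul" "ttl=24h" }}{{ .Data.certificate }}{{ end }}
EOT
  command = "consul reload"   # let the agent pick up the renewed certificate
}

template {
  destination = "/consul/tls/server-key.pem"
  perms       = "0600"
  contents    = <<EOT
{{ with secret "consul/server/pki_int/issue/consul-server" "common_name=server.dc1.consul" "ttl=24h" }}{{ .Data.private_key }}{{ end }}
EOT
}

# Issuing (intermediate) CA that peers trust; the root key stays offline.
template {
  destination = "/consul/tls/ca.pem"
  contents    = <<EOT
{{ with secret "consul/server/pki_int/issue/consul-server" "common_name=server.dc1.consul" "ttl=24h" }}{{ .Data.issuing_ca }}{{ end }}
EOT
}

# Static gossip key from KV v2 (slide 12): the agent writes it out, but rotating
# it means a new version in Vault and then a manual Consul keyring update (slide 14).
template {
  destination = "/consul/config/gossip.hcl"
  perms       = "0600"
  contents    = "encrypt = \"{{ with secret \"consul/kv/data/gossip\" }}{{ .Data.data.key }}{{ end }}\""
}
```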
Slide 17
No content
Slide 18
Diagram: Consul service mesh CA; offline root CA; PKI secrets engine mounted at /consul/connect/pki and /consul/connect/pki_int.
Slide 19
CA hierarchy: Root CA (offline key) → Intermediate CA (Level 1) → Intermediate CA (Level 2) → Intermediate CA (Level 3).
Slide 20
No content
Slide 21
Diagram: Consul API gateway; offline root CA; PKI secrets engine mounted at /consul/gateway/pki and /consul/gateway/pki_int; Vault CSI provider; Kubernetes secret.