Secure and HA Vault with Consul and TLS encryption

Naima AJEBLI
3 min read · Nov 30, 2022


Introduction

HashiCorp Vault is a tool for managing our secrets. In Vault, secrets can be stored or dynamically generated, and, in the case of encryption, keys can be consumed as a service without exposing the underlying key material (KMS).

You can find all the files used in this post in the GitHub repository: https://github.com/ajebli-naima/vault-consul-ha.git

Vault High Availability with Consul

Vault can run in a high availability (HA) mode to protect against outages by running multiple Vault servers.
Certain storage back-ends, such as Consul, provide additional coordination functions that enable Vault to run in an HA configuration while others provide a more robust backup and restoration process.

In a Vault HA cluster, one Vault instance is active and the others are standby, as shown in the following figure:

Figure: Vault HA Cluster with Consul

Setup Vault & Consul

The architecture we aim for is a Vault HA setup consisting of the following:

  • 1 Consul server
  • 2 Consul Agents
  • 2 Vault servers: 1 active and 1 standby

Figure: Vault & Consul architecture

Using Docker Compose, we will create and launch the previous cluster configuration.

Docker compose file

You will find the docker compose file here:

https://github.com/ajebli-naima/vault-consul-ha/blob/e8fb10b25f93a8f9357ffe32e43c719ba0200769/docker-compose.yml

We will run the command sudo docker-compose --compatibility up to start the services.

Notice that in the volumes block of this docker-compose file, the paths to the Certs directories are mounted into the containers; these hold the TLS certificates that allow our servers to be reached over HTTPS.

Generate TLS certificates

I am going to create locally trusted TLS certificates with mkcert and assign them to our Vault, Consul, and Consul-worker instances.

Using the command illustrated in the following figure, we will create the SSL Certificate.

Make sure to add the IP addresses of your Vault and Consul instances to the certificate, so that connections made by IP (and not only by hostname) pass TLS verification.
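As an added example (not code from the original post or its repository), the script below wraps the mkcert call and adds a check that a generated certificate really carries every hostname and IP address the cluster will use as a SAN; a missing IP SAN is the usual reason Vault fails to verify Consul's certificate. The IP addresses and the ./certs output directory are constructed placeholders, and the check uses openssl, which mkcert itself does not require.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mkcert is installed and
# `mkcert -install` has been run; IPs below are constructed placeholders.
set -eu

VAULT_IP="${VAULT_IP:-172.20.0.11}"    # constructed placeholder
CONSUL_IP="${CONSUL_IP:-172.20.0.10}"  # constructed placeholder

# Generate one locally trusted certificate whose SANs cover every name and
# IP the services are reached through (UI over HTTPS, Vault -> Consul by IP).
generate_certs() {
  outdir="$1"
  mkdir -p "$outdir"
  mkcert -cert-file "$outdir/cert.pem" -key-file "$outdir/key.pem" \
    localhost 127.0.0.1 vault consul consul-worker "$VAULT_IP" "$CONSUL_IP"
}

# check_sans CERT NAME_OR_IP... : return 0 when every argument appears as a
# DNS or IP Address SAN of CERT, otherwise print the missing ones and return 1.
check_sans() {
  cert="$1"; shift
  # openssl prints the SAN list on the line after the extension header.
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n1)
  missing=""
  for n in "$@"; do
    case "$n" in
      [0-9]*.[0-9]*.[0-9]*.[0-9]*) needle="IP Address:$n" ;;
      *)                           needle="DNS:$n" ;;
    esac
    # Match a whole SAN entry, not a substring (10.0.0.1 vs 10.0.0.10).
    echo "$sans" | tr ',' '\n' | sed 's/^ *//' | grep -qx "$needle" \
      || missing="$missing $n"
  done
  if [ -n "$missing" ]; then
    echo "missing SAN entries:$missing" >&2
    return 1
  fi
  return 0
}

# Usage: sh certs.sh generate   (generates ./certs/cert.pem and verifies it)
if [ "${1:-}" = "generate" ]; then
  generate_certs ./certs
  check_sans ./certs/cert.pem localhost 127.0.0.1 vault consul consul-worker \
    "$VAULT_IP" "$CONSUL_IP" && echo "certificate SANs OK"
fi
```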

Next, we are going to reference these certificates in the config files of Consul and Vault.

Finally, we can access the Consul and Vault UIs over HTTPS with a secure connection.

Figure: Consul UI via HTTPS
Figure: Vault UI via HTTPS
