by mike-cardwell 2076 days ago
Argh. I already find it a nightmare to figure out how to combine hashicorp tools together. Now there's one more! ;)

E.g., if I want a Consul backed Vault, whilst using Vault to generate TLS certs or other creds for Consul. Especially if I want to run either/both of those services using Nomad, backed by Consul. Hopefully I won't have the option of authenticating against any of these services using Boundary. Especially if Boundary is backed by Consul.


Indeed. Our recommendation with Vault now is to use the built-in storage[1] to break that dependency. If you must use Consul, we recommend separate clusters.

One way we're simplifying this a lot for people is the introduction of our managed services[2][3]. We understand not everyone can use a managed service though!

Boundary will integrate fairly deeply with Consul/Vault but these integrations will be optional.

[1]: https://www.vaultproject.io/docs/configuration/storage/raft [2]: https://www.hashicorp.com/blog/hcp-consul-public-beta [3]: https://www.hashicorp.com/blog/vault-on-the-hashicorp-cloud-...

Thanks for the response. My comment was half in jest, but it has been a pain point for me.
This comment resonates with me so hard. Specifically TLS certs, private certificate authorities and Consul. Like I wanna run my PCA out of Vault (right?), but if using Consul as the backend how do I bootstrap? Sounds like the reply from Michael seems to suggest running the integrated backend, which I can get behind.
Yep, we use the integrated vault backend.

In our case, we use Let's Encrypt to get certificates for Vault and then bootstrap a Vault cluster with internal storage. Then you have Vault and you can use Terraform to configure a Consul TLS backend.

And then there is a little hitch, because consul-template cannot easily create multiple files from a single Vault API call, so you cannot use consul-template directly to create the necessary certificate files. We've written a small messy tool there. But once you have that, it's fairly straightforward to generate Consul + Nomad TLS certs for the trust and then you're set.
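
The "small messy tool" step above, as an added example (my code, not the commenter's tool and not part of any HashiCorp project): one `vault write -format=json pki/issue/<role> ...` call returns the leaf certificate, the private key and the CA chain in a single JSON document, and this script splits that one response into the three files a Consul or Nomad agent is pointed at, so the key always belongs to the certificate next to it. It assumes the response fields Vault's PKI issue endpoint returns (`certificate`, `issuing_ca`, `ca_chain`, `private_key`) and Consul's `cert_file`/`key_file`/`ca_file` settings; the output file names and the sample response at the bottom are constructed for illustration, with placeholder PEM bodies rather than real certificates.

```python
"""Split one Vault PKI issue response into the PEM files Consul/Nomad expect.

Added example, not the commenter's tool. Assumes the JSON shape of
`vault write -format=json pki/issue/<role> common_name=...`.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Output layout the agent config points at (assumed names, adjust to taste).
CERT_FILE = "agent.pem"
KEY_FILE = "agent-key.pem"
CA_FILE = "ca.pem"


def _pem(blob: str) -> str:
    """Normalise a PEM blob to exactly one trailing newline so concatenation is clean."""
    return blob.strip() + "\n"


def _write_atomic(path: Path, content: str, mode: int) -> None:
    """Write to a temp file in the target directory, set the mode, then rename over
    the target, so an agent reloading its TLS files never reads a half-written one."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def split_issue_response(resp: dict, out_dir) -> dict:
    """Split a pki/issue response into cert_file, ca_file and key_file.

    Returns {consul_config_key: path_written}.
    """
    data = resp["data"]
    leaf = _pem(data["certificate"])
    # ca_chain lists the issuing CA and any parents; if it is absent, fall back
    # to issuing_ca alone so the chain is never empty.
    chain = [_pem(c) for c in (data.get("ca_chain") or [data["issuing_ca"]])]
    key = _pem(data["private_key"])

    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    files = {
        # cert_file: leaf first, then the chain, so peers can build a path to the root
        "cert_file": (out / CERT_FILE, leaf + "".join(chain), 0o644),
        # ca_file: what this agent uses to verify certificates presented by peers
        "ca_file": (out / CA_FILE, "".join(chain), 0o644),
        # key_file: the private key, readable only by the agent's user
        "key_file": (out / KEY_FILE, key, 0o600),
    }
    for path, content, mode in files.values():
        _write_atomic(path, content, mode)
    return {k: str(v[0]) for k, v in files.items()}


# Constructed sample, not a real Vault response; the PEM bodies are placeholders.
SAMPLE_RESPONSE = {
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
        "ca_chain": [
            "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
            "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----",
        ],
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----",
        "serial_number": "00:11:22:33",
    }
}


if __name__ == "__main__":
    # Usage (hypothetical role name and path):
    #   vault write -format=json pki/issue/consul common_name=server.dc1.consul \
    #       | python3 split_vault_cert.py /etc/consul.d/tls
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for key, path in split_issue_response(source, target).items():
        print(f'{key} = "{path}"')
```

Because the split happens after a single issue call, the certificate and key on disk can never come from two different Vault requests, which is exactly the mismatch you get if each consul-template template makes its own `secret` call. The atomic rename matters when the agent re-reads these files on SIGHUP.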

So I actually do this today, and I use Vault. This sounds weird, but I spin up a "bootstrap PKI" Vault that is local-only, and produces, e.g.: "consul.service.dc.consul" certs with the issuer labeled as "bootstrap PKI intermediate" or some such. I generate a full suite of these for everything in a space, get it all up and running, then there's a 2nd layer of automation where self-certs are issued.

That said, I'm moving to a central distributed Vault that is mostly going to exist as a PKI so I'll only really need to repeat this process once more! Going to be using the raft internal engine for this one, and spread it physically across the globe so performance is going to be pretty terrible by design, but it should be quite resilient!

Maybe you’re not using Terraform. I suspect that your problem is an insufficient usage of HCL.
All hail Hashi-stack!