Secure Consul Agent Communication with TLS
In this hands-on lab, you will deploy a Consul datacenter that uses Vault to generate and manage certificates to secure agent communication.
This lab will guide you through the steps necessary to deploy Consul with TLS encryption enabled to secure agent-to-agent communication including RPC requests and the consensus protocol.
Specifically, you will:
- Start a Vault dev instance
- Create a policy in Vault to allow certificate generation
- Enable the PKI secrets engine in Vault
- Initialize the CA and generate an intermediate certificate
- Generate certificates for your Consul servers
- Use consul-template to retrieve certificates at runtime
- Perform a certificate rotation
If you are already familiar with the basics of Consul but not with TLS encryption, review the Secure Consul Agent Communication with TLS Encryption tutorial.
In this hands-on lab, you deployed a secure Consul datacenter using Vault to generate and manage certificates.
The lab guided you through the steps necessary to deploy Consul with TLS encryption enabled to authorize access to the UI, API, CLI, services, and agents.
- Started a Vault dev instance
- Created a policy in Vault to allow certificate generation
- Enabled the PKI secrets engine in Vault
- Initialized the CA and generated an intermediate certificate
- Generated certificates for your Consul servers
- Used consul-template to retrieve certificates at runtime
- Performed a certificate rotation
Now that you have tested TLS encryption in this interactive environment, use the tutorial at https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure to configure TLS encryption in your Consul datacenter.
Generate Certificates with Vault's PKI Secrets Engine for Consul TLS Encryption
Lab Infrastructure Provisioning
There are a few components that need to be added to the environment; we are adding them now. Wait for the complete message and then move to the next step.
- Install prerequisites
- Install Consul locally
- Installing Consul x.y.z
- Installing consul-template x.y.z
- Installing Vault locally
- Installing Vault x.y.z
and concluding with
- Complete! Move on to the next step.
Once this message appears, you are ready to continue.
While you wait for the provisioning to complete, you can review the configuration files you are going to use for the lab:
||Template for CA certificate|
||Template for agent certificate|
||Template for agent key|
||Template for CLI certificate|
||Template for CLI key|
||Server agent configuration file|
||Server agent TLS configuration file|
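As an added illustration (not the lab's own files), the sketch below shows how a consul-template configuration and a server agent TLS configuration of the kind listed above can fit together. The file paths, the pki_int mount, the consul-dc1 role, the dc1/consul names and the 24h TTL are assumptions.

```hcl
# Constructed example. Paths, the pki_int mount, the consul-dc1 role and the
# dc1/consul names are assumptions, not values taken from the lab.

# ---- consul-template.hcl ----
vault {
  # Default listener of a Vault dev instance. The token is read from the
  # VAULT_TOKEN environment variable so it is never written to this file.
  address      = "http://127.0.0.1:8200"
  unwrap_token = false
  renew_token  = false
}

# Each template repeats the identical secret call, so consul-template resolves
# them as a single dependency and the CA, certificate and key stay in step.
# Before the TTL runs out a new certificate is requested, the files are
# rewritten and the command runs: that is the rotation.
template {
  contents    = "{{ with secret \"pki_int/issue/consul-dc1\" \"common_name=server.dc1.consul\" \"ttl=24h\" }}{{ .Data.issuing_ca }}{{ end }}"
  destination = "/opt/consul/agent-certs/ca.crt"
  perms       = 0644
  command     = "consul reload"
}

template {
  contents    = "{{ with secret \"pki_int/issue/consul-dc1\" \"common_name=server.dc1.consul\" \"ttl=24h\" }}{{ .Data.certificate }}{{ end }}"
  destination = "/opt/consul/agent-certs/agent.crt"
  perms       = 0644
  command     = "consul reload"
}

template {
  contents    = "{{ with secret \"pki_int/issue/consul-dc1\" \"common_name=server.dc1.consul\" \"ttl=24h\" }}{{ .Data.private_key }}{{ end }}"
  destination = "/opt/consul/agent-certs/agent.key"
  perms       = 0600 # private key: readable by the owner only
  command     = "consul reload"
}

# ---- server-tls.hcl (server agent TLS configuration) ----
# Top-level keys; Consul 1.12 and later also accept these under a tls stanza.
verify_incoming        = true # require TLS and a CA-signed cert on incoming connections
verify_outgoing        = true # use TLS for outgoing connections
verify_server_hostname = true # server certs must match server.<datacenter>.<domain>
ca_file                = "/opt/consul/agent-certs/ca.crt"
cert_file              = "/opt/consul/agent-certs/agent.crt"
key_file               = "/opt/consul/agent-certs/agent.key"
```

Leaving verify_incoming, verify_outgoing or verify_server_hostname at false weakens the setup: agents would accept unencrypted or unauthenticated peers, or any certificate signed by the CA could be presented as a server.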