
TLS really shouldn't be disabled... especially for SECRETS. I'd fix that up right away!

I've been very pleased with Vault. Our biggest hurdle has been working out the TLS fun: Vault TLS certs from the PKI backend expire in ~32 days, but Vault is a long-running service, and you don't really want it restarting and having to re-unseal all the time, so we have our own CA out on disk, and Vault's PKI holds an intermediate cert. This gives us the ability to generate long-term certs for stuff like Vault, but still use Vault's PKI infrastructure for most TLS certs, while only having to keep track of 1 CA cert internally.




SG Operations member here:

Yep, that's more or less what we're planning on doing. The documentation released was the result of the initial deploy. We prototyped integration with a few different areas of our infra, and are at the point where we'll be making strategic improvements as we roll out the integration everywhere.

In the interest of being fully transparent, the engineer in charge of the project listed as many issues, small or large, with their initial implementation as they could, so we could figure out how to prioritize each one before moving forward.


Awesome, good luck! We had Vault deployed (but unused) for a few months while trying to figure out how to use the Vault PKI backend to secure Vault itself. We finally gave up and did the external CA solution, with Vault holding an intermediate. We actually have 2 intermediate keys: 1 that Vault uses, and 1 that long-running services (like Vault) use for their TLS keys.

We used this https://jamielinux.com/docs/openssl-certificate-authority as a guide to get that all going. Good luck! Otherwise, awesome write-up. I wish we could share more of what we do internally, but it's complicated... getting permission! :)
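The layout the two comments above describe (an offline root CA on disk, an intermediate that Vault holds, and a long-lived certificate for Vault's own listener issued under that intermediate), as an added shell example that is not the commenter's or HashiCorp's code. It assumes an OpenSSL binary on PATH; every name and lifetime is made up, and the second intermediate mentioned in the comment would be signed exactly like the first.

```shell
#!/bin/sh
# Added example, not code from the thread: an offline root CA kept on disk,
# an intermediate that Vault's PKI backend would hold, and a long-lived leaf
# cert for the Vault listener itself, signed by that intermediate.
# Assumes an OpenSSL binary on PATH; all names and lifetimes are made up.
set -eu

# Generate a fresh RSA key and CSR named $2 under $1 with subject $3.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {
  dir="$1"; mkdir -p "$dir"
  # 1. Offline root, self-signed for 10 years; its key never enters Vault.
  csr "$dir" root "/CN=Example Offline Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null
  # 2. Intermediate. In practice Vault produces this CSR itself
  #    (pki/intermediate/generate/internal) so the key stays inside Vault;
  #    openssl stands in for it here. pathlen:0 means it may only issue leaves.
  csr "$dir" int "/CN=Example Vault Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
  # 3. Leaf for Vault's own listener: 2 years, so Vault is not restarted and
  #    re-unsealed every time a ~30-day PKI-backend cert would expire.
  csr "$dir" vault "/CN=vault.example.internal"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vault.example.internal\n' > "$dir/vault.ext"
  openssl x509 -req -in "$dir/vault.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$dir/vault.ext" -out "$dir/vault.crt" 2>/dev/null
  # Vault serves leaf + intermediate; clients only need to trust root.crt.
  cat "$dir/vault.crt" "$dir/int.crt" > "$dir/vault-fullchain.crt"
}

# 0 if the leaf chains to the offline root through the intermediate.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/vault.crt" >/dev/null 2>&1
}

# 0 if the leaf is rejected when the intermediate is missing, i.e. the
# server really must send int.crt alongside its own certificate.
leaf_needs_intermediate() {
  ! openssl verify -CAfile "$1/root.crt" "$1/vault.crt" >/dev/null 2>&1
}
```

Point Vault's listener at vault.key and vault-fullchain.crt, and distribute only root.crt to clients; the root key stays offline.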


That will be useful, and I'll certainly pass it along to the engineer in charge of this initiative. Hopefully we can have a follow-up soon about how we implemented TLS (and maybe some code).

Good luck on getting permission! I'll be on the lookout for when you can post this stuff :)




