
SG Operations member here:

Yep, that's more or less what we're planning on doing. The documentation released was the result of the initial deploy. We prototyped integration with a few different areas of our infra, and are at the point where we'll be making strategic improvements as we roll out the integration everywhere.

In the interest of being fully transparent, the engineer in charge of the project listed as many issues, small or large, with their initial implementation, so we could figure out how to prioritize each one before moving forward.




Awesome, good luck. We had Vault deployed (but unused) for a few months while trying to figure out how to use the Vault PKI backend to secure Vault itself. We finally gave up and did the external CA solution, with Vault holding an intermediate. We actually have 2 intermediate keys: 1 that Vault uses, and 1 that long-running services (like Vault) use for their TLS keys.

We used this https://jamielinux.com/docs/openssl-certificate-authority as a guide to get that all going. Good luck! Otherwise, awesome write-up. I wish we could share more of what we do internally, but it's complicated... getting permission! :)
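The layout the comment above describes (an external root, one intermediate handed to Vault's PKI backend, a second intermediate kept outside Vault for the TLS certificates of long-running services such as Vault itself) can be built and checked in a few dozen lines with Go's standard crypto/x509. The following is an added example, not code from the commenter, from Vault, or from the linked openssl guide; the CA names, the host name vault.example.internal, and the serial counter are constructed for illustration, and the CSR generated in-process stands in for the one Vault's pki/intermediate/generate/internal endpoint would return. The point it shows is why the two intermediates are separate: a listener certificate issued by the services intermediate verifies against the root, but cannot chain through the Vault intermediate, so Vault's own TLS never depends on the CA that Vault serves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy: an offline root signs two intermediates. VaultCA is the one
// Vault's PKI backend issues from; ServicesCA issues TLS certs for
// long-running services (Vault's own listener included).
type Hierarchy struct {
	Root, VaultCA, ServicesCA *x509.Certificate
	servicesKey               *ecdsa.PrivateKey
}

var serial int64 = 1000 // constructed counter; a real CA persists serials

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// caTemplate marks a CA and caps how many CAs may sit below it
// (pathLen 0 = may sign leaf certificates only).
func caTemplate(cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignIntermediateCSR is the offline root's job: check the CSR Vault exported,
// then issue a pathLen-0 CA cert for that key. Vault never sees the root key.
func SignIntermediateCSR(csrDER []byte, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported CSR key type %T", csr.PublicKey)
	}
	return sign(caTemplate(csr.Subject.CommonName, 0), root, pub, rootKey)
}

// BuildHierarchy creates the root and both intermediates in memory.
func BuildHierarchy() (*Hierarchy, error) {
	h := &Hierarchy{}
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	rootTmpl := caTemplate("Example Root CA", 1) // room for exactly one CA below it
	if h.Root, err = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, err
	}
	vaultKey, err := newKey() // stands in for the key Vault keeps internally
	if err != nil {
		return nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Vault Intermediate CA"}}, vaultKey)
	if err != nil {
		return nil, err
	}
	if h.VaultCA, err = SignIntermediateCSR(csr, h.Root, rootKey); err != nil {
		return nil, err
	}
	if h.servicesKey, err = newKey(); err != nil {
		return nil, err
	}
	h.ServicesCA, err = sign(caTemplate("Services Intermediate CA", 0), h.Root, &h.servicesKey.PublicKey, rootKey)
	return h, err
}

// IssueServiceCert issues a server cert from the services intermediate.
func (h *Hierarchy) IssueServiceCert(dnsName string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, h.ServicesCA, &key.PublicKey, h.servicesKey)
}

// VerifyChain does what a TLS client trusting only the root does:
// leaf -> intermediate -> root, for the given host name.
func VerifyChain(leaf, intermediate, root *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	leaf, err := h.IssueServiceCert("vault.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("via services intermediate:", VerifyChain(leaf, h.ServicesCA, h.Root, "vault.example.internal"))
	fmt.Println("via Vault intermediate:   ", VerifyChain(leaf, h.VaultCA, h.Root, "vault.example.internal"))
}
```

In a real deployment the root key never lives in the same process: the CSR comes out of Vault, gets signed on the offline CA host, and the resulting certificate goes back in with pki/intermediate/set-signed, while the services intermediate key stays with whatever issues the long-lived listener certificates. The pathLen-0 constraint on both intermediates is the check that keeps either of them from minting further CAs.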


That will be useful, and I'll certainly pass it along to the engineer in charge of this initiative. Hopefully we can have a follow-up soon about how we implemented TLS (and maybe some code).

Good luck on getting permission! I'll be on the lookout for when you can post this stuff :)




