Consul TLS in Practice

Setting Up Consul TLS in Practice

Seeding TLS Certificates

  • Every agent needs the consul-agent-ca.pem file.

Generate CA Certificates

consul tls create ca

Store Certificates in Azure Key Vault

az keyvault secret set --name <secret-name> --vault-name <vault-name> --value "$(base64 -w0 consul-agent-ca.pem)"

Storing the certificates in AKV allows us to inject the certs from an automation pipeline (Azure Pipelines). I would suggest doing this at Packer image build time. This allows the certificate to be rotated and made available as the latest value during a new build when needed.
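The round trip described above (encode the PEM as a single base64 line for Key Vault, then decode and install it on the agent during the image build), as an added example that is not part of the original page. The destination path /etc/consul.d/consul-agent-ca.pem and the function names are assumptions; the az command in the trailing comment is shown for context and is not executed.

```shell
#!/usr/bin/env sh
# Added example: seeds consul-agent-ca.pem via an Azure Key Vault secret.
# Assumption: the secret value is the base64 of the PEM file, as produced
# by encode_cert_for_keyvault below (one line, no wrapping).

# Encode a PEM file as a single base64 line. `az keyvault secret set --value`
# takes one argument, so the 76-column wrapping that plain `base64` emits on
# GNU systems must be removed; stripping newlines also works on BSD/macOS.
encode_cert_for_keyvault() {
  base64 "$1" | tr -d '\n'
}

# Decode a secret value and install it as the agent CA. Anything that does not
# decode to a PEM certificate is rejected so a mis-set, empty or truncated
# secret fails the image build instead of producing an agent with a bad CA.
install_ca_from_secret() {
  secret_b64="$1"
  dest="$2"
  tmp=$(mktemp) || return 1
  if ! printf '%s' "$secret_b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 1
  fi
  if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$tmp" \
     || ! grep -q '^-----END CERTIFICATE-----$' "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  # The CA certificate is public material: world-readable is fine, but it
  # must not be writable by the consul user, hence 0644 via install(1).
  install -m 0644 "$tmp" "$dest" && rm -f "$tmp"
}

# Typical use inside a Packer provisioner (requires an authenticated az CLI;
# not executed here):
#   secret=$(az keyvault secret show --name <secret-name> \
#              --vault-name <vault-name> --query value -o tsv)
#   install_ca_from_secret "$secret" /etc/consul.d/consul-agent-ca.pem
```

Because the CA is baked in at image build time, a rotated secret only reaches agents that are rebuilt from a new image; instances already running keep the old CA until they are replaced.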