Setting Up Consul TLS in Practice
Seeding TLS Certificates
- Every agent, server or client, needs the CA certificate consul-agent-ca.pem. Only the host that issues agent certificates needs the CA private key consul-agent-ca-key.pem; that key must never be distributed to agents.
Generate CA Certificates
consul tls ca create
This writes consul-agent-ca.pem (the CA certificate) and consul-agent-ca-key.pem (the CA private key) into the current directory.
Store Certificates in Azure Key Vault
az keyvault secret set --name <secret-name> --vault-name <vault-name> --value "$(base64 < consul-agent-ca.pem | tr -d '\n')"
Quote the substitution and strip the line wrapping: base64 breaks its output at 76 columns, and an unquoted $(cat consul-agent-ca.pem | base64) is word-split on those newlines, so only the first chunk would reach the secret. Store only the certificate this way; the CA private key belongs in a separate, more tightly scoped secret, or stays on the issuing host alone.
Storing the certificate in Key Vault lets an automation pipeline (Azure Pipelines) inject it, and I suggest doing so at Packer image build time: each build fetches the latest version of the secret, so a rotated CA certificate is picked up by the next image without changing the pipeline definition. The caveat is that a CA baked into the image only reaches agents when they are rebuilt from the new image, so during a rotation the agents must trust both the old and the new CA until every node has been replaced.
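The whole procedure above, generate the CA, publish the certificate to Key Vault, and pull it back onto the image during the Packer build, as an added example that is not from the original page. The vault name, secret name, target directory, the CONSUL_TLS_STEP step selector and the optional EXPECTED_SHA256 pin are assumptions; the consul and az invocations are the real CLIs, and the sample certificate used for the round-trip check is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original page: seed the Consul agent CA through
# Azure Key Vault. Vault name, secret name and target directory are
# assumptions; override them with environment variables.
set -eu

VAULT_NAME="${VAULT_NAME:-example-kv}"          # assumed Key Vault name
SECRET_NAME="${SECRET_NAME:-consul-agent-ca}"    # assumed secret name
CONSUL_DIR="${CONSUL_DIR:-/etc/consul.d}"        # Consul config directory
EXPECTED_SHA256="${EXPECTED_SHA256:-}"           # optional pinned digest

# Encode a PEM file as ONE line of base64. Plain `base64` wraps at 76 columns,
# and an unquoted $(...) then word-splits on those newlines, so only the first
# chunk would reach `az`. The tr strips the wrapping; the caller must quote.
encode_pem() { base64 < "$1" | tr -d '\n'; }

# Decode a secret value back to a file. A CA certificate is public, so 0644 is
# correct; the CA private key never goes through this path at all.
decode_pem() {
  printf '%s' "$1" | base64 -d > "$2"
  chmod 0644 "$2"
}

# Accept only a PEM certificate, so an empty secret, a stray private key, or a
# truncated base64 chunk fails the build instead of landing in consul.d.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
  grep -q '^-----END CERTIFICATE-----$' "$1" &&
  ! grep -q 'PRIVATE KEY' "$1"
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# Step 1: generate the CA once, on the host that will issue agent certificates.
# Writes consul-agent-ca.pem (public) and consul-agent-ca-key.pem (private).
create_ca() { consul tls ca create; }

# Step 2: publish only the public certificate; the key stays with the issuer.
push_ca() {
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --value "$(encode_pem consul-agent-ca.pem)" --output none
}

# Step 3 (Packer shell provisioner): fetch the latest version, verify, install.
pull_ca() {
  out="$CONSUL_DIR/consul-agent-ca.pem"
  decode_pem "$(az keyvault secret show --vault-name "$VAULT_NAME" \
    --name "$SECRET_NAME" --query value --output tsv)" "$out"
  is_pem_cert "$out"
  # Pinning the digest in the pipeline catches a replaced or corrupted secret;
  # update the pin as part of a deliberate CA rotation.
  if [ -n "$EXPECTED_SHA256" ]; then
    [ "$(digest "$out")" = "$EXPECTED_SHA256" ]
  fi
}

# Nothing runs unless a step is requested, e.g. CONSUL_TLS_STEP=pull ./seed-ca.sh
case "${CONSUL_TLS_STEP:-}" in
  create) create_ca ;;
  push)   push_ca ;;
  pull)   pull_ca ;;
esac
```

In the Packer template the provisioner runs the script with CONSUL_TLS_STEP=pull, with the build agent's identity granted only "get" on that one secret; the push step runs from the host that holds the CA key and never from the image build.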