Register with consul in dev mode (for service discovery)?

Chris Stevens

Aug 23, 2016, 11:19:47 AM
to Vault
Should Vault (0.6.1) register itself with Consul for service discovery when running in "dev" mode?

I just tried it and do not see the vault entries in the Consul catalog.

If this is normal and expected, I'll consider registering vault with consul manually for a consistent environment between dev/CI and other deployed environments.

Is there a recommendation on how to use Vault in dev or CI environments? I was planning to take advantage of the dev mode option to specify a consistent root token and build a simple provisioning script that loads up the expected key paths and secrets.

Thanks!
Chris

Jeff Mitchell

Aug 23, 2016, 11:29:12 AM
to vault...@googlegroups.com
Hi Chris,

Vault does not register itself in dev mode. One of the main reasons is
to avoid having a dev server advertise itself to Consul and end up
redirecting traffic away from an established Vault cluster. (You'd
think people would run in isolated environments, but they don't always
:-) ) Plus, if multiple Vault instances started by multiple
developers are in dev mode it would be hard to establish which server
to connect to.

However, given that the API is JSON, it's pretty easy to "fake" a dev
server by simply having the output of the init command be stored, and
then the unseal key/token extracted and used to unseal and then
populate your values. This would also take advantage of the Consul
integration (unless disabled), and you can even use the "inmem"
storage backend like dev mode does.

Best,
Jeff
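
The flow described in the reply above (init, keep the output, unseal with the extracted key, populate with the root token), as an added example that is not part of the original thread or Vault's own code. It assumes a non-dev Vault server of that era with the default `secret/` mount and the `sys/init` and `sys/unseal` HTTP endpoints; the address, secret path and values are constructed.

```python
import json
import urllib.request

def http_call(method, url, body=None, token=None):
    """Send one JSON request to Vault and return the decoded JSON reply (or {})."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def bootstrap(addr, secrets, call=http_call):
    """Init, unseal and populate a throwaway Vault; returns the stored init output."""
    # One key share with threshold 1: acceptable only for disposable dev/CI servers.
    init = call("PUT", addr + "/v1/sys/init",
                {"secret_shares": 1, "secret_threshold": 1})
    keys, root = init.get("keys") or [], init.get("root_token")
    if not keys or not root:
        raise RuntimeError("init reply lacks keys or root_token")
    # Submit the single unseal key and confirm the server reports itself unsealed.
    status = call("PUT", addr + "/v1/sys/unseal", {"key": keys[0]})
    if status.get("sealed", True):
        raise RuntimeError("Vault still sealed after submitting the only key share")
    # Load the expected key paths and secrets using the root token from init.
    for path, data in secrets.items():
        call("POST", addr + "/v1/secret/" + path.lstrip("/"), data, token=root)
    return init

if __name__ == "__main__":
    # Constructed values; assumes the server listens on a local address.
    out = bootstrap("http://127.0.0.1:8200", {"ci/db": {"password": "example-only"}})
    print("root token:", out["root_token"])
```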

Chris Stevens

Aug 23, 2016, 11:34:11 AM
to Vault
Hi Jeff,

Thanks for that! I totally get it and was actually just reading up on the API and some of your older posts.

Will give that approach a shot next.

Thanks again! I'll be at the training session in a few weeks at HashiConf.

- Chris
