Proposal: simplify secure Consul agent bootstrapping with "Intro tokens" #6457

Closed
banks opened this issue Sep 5, 2019 · 3 comments
Labels: thinking (More time is needed to research by the Consul Contributors), type/enhancement (Proposed improvement or new feature)

Comments

@banks
Member

banks commented Sep 5, 2019

Currently, correctly configuring TLS, Gossip Encryption and ACLs, as well as provisioning correct tokens for agents, is pretty complex to do right. It's even hard to automate.

This proposal is for a new mechanism that can optionally replace bootstrapping TLS, Gossip Encryption and agent-specific ACLs while maintaining optimal security and without relying on any other trusted system like Vault or Kubernetes Secrets.

It centres around a new type of secret and a new “secure bootstrap” startup phase for agents.

The full design needs work but the gist is that operators would have an easy mechanism from the CLI to create signed JWTs that act as single-use tokens for each agent that can be distributed out of band instead of needing to configure all of TLS certs, ACL tokens and gossip keys. These tokens would allow one-time use for an agent to authenticate to Consul servers and obtain a bundle of keys and certs to configure TLS, Gossip Encryption and ACLs for the agent.

The same intro keys can be used, with some subtle checks, even to allow automatic bootstrapping of Consul servers, including setting up their own CA to enable TLS securely. This works because the JWTs are asymmetrically signed and the provisioning keypair can be kept securely out of band, say in a production secret store, and only used by operators or automation when operational tasks like bootstrapping a cluster or a new node need to occur.
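
The exchange the proposal sketches, written out as an added example (this is not Consul's code and not part of the issue): the operator side mints an asymmetrically signed, single-use JWT for one agent; the server side holds only the public key, verifies the token, refuses replays, expired tokens and tokens issued for a different node, and only then hands back a bundle standing in for the TLS cert, gossip key and ACL token. The proposal says only that the tokens are asymmetrically signed JWTs and single-use; Ed25519/EdDSA as the scheme, the claim names (`jti`, `sub`, `exp`), the node-binding check and the placeholder bundle contents are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// introClaims is the payload the operator signs for one agent (hypothetical claim set).
type introClaims struct {
	JTI string `json:"jti"` // unique token id, the key for single-use tracking
	Sub string `json:"sub"` // node name the token is bound to
	Exp int64  `json:"exp"` // expiry, unix seconds
}

// bootstrapBundle stands in for the TLS cert, gossip key and ACL token an agent receives.
type bootstrapBundle struct{ TLSCertPEM, GossipKey, ACLToken string }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signIntroToken is the operator/CLI side: a compact JWS with alg EdDSA. Only this side holds the private key.
func signIntroToken(priv ed25519.PrivateKey, c introClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c) // strings and an int64 cannot fail to marshal
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(priv, []byte(input)))
}

// introVerifier is the server side: only the public key plus the JTIs already redeemed.
type introVerifier struct {
	pub  ed25519.PublicKey
	mu   sync.Mutex
	used map[string]struct{}
}

// redeem checks alg, signature, expiry, node binding and single-use, in that order, then issues a bundle.
func (v *introVerifier) redeem(token, nodeName string) (*bootstrapBundle, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("bad header") // the verifier pins the algorithm; the token never picks it
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(v.pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c introClaims
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(bodyRaw, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Sub != nodeName {
		return nil, errors.New("token not issued for this node")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if _, seen := v.used[c.JTI]; seen {
		return nil, errors.New("token already redeemed")
	}
	v.used[c.JTI] = struct{}{} // recorded only after every check above passed
	// Placeholder bundle; a real server would mint a cert, return the gossip key and create an agent ACL token.
	return &bootstrapBundle{TLSCertPEM: "(cert for " + c.Sub + ")", GossipKey: "(gossip key)", ACLToken: "(acl token for " + c.Sub + ")"}, nil
}

// demo runs the exchange end to end and returns "ok" or the error text for each attempt.
func demo() map[string]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	server := &introVerifier{pub: pub, used: map[string]struct{}{}}
	try := func(tok, node string) string {
		if _, err := server.redeem(tok, node); err != nil {
			return err.Error()
		}
		return "ok"
	}
	in10m := time.Now().Add(10 * time.Minute).Unix()
	tok := signIntroToken(priv, introClaims{JTI: "intro-0001", Sub: "node-a", Exp: in10m})
	out := map[string]string{}
	out["first"] = try(tok, "node-a")  // the agent presents its token once
	out["replay"] = try(tok, "node-a") // the same token a second time
	forged, _ := json.Marshal(introClaims{JTI: "intro-0001", Sub: "node-b", Exp: in10m}) // payload swapped, signature kept
	p := strings.Split(tok, ".")
	out["tamper"] = try(p[0]+"."+b64(forged)+"."+p[2], "node-b")
	out["wrongnode"] = try(signIntroToken(priv, introClaims{JTI: "intro-0002", Sub: "node-c", Exp: in10m}), "node-a")
	out["expired"] = try(signIntroToken(priv, introClaims{JTI: "intro-0003", Sub: "node-a", Exp: in10m - 3600}), "node-a")
	return out
}
```

Two design points carry the security argument of the proposal. First, the servers never see the provisioning private key, so compromising a server yields nothing that can mint new intro tokens, which is what lets the keypair live in an operator-side secret store. Second, the order of checks in `redeem` matters: the signature is verified before any claim is trusted, the algorithm is fixed by the verifier rather than read from the token, and a JTI is marked as used only after every check passes, so an attacker cannot burn a legitimate agent's token by submitting a forged one. In a multi-server cluster the used-JTI set would have to be replicated (for example through the servers' consensus log) for single-use to hold cluster-wide; the in-memory map here is enough to show the mechanism.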

@banks banks added the type/enhancement Proposed improvement or new feature label Sep 5, 2019
@banks banks modified the milestone: Upcoming Sep 5, 2019
@banks banks added the thinking More time is needed to research by the Consul Contributors label Sep 5, 2019
@hanshasselberg
Member

I came across a talk about the implementation of mTLS in Docker Swarm: https://www.infoq.com/presentations/tls-swarm-pki/ and it contains something similar; details start at ~10:00.

@banks
Member Author

banks commented Jan 17, 2020

@i0rek I've read that code before ;)

@david-yu
Contributor

david-yu commented Sep 7, 2023

Closing as this is now addressed through auto_config, which is described in a bit more detail in this learn guide: https://developer.hashicorp.com/consul/tutorials/security-operations/docker-compose-auto-config

@david-yu david-yu closed this as completed Sep 7, 2023

3 participants