Proposal: simplify secure Consul agent bootstrapping with "Intro tokens" #6457
Labels: thinking (More time is needed to research by the Consul Contributors), type/enhancement (Proposed improvement or new feature)
Currently, correctly configuring TLS, Gossip Encryption and ACLs, as well as provisioning the correct tokens for agents, is pretty complex to do right. It's even hard to automate.
This proposal is for a new mechanism that can optionally replace bootstrapping TLS, Gossip Encryption and agent-specific ACLs while maintaining optimal security and without relying on any other trusted system like Vault or Kubernetes Secrets.
It centres around a new type of secret and a new “secure bootstrap” startup phase for agents.
The full design needs work, but the gist is that operators would have an easy mechanism from the CLI to create signed JWTs that act as single-use tokens for each agent. These can be distributed out of band instead of needing to configure all of TLS certs, ACL tokens and gossip keys. Each token would allow an agent, once, to authenticate to Consul servers and obtain a bundle of keys and certs to configure TLS, Gossip Encryption and ACLs for that agent.
The same intro keys can be used, with some subtle checks, even to allow automatic bootstrapping of Consul servers, including setting up their own CA to enable TLS securely. This works because the JWTs are asymmetrically signed and the provisioning keypair can be kept securely out of band (say, in a production secret store) and only used by operators or automation when operational tasks like bootstrapping a cluster or a new node need to occur.