Vault as the Secrets Backend Overview
By default, Consul on Kubernetes stores its sensitive material in Kubernetes Secrets, which are only base64 encoded, not encrypted (unless the cluster has been configured for encryption at rest). In addition, the following limitations exist when managing sensitive data in Kubernetes Secrets:
- There are no lease or time-to-live properties associated with these secrets.
The following secrets can be stored in the Vault KV secrets engine, which is designed to hold arbitrary secrets:
- ACL Bootstrap token
- ACL Partition token
- ACL Replication token
- Enterprise license
- Gossip encryption key
- Snapshot Agent config
The following credentials are generated and managed by the Vault PKI secrets engine:
- Service Mesh and Consul client TLS credentials
- Vault 1.9+ and Vault-k8s 0.14+ are required.
- Vault must be installed and accessible to the Consul on Kubernetes installation.
- is required if TLS is enabled for the Consul installation when using the Vault secrets backend.
- The Vault installation must be initialized and unsealed, with the KV v2 and PKI secrets engines and the Kubernetes auth method enabled.
The Vault integration with Consul on Kubernetes has two aspects or phases:
- Systems Integration - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store.
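The Helm values below are an added illustration of what the Consul side of the systems integration looks like once the Vault side is in place; they are not taken from this page or shipped by the project as defaults. The KV mount (`consul/`), the secret paths under it, the PKI mount (`pki/`) and role (`consul-server`), and the three Kubernetes auth role names are assumptions chosen for the example; the Helm keys themselves are the ones Consul on Kubernetes exposes for the Vault backend. The example assumes a Vault Kubernetes auth role exists for each named role, bound to the matching Consul service account and carrying a policy that grants `read` on the KV v2 `data/` path it references (and, for the server, `create`/`update` on the PKI issue path).

```yaml
# values.yaml: Consul on Kubernetes with Vault as the secrets backend.
# Added example; mount paths, secret paths and role names are assumptions.
global:
  secretsBackend:
    vault:
      enabled: true
      # Names of Vault Kubernetes auth method roles (assumed). Each must be
      # bound to the corresponding Consul service account and namespace.
      consulServerRole: consul-server
      consulClientRole: consul-client
      manageSystemACLsRole: server-acl-init

  # KV v2 secrets. Note the "data/" segment: KV v2 serves secrets at
  # <mount>/data/<path>, so secretName is the API path, not the shorter
  # path used on the CLI ("vault kv put consul/secret/gossip key=...").
  # Omitting "data/" is the most common reason the server fails to start.
  gossipEncryption:
    secretName: consul/data/secret/gossip
    secretKey: key

  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: consul/data/secret/bootstrap-token
      secretKey: token

  # Enterprise only; omit on Consul OSS.
  enterpriseLicense:
    secretName: consul/data/secret/license
    secretKey: key

  # TLS credentials come from the PKI engine rather than KV. The CA cert is
  # read from the mount's CA endpoint; server certs are issued on demand
  # against a PKI role (assumed name "consul-server") whose allowed domains
  # must cover the server's DNS SANs, e.g. server.dc1.consul.
  tls:
    enabled: true
    caCert:
      secretName: pki/cert/ca

server:
  serverCert:
    secretName: pki/issue/consul-server
```

Install with `helm install consul hashicorp/consul -f values.yaml` once the Vault roles and policies exist. With these values no Kubernetes Secret holds the gossip key, bootstrap token or license: the pods authenticate to Vault with their service account token and the Vault agent injector fetches each secret, so the TTLs and rotation that Kubernetes Secrets lack are enforced by the Vault lease.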