How to setup Hashicorp Vault with consul on Openshift

Question

I implemented the Hashicorp Vault with the raft, but my organization wants now to change the raft to consul like remove the present vault cluster and re-install with consul but I found in the official Hashicorp documentation as the given below:

Reference: Hashicorp Document related to image

In the same way there from the GitHub and other blogs the installation steps were provided for Hashicorp Vault with the consul. So, kindly help me to understand and also which is preferred raft or consul and why it is preferable?

Answer 1

I think the real question you are asking here is Vault's Integrated Storage (aka Raft) vs. Consul (external storage).

There are several aspects to this but the top 3 are:

1. REDUCED COST & REDUCED OPERATIONAL OVERHEAD & LACK OF CONSUL EXPERTISE ON YOUR

If you want to reduce operational costs (by reducing administrative overhead), then choose Integrated Storage (Raft) is the preferred choice. In a standard cluster configuration, you only need 5 Vault nodes, which translates to VMs on AWS, Azure, GCP, etc. With Consul you will need 3 Vault VMs + 5+ Consul VMs, so a minimum of 8 - see Reference Architecture with Consul

2. INSPECTING VAULT DATA

If you need to inspect Vault's data frequently, then Consul as an external storage is the better option

3. SIDECAR + SERVICE DISCOVERY

If you rely on Consul's service discover and sidecar proxy pattern, then you need it. By contrast, if you are only leveraging Vault's secret management features and capabilities, then the Integrated Storage (Raft) would do just fine.

Take a look at the checklist at the end of this article and at the reference architectures for more clarity.

For leveraging different type of backends with Vault, you can take a look at this Pluralsight course: Managing Access and Secrets in HashiCorp Vault There courses covering Consul as well, of course. But generally, Consul is a a lot more than just a Vault backend for storing data.