HashiCorp Consul-Associate Practice Test : Free Online Preparation

Free HashiCorp Consul-Associate Exam Questions

You have a Consul cluster running production workloads in your environment. However, you've discovered that the cluster was initially deployed without gossip

encryption configured, which means that traffic is being sent in cleartext. The security team has requested this to be updated ASAP. However, you can't take an outage on

the Consul service right now, knowing the server nodes will stop communicating once you start editing the configuration files one by one.

How can you enable gossip encryption on the existing cluster without affecting the services it is currently providing the business?

Generate the new encryption key using consul keygen. Update all the Consul server agent configuration files with the new encryption key. Using a scheduling tool,

execute the consul reload command for all nodes at the same time. This will ensure that there is minimal downtime for the Consul service.

Generate the new encryption key using consul keygen. Update each Consul agent configuration file with the new configuration and set additional parameters to

verify incoming and outgoing encryption to false. Use rolling updates to walk through the steps of ultimately setting the parameters to true.

Generate the new encryption key using consul keygen. Use the command consul keyring -install <key> and push the new encryption key out to all participating

nodes in the cluster. Finally, use the command consul keyring -use <key> to instruct Consul to use the key for encryption

Generate the new encryption key using consul keygen. Update the Consul server agent configuration files with the new encryption key and issue a kill -HUP

<process ID> command so the Consul service reloads and picks up the new gossip configuration. Update and restart as a rolling update across the cluster so only a

single node is offline at a time.

You need to deny communication between the customer-db service and the payment service using an intention. You open the command line and issue the following

$ consul intention create customer-db payment

However, the two services can still initiate new connections even after the intention is created. What would explain this?

the mTLS certificates are both signed by the same CA, therefore the connectivity is permitted regardless of an intention

You have created a new gossip encryption key using consul keygen and installed it using the command consul keyring -install

TX/1dsj67x/4XdTeSG1Cb5RdC/cbAbv9Hch4H8cL8nk=.

However, when you try and delete the original gossip encryption key, you receive an error. Based on the error message below, what steps need to be taken in order to be

able to remove the old gossip encryption key?

1. $ consul keyring -remove /d+jMNoQWICjMvddXJXzyGPDWiEOFgApvUJcuPRcves=

3. ==> Removing gossip encryption key...

4. error: Unexpected response code: 500 (12 errors occurred:

5. * WAN error: 5/5 nodes reported failure

6. * CONSUL-NODE-A.dc-1: Removing the primary key is not allowed

7. * CONSUL-NODE-C.dc-1: Removing the primary key is not allowed

8. * CONSUL-NODE-B.dc-1: Removing the primary key is not allowed

9. * CONSUL-NODE-D.dc-1: Removing the primary key is not allowed

10. * CONSUL-NODE-E.dc-1: Removing the primary key is not allowed

11. * dc-1 (LAN) error: 5/5 nodes reported failure

12. * CONSUL-NODE-E: Removing the primary key is not allowed

13. * CONSUL-NODE-A: Removing the primary key is not allowed

14. * CONSUL-NODE-D: Removing the primary key is not allowed

15. * CONSUL-NODE-B: Removing the primary key is not allowed

16. * CONSUL-NODE-C: Removing the primary key is not allowed

wait until the old key is invalidated by Consul based upon the configured validity date

the original gossip key on a Consul cluster cannot be deleted

True or False? A service definition can include multiple health checks.

Free HashiCorp Consul-Associate Exam Questions

Try our Free Demo Practice Tests for Comprehensive Consul-Associate Exam Preparation