2. Agenda
• About ME2D
• What’s AKS
• Accelerate containerized application development
• History of Hashicorp
• Hashicorp Vault
• Hashicorp Vault architecture
• Hashicorp Vault Seal
• Hashicorp Vault Setup
• Policy-Authorization Workflow
• How we use Vault and Consul
18.10.2019 2
3. About ME2Digital
• Aleksandar Lazic, ~20 years in IT
• Since 2003 active in the haproxy community
• Since 2006 active in the nginx community => nginxpert
• Since ??? active in the curl community
• Since 2015 in the openshift community
• Always stay curious
• I like what I do and I do it with passion ;-)
• I founded ME2Digital in 2017
4. What’s Azure AKS
• Azure Kubernetes Service
• Launched Oct. 24th 2017
• Precursor was ACS (Azure container service)
• More or less Vanilla Kubernetes
● HA Masters
● Nodes are Azure VM machines
● “hardened OS”
• Registry own Product ACR (Azure container registry)
• AKS SLA 99,5% “strive to attain”
5. Accelerate containerized application development
(image-only slide; no text extracted)
6. History of Hashicorp
• Hashicorp founded 2012 by Mitchell Hashimoto and Armon Dadgar
• Some Products
● Vagrant => Virtualization tool
● Packer => Image creation tool
● Terraform => Provisioning tool
● Consul => DNS and Key Value Server
● Vault => Secrets Management Server
7. Hashicorp Vault
• First release Apr. 28th 2015
● https://www.hashicorp.com/blog/vault-announcement/
• Features
● Secrets Management (dynamic and static)
● Automatic TTL handling
● ACLs and Auditing
● Multiple authentication methods
● Different versions available: OSS and Enterprise
● API Driven
8. Hashicorp Vault architecture
(image-only slide; no text extracted)
9. Hashicorp Vault Seal
https://www.vaultproject.io/docs/concepts/seal.html
• Sealed by default
● When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it.
● Shamir's secret sharing algorithm
● https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
● First step is always to unseal the encrypted store
● Manual unseal
● https://www.vaultproject.io/docs/commands/operator/unseal.html
● Auto unseal
● https://www.vaultproject.io/docs/configuration/seal/azurekeyvault.html
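The seal slide above names the two ideas behind manual unseal: the master key is split with Shamir's secret sharing, and the server stays sealed until enough distinct shares have been handed in (one `vault operator unseal` call per share). The following is an added illustration written for this page, not Vault's own code: it implements Shamir split/recover over a large prime field (Vault itself works byte-wise over GF(2^8)) and a toy seal state machine whose `unseal` accepts shares one at a time. The digest check that stands in for "decrypting the keyring" and the names `SealedStore`, `split_secret` and `recover_secret` are assumptions of this example.

```python
"""Shamir secret sharing plus a toy seal/unseal state machine.

Added illustration of the seal concept; not Vault's own implementation.
Vault splits its master key byte-wise over GF(2^8); this example uses a
large prime field so the arithmetic stays readable.
"""
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; any 32-byte key fits below it


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with Horner's rule, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Split an integer secret into `shares` points; any `threshold` of them recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    # Constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points leave every candidate secret equally likely.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from (x, y) points with distinct x."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_digest(key):
    """Assumed stand-in for 'the key decrypts the keyring': a hash of the key."""
    return hashlib.sha256(str(key).encode()).digest()


class SealedStore:
    """Toy model of the seal: sealed until enough distinct shares arrive."""

    def __init__(self, threshold, expected_digest):
        self.threshold = threshold
        self._expected_digest = expected_digest
        self._pending = {}          # x -> y of shares received so far
        self.sealed = True
        self.master_key = None      # only present in memory while unsealed

    def unseal(self, share):
        """Feed one share (like one `vault operator unseal` call); True once unsealed."""
        if not self.sealed:
            return True
        x, y = share
        self._pending[x] = y        # the same share given twice counts once
        if len(self._pending) < self.threshold:
            return False
        key = recover_secret(list(self._pending.items()))
        if key_digest(key) != self._expected_digest:
            self._pending.clear()   # wrong share set: start over
            raise ValueError("unseal failed: recovered key does not open the store")
        self.master_key, self.sealed = key, False
        return True

    def seal(self):
        """Drop the key from memory; the store is unreadable again."""
        self.sealed, self.master_key = True, None
        self._pending.clear()


def demo(shares=5, threshold=3):
    """Init-like flow: generate a key, split it, unseal with a subset of the shares."""
    master_key = secrets.randbelow(PRIME)       # constructed, random per run
    parts = split_secret(master_key, shares, threshold)
    store = SealedStore(threshold, key_digest(master_key))
    for share in parts[:threshold]:
        store.unseal(share)
    return store.master_key == master_key and not store.sealed


if __name__ == "__main__":
    print("unsealed with 3 of 5 shares:", demo())
```

With `shares=5, threshold=3` the flow mirrors a default `vault operator init -key-shares=5 -key-threshold=3`: any three holders can unseal, two cannot, and a repeated share does not count towards the threshold.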
10. Hashicorp Vault Setup
• Configuration via HCL (HashiCorp configuration language)
• Secrets engines https://www.vaultproject.io/docs/secrets/index.html
● Key / Value
● PKI
• Different Backends
● For example Consul, which is an HA one
● Overview of backends https://www.vaultproject.io/docs/configuration/storage/index.html
• Setup Policies https://www.vaultproject.io/docs/concepts/policies.html
12. How we use Vault and Consul
• Save users' passwords in Vault
• Restrict access for applications
• Get database access from Vault
• In combination with consul-template, get the app server access token
• Create HAProxy configuration from Consul services
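"Setup Policies" on the setup slide and "Restrict access for applications" above both rest on Vault's path-based policies. As an added example for this page (not Vault's code), the following models how a token's policies are evaluated for a request: the dict form mirrors an HCL rule such as `path "secret/data/app/web/*" { capabilities = ["read"] }`. The matching rules are a deliberate simplification stated in the module docstring; the policies `DEFAULT_POLICY` and `APP_WEB_POLICY` and the paths they reference are constructed for the demo.

```python
"""Simplified model of Vault's path-based policy evaluation.

Added example, not Vault's own code. Assumed (simplified) rules:
a trailing '*' matches any suffix, '+' matches exactly one path segment,
the longest matching rule path decides, rules with the same path across
several policies are unioned, and "deny" overrides everything else.
"""
import re

CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny"}


def _to_regex(rule_path):
    """Translate a policy path into an anchored regular expression."""
    prefix = rule_path.endswith("*")
    core = rule_path[:-1] if prefix else rule_path
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if prefix else "") + "$")


def evaluate(policies, request_path):
    """Return the capability set that applies to request_path.

    policies: list of {rule_path: [capabilities]} dicts attached to the token.
    """
    best_len, caps = -1, set()
    for policy in policies:
        for rule_path, rule_caps in policy.items():
            unknown = set(rule_caps) - CAPABILITIES
            if unknown:
                raise ValueError(f"unknown capabilities {unknown} on {rule_path}")
            if not _to_regex(rule_path).match(request_path):
                continue
            if len(rule_path) > best_len:          # more specific rule wins
                best_len, caps = len(rule_path), set(rule_caps)
            elif len(rule_path) == best_len:       # same path elsewhere: union
                caps |= set(rule_caps)
    return set() if "deny" in caps else caps        # deny beats every grant


def is_allowed(policies, request_path, capability):
    """True when the token's policies grant `capability` on `request_path`."""
    return capability in evaluate(policies, request_path)


# Constructed policies for the demo (not from the talk).
DEFAULT_POLICY = {
    "auth/token/lookup-self": ["read"],
    "sys/*": ["deny"],
}
APP_WEB_POLICY = {
    "secret/data/app/web/*": ["read"],       # static config for this app only
    "secret/data/app/web/admin": ["deny"],   # explicit carve-out inside the prefix
    "secret/data/app/+/public": ["read"],    # one segment wildcard: any app's public data
    "database/creds/web-role": ["read"],     # dynamic DB credentials for this role
}
TOKEN_POLICIES = [DEFAULT_POLICY, APP_WEB_POLICY]


if __name__ == "__main__":
    for path, cap in [("secret/data/app/web/db", "read"),
                      ("secret/data/app/web/db", "update"),
                      ("secret/data/app/web/admin", "read"),
                      ("secret/data/app/other/db", "read"),
                      ("sys/seal", "update")]:
        print(f"{cap:6} {path:28} -> {is_allowed(TOKEN_POLICIES, path, cap)}")
```

The carve-out shows why an explicit `deny` is worth writing even under a read-only prefix: the longer path wins, so the application token cannot read `secret/data/app/web/admin` although it can read everything else below `secret/data/app/web/`.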