Successfully reported this slideshow.
Your SlideShare is downloading. ×

Apache CloudStack Integration with HashiCorp Vault

Sep. 28, 2018
0 likes 145 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Vault 1.0: How to Auto-Unseal and Other New Features
Vault 1.0: How to Auto-Unseal and Other New Features
Loading in …3
×

Check these out next

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
TW SEAT - DevOps: Security 干我何事?
smalltown
Kickstart your Kafka with Faker Data | Francesco Tisiot, Aiven.io
HostedbyConfluent
Hashicorp Vault ppt
Shrey Agarwal
Secrets management vault cncf meetup
Juraj Hantak
Istio Cloud Native Online Series - Intro to Istio Security
Matt Baldwin
Vault - Secret and Key Management
Anthony Ikeda
Vault
Jean-Philippe Bélanger
1 of 18 Ad

Apache CloudStack Integration with HashiCorp Vault

Sep. 28, 2018
0 likes 145 views

Download to read offline

Technology

Khosrow Moosavi presented how to integrate HashiCorp Vault into your Apache CloudStack Infrastructure-as-Code at the CloudStack Collab Conference of ApacheCon 2018.

Khosrow Moosavi presented how to integrate HashiCorp Vault into your Apache CloudStack Infrastructure-as-Code at the CloudStack Collab Conference of ApacheCon 2018.

Technology
Advertisement

Recommended

Vault 1.0: How to Auto-Unseal and Other New Features
Mitchell Pronschinske
10k views
22 slides
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
2.4k views
26 slides
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Amanda MacLeod
7.6k views
13 slides
Managing secrets at scale
Alex Schoof
6.1k views
81 slides
Vault 101
Hazzim Anaya
463 views
39 slides
Issuing temporary credentials for my sql using hashicorp vault
OlinData
965 views
21 slides
Credential store using HashiCorp Vault
Mayank Patel
342 views
34 slides
Using Vault to decouple MySQL Secrets
Derek Downey
1.9k views
70 slides
Advertisement

More Related Content

Slideshows for you (20)

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
6.2k views
TW SEAT - DevOps: Security 干我何事?
smalltown
484 views
Kickstart your Kafka with Faker Data | Francesco Tisiot, Aiven.io
HostedbyConfluent
415 views
Hashicorp Vault ppt
Shrey Agarwal
4.1k views
Secrets management vault cncf meetup
Juraj Hantak
147 views
Istio Cloud Native Online Series - Intro to Istio Security
Matt Baldwin
721 views
Vault - Secret and Key Management
Anthony Ikeda
3.6k views
Vault
Jean-Philippe Bélanger
373 views
DevOpsDays - DevOps: Security 干我何事?
smalltown
766 views
OSMC 2018 | Tailored SNMP monitoring – Your own SNMP MIB and sub-agent with P...
NETWAYS
148 views
OSMC 2018 | SLA Monitoring mit Icinga & Prometheus by Moritz Tanzer
NETWAYS
199 views
FIWARE Wednesday Webinars - Short Term History within Smart Systems
FIWARE
611 views
6 Months Sailing with Docker in Production
Hung Lin
760 views
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
3.1k views
Implementing Progressive Delivery with Your Team (by Leigh Capili)
Weaveworks
133 views
Production ready kubernetes
Arnaud MAZIN
113 views
Hug #9 who's keeping your secrets
Cameron More
146 views
London Hug 20/6 - Vault production
London HashiCorp User Group
316 views
Introducing Vault
Ramit Surana
1.2k views
How to manage Kubernetes at scale with just git
Weaveworks
164 views
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
6.2k views
53 slides
TW SEAT - DevOps: Security 干我何事?
smalltown
484 views
59 slides
Kickstart your Kafka with Faker Data | Francesco Tisiot, Aiven.io
HostedbyConfluent
415 views
13 slides
Hashicorp Vault ppt
Shrey Agarwal
4.1k views
11 slides
Secrets management vault cncf meetup
Juraj Hantak
147 views
21 slides
Istio Cloud Native Online Series - Intro to Istio Security
Matt Baldwin
721 views
20 slides

Similar to Apache CloudStack Integration with HashiCorp Vault (20)

Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
1.3k views
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
762 views
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Stenio Ferreira
225 views
Kubernetes Secrets Management on Production with Demo
Opsta
63 views
CloudMonkey
Sebastien Goasguen
7.9k views
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
551 views
Fiware cloud developers week brussels
Fernando Lopez Aguilar
1.3k views
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
Andrey Devyatkin
704 views
FIWARE Primer - Learn FIWARE in 60 Minutes
Federico Michele Facca
1.5k views
Federico Michele Facca - FIWARE Primer - Learn FIWARE in 60 Minutes
Codemotion
360 views
Cloud Workflows What's new in serverless orchestration and automation
Márton Kodok
170 views
Cotech- OPA-v2.pptx
arnaudjeansen1
21 views
Managing your secrets in a cloud environment
Taswar Bhatti
2k views
Kubernetes security
Thomas Fricke
714 views
OpenStack API's and WSGI
Mike Pittaro
25.6k views
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
715 views
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
Lucas Jellema
192 views
K8s identity management
Marc Boorshtein
263 views
Proto kubernetes onswitc_hengines_tue100418
inside-BigData.com
831 views
Securing Your Resources with Short-Lived Certificates!
All Things Open
88 views
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
1.3k views
42 slides
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
762 views
14 slides
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Stenio Ferreira
225 views
17 slides
Kubernetes Secrets Management on Production with Demo
Opsta
63 views
35 slides
CloudMonkey
Sebastien Goasguen
7.9k views
13 slides
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
551 views
113 slides
Advertisement

More from CloudOps2005 (20)

Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
965 views
Human No, Machine Yes: Welcome to the CDF with Incremental Confidence
CloudOps2005
225 views
The Salmon Algorithm Spawning with Kubernetes
CloudOps2005
320 views
Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019
CloudOps2005
282 views
Plateformes et infrastructure infonuagique natif de ville de Montréall
CloudOps2005
191 views
Using Rook to Manage Kubernetes Storage with Ceph
CloudOps2005
842 views
Kafka on Kubernetes
CloudOps2005
153 views
Kubernetes: Crossing the Chasm
CloudOps2005
282 views
Distributed Logging with Kubernetes
CloudOps2005
255 views
Kubernetes Security with Calico and Open Policy Agent
CloudOps2005
1.8k views
Advanced Deployment Strategies with Kubernetes and Istio
CloudOps2005
491 views
GitOps with ArgoCD
CloudOps2005
2.7k views
Kubernetes Services are sooo Yesterday!
CloudOps2005
700 views
Amazon EKS: the good, the bad, and the ugly
CloudOps2005
560 views
Kubernetes, Terraform, Vault, and Consul
CloudOps2005
554 views
SIG Multicluster and the Path to Federation
CloudOps2005
232 views
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
CloudOps2005
545 views
Operator SDK for K8s using Go
CloudOps2005
1.5k views
How to Handle your Kubernetes Upgrades
CloudOps2005
417 views
Kubernetes and Cloud Native Meetup - March, 2019
CloudOps2005
382 views
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
965 views
15 slides
Human No, Machine Yes: Welcome to the CDF with Incremental Confidence
CloudOps2005
225 views
14 slides
The Salmon Algorithm Spawning with Kubernetes
CloudOps2005
320 views
45 slides
Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019
CloudOps2005
282 views
22 slides
Plateformes et infrastructure infonuagique natif de ville de Montréall
CloudOps2005
191 views
44 slides
Using Rook to Manage Kubernetes Storage with Ceph
CloudOps2005
842 views
19 slides

Recently uploaded (20)

ELECTRONICS DEVENDRA SHRIVASH.pptx
DEVENDRA SHRIVASH
3 views
SESSION 01-ALPHABET-NUMBERS-DEMOSRATIVE.pdf
SamiraQuispe
3 views
336760739-Pdh-Sdh-Sonet.ppt
ssuserefc414
2 views
4 th International Conference on Natural Language Processing and Machine Lear...
ijscai
4 views
DL Assignment __ (khem).pdf
KrishtinaShrestha1
4 views
EMT 11_12 Q1 0201 PF LED.pptx
JockerColumna1
3 views
M-Core Brochure.pdf
DigitalMarketing63742
0 views
The Spotight is On Passwordless Authentication
Andy32903
4 views
Product Enablement Principles
UXDXConf
32 views
Crypto Developer Locations 2023 by Electric Capital
MariaShen2
447 views
Mapping Your Brand’s Journey into The Metaverse.pdf
AnuragYadav882277
6 views
Artificial Intelligence Outline (1).ppt
AmnaNadeem27
0 views
ap700-AIRONET.pdf
Danar52
3 views
How to develop healthcare app.docx
SophiaJasper
10 views
System Implementation.pptx
MohamedNowfeek1
3 views
JOB REDESIGN WITH OUR MECHANIZED SOLUTIONS
Promotech India
4 views
Lecture 6.pptx
MohamedNowfeek1
1 view
Drive Successful ESG Initiatives with Trusted Data
Precisely
6 views
XFS.ppt
DmitryIg
1 view
Choosing the Board’s Duty of Foresight
OnBoard
48 views
ELECTRONICS DEVENDRA SHRIVASH.pptx
DEVENDRA SHRIVASH
3 views
23 slides
SESSION 01-ALPHABET-NUMBERS-DEMOSRATIVE.pdf
SamiraQuispe
3 views
41 slides
336760739-Pdh-Sdh-Sonet.ppt
ssuserefc414
2 views
75 slides
4 th International Conference on Natural Language Processing and Machine Lear...
ijscai
4 views
2 slides
DL Assignment __ (khem).pdf
KrishtinaShrestha1
4 views
17 slides
EMT 11_12 Q1 0201 PF LED.pptx
JockerColumna1
3 views
45 slides
Advertisement

Apache CloudStack Integration with HashiCorp Vault

  1. 1. Apache CloudStack integration with HashiCorp Vault Khosrow Moossavi (@khos2ow) ApacheCon North America Sep. 24-27 2018 Montreal, Canada
  2. 2. Agenda ● HashiCorp Vault ○ What it does ○ Why it is useful ○ Basic intro ● Apache CloudStack ○ IKEv2 VPN ○ Secure/Hidden Configs ● What’s next CloudOps.com | 2
  3. 3. HashiCorp Vault
  4. 4. What Vault does ● Secures, stores, and tightly controls access to ○ Tokens ○ Passwords ○ Certificates ○ API keys ○ and other secrets in modern computing ● Handles leasing, key revocation, key rolling, and auditing ● Encrypts and decrypts data without storing it CloudOps.com | 4
  5. 5. Why Vault is useful ● Designed specifically for secrets storage ● Prevents developers/operations from reinventing the wheel ● Open source (Mozilla Public License 2.0) and community-driven ● Should be used for everything, not only CloudStack CloudOps.com | 5
  6. 6. High-level Architecture Vault basic intro CloudOps.com | 6
  7. 7. Best Practice In practice, operators should not use the token create command to generate Vault tokens for users or machines. Instead, those users or machines should authenticate to Vault using any of Vault's configured auth methods such as GitHub, LDAP, AppRole, etc. https://www.vaultproject.io/intro/getting-started/authentication.html#best-practice Vault basic intro Authentication Method ● Token ○ Fixed mechanism ● AppRole ○ Dynamic mechanism CloudOps.com | 7
  8. 8. Vault basic intro Secrets Engines ● Key/Value ● PKI (Certificates) ● Databases ● SSH ● Transit ● TOTP ● etc. CloudOps.com | 8
  9. 9. Apache CloudStack
  10. 10. IKEv2 VPN ● Implemented to replace L2TP ○ More Secure ○ Relatively faster ○ Manages multiple clients behind one corporate firewall ● Enable IKEv2 VPN in Global Settings ○ remote.access.vpn.type : Type of VPN (ikev2 or l2tp) CloudOps.com | 10
  11. 11. IKEv2 VPN pki.engine.certificate.brand Brand name to be used in Certificate's common name CloudStack pki.engine.certificate.common.name Certificate's common name template __BRAND__ VPN __DOMAIN__ CA pki.engine.vault.cca.ttl Vault PKI root CA TTL 2 days pki.engine.vault.enabled Enable Vault as the backend PKI engine false pki.engine.vault.mount.path Vault PKI mount point prefix pki/cloudstack pki.engine.vault.role.name Vault PKI role name cloudstack-vpn pki.engine.vault.role.ttl Vault PKI role TTL 43800h pki.engine.vault.token Token to access Vault pki.engine.vault.token.role.id App Role id to be used to fetch token to access Vault pki.engine.vault.token.secret.id Secret id to be used to fetch token to access Vault pki.engine.vault.ttl Vault PKI TTL 87600h pki.engine.vault.url Full URL of Vault endpoint
  12. 12. IKEv2 VPN Required policies for AppRole ● mount-pki-cloudstack ● pki-cloudstack CloudOps.com | 12 { "path": { "sys/mounts/pki/cloudstack/*": { "capabilities": ["read", "update"] } } } { "path": { "pki/cloudstack/*": { "capabilities": ["read","update"] } } }
  13. 13. Secure/Hidden Configs ● Implemented to replace DBEncryptionUtil ○ Offload CPU usage to Vault ○ Much more secure than PBEWithMD5AndDES ● Enable Secure Configs in Global Settings ○ secure.configs.vault.enabled : true CloudOps.com | 13
  14. 14. Secure/Hidden Configs secure.configs.vault.enabled Enable Vault as the backend Transit engine false secure.configs.vault.key.name Vault Transit key name cloudstack-transit secure.configs.vault.mount.path Vault Transit mount point prefix transit/cloudstack secure.configs.vault.token Token to access Vault secure.configs.vault.token.role.id App Role id to be used to fetch token to access Vault secure.configs.vault.token.secret.id Secret id to be used to fetch token to access Vault secure.configs.vault.url Full URL of Vault endpoint
  15. 15. Secure/Hidden Configs Required policies for AppRole ● mount-transit-cloudstack ● transit-cloudstack CloudOps.com | 15 { "path": { "sys/mounts/transit/cloudstack/*": { "capabilities": ["read", "update"] } } } { "path": { "transit/cloudstack/*": { "capabilities": ["read","update"] } } }
  16. 16. What’s Next
  17. 17. Future Enhancements ● Generate dynamic database credential instead of fixed root:cloud and cloud:cloud ● Generate SSH key for SystemVMs instead of building and injecting locally ● Use One-Time SSH Passwords to connect to SystemVMs instead/alongside of random password ● ... CloudOps.com | 17
  18. 18. Khosrow Moossavi kmoossavi@cloudops.com @khos2ow Thank you

×