
A way to share secrets in your pipeline - Hashidays 2018

On a hybrid platform (cloud and on-premise), Renault and D2SI built a simple and secure solution for centralized secret management using Vault.

In this talk, Julien explains how, in close collaboration with Mehdi and the team at D2SI, Renault implemented a way to consume secrets in the CI/CD chain, with different mechanisms to provide and share secrets in containers and pipelines.



  1. VAULT. HashiDays Amsterdam, June 25-27.
  2. PRESENTATION.
  3. RENAULT PRESENTATION. Renault and Nissan have been strategic partners since 1999, forming a one-of-a-kind alliance in the automotive world. Julien Arsonneau, DevOps Engineer.
  4. D2SI ACADEMY. Experiment, Theory, Social and Me. Mehdi Laruelle.
  5. CONTEXT.
  6. CONTEXT. Global solution for secrets. Security: AppRole, RADIUS, LDAP. Multi-environment: public cloud / private cloud. For pipelines: GitLab, Jenkins. Apps in containers: ECS, Swarm. DevOps secrets: onboarding / Terraform.
  7. ARCHITECTURE.
  8. ARCHITECTURE.
  9. PROJECT LIFE CYCLE. Four phases, shown as a navigation strip on the following slides: Provisioning, Tools update, Human update, Pipeline use.
  10. PROVISIONING: pipeline actors. Operator: RADIUS authentication; policy to create or update secrets. Orchestrator: token authentication; policy to create only Secret IDs for a specific project. Project: AppRole authentication (Role ID + Secret ID, returning a token); one policy per project environment (dev, prod).
  11. PROVISIONING: policies & Role ID. Project. Operator: 3. Adjust the policies & paths for the project's needs. Orchestrator: 5. Terraform plan & apply inside CI/CD.
  12. PROVISIONING: project policy for dev. Paths: /secret, /secret/projects, /secret/projects/coachdevops, /secret/projects/coachdevops/dev, /secret/projects/coachdevops/dev/keys, /secret/projects/coachdevops/dev/keys/*, /secret/projects/coachdevops/dev/db, /secret/projects/coachdevops/dev/db/adm, /secret/projects/coachdevops/dev/db/rw, /secret/projects/coachdevops/dev/db/r, /secret/projects/coachdevops/dev/idp.
  13. PROVISIONING. Terraform.tfvars, Variables.tf. Step 5: plan and apply the Terraform files in CI/CD.
  14. TOOLS UPDATE. Specific policy to create or update the AppRole. Call script. Tools.
  15. HUMAN UPDATE. UI. Product owner, DBA, storage admin, etc. RADIUS/LDAP.
  16. HUMAN UPDATE: demonstration. Paths: /secret, /secret/projects, /secret/projects/coachdevops, /secret/projects/coachdevops/dev, /secret/projects/coachdevops/dev/keys, /secret/projects/coachdevops/dev/keys/*, /secret/projects/coachdevops/dev/key, /secret/projects/coachdevops/dev/db, /secret/projects/coachdevops/dev/db/adm, /secret/projects/coachdevops/dev/db/rw, /secret/projects/coachdevops/dev/db/r, /secret/projects/coachdevops/dev/idp. By UI / by script.
  17. APP ROLE DEFINITION (Admin / App). 1. Create policy and role for apps. 2. Get Role ID. 3. Generate a new Secret ID. 4. Deliver Role ID. 5. Deliver Secret ID. 7. Return a token.
  18. TRANSITION. Wrap with Role ID + role name. Define variables on the CI tools.
  19. PIPELINE USE (getSecretID). Project team: 1. Launch job / pipeline. CI/CD pipeline: 2. Set role name. 3. Authenticate with orchestrator token. 4. Deliver wrap with Secret ID. 5. Get wrap. 6. Set Role ID, set Secret ID. 7. Authenticate with Role ID + Secret ID. 8. Deliver secrets.
  20. DELIVERY OF GETSECRETID. Cron job: Ops authenticate with Ops token or AppRole, generate orchestrator token.
  21. THANK YOU! HashiDays Amsterdam.
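The pipeline-use flow of slides 10, 17, 19 and 20 expressed with the Vault CLI, as an added example that is not code from the talk or from Renault/D2SI; the role and policy names, the KV v2 mount and the `password` key are assumptions.

```shell
#!/bin/sh
# Added example, not Renault/D2SI's code: the AppRole + response-wrapping flow
# of slides 10, 17, 19 and 20 with the Vault CLI. Assumed names: role
# "coachdevops-dev", policy "orchestrator-coachdevops-dev", KV v2 path
# secret/projects/coachdevops/dev/db/rw holding a "password" key.
set -eu
ROLE="coachdevops-dev"

# Operator (slide 10): the orchestrator token may only mint Secret IDs for this
# one role. It can read neither the Role ID nor any secret under /secret.
operator_issue_orchestrator_token() {
  vault policy write "orchestrator-${ROLE}" - >/dev/null <<EOF
path "auth/approle/role/${ROLE}/secret-id" { capabilities = ["update"] }
EOF
  # Short-lived, single-policy token regenerated by the ops cron job (slide 20).
  vault token create -field=token -policy="orchestrator-${ROLE}" -ttl=1h
}

# Orchestrator (slide 19, steps 3-4): generate a Secret ID but deliver it
# response-wrapped, so only a single-use wrapping token crosses the CI tool.
orchestrator_issue_wrapped_secret_id() {
  VAULT_TOKEN="$1" vault write -field=wrapping_token -wrap-ttl=2m -f \
    "auth/approle/role/${ROLE}/secret-id"
}

# Pipeline (slide 19, steps 5-8): unwrap exactly once, then log in with the
# Role ID kept as a CI variable (slide 18) plus the Secret ID; $1 = Role ID,
# $2 = wrapping token. Prints the project token.
pipeline_login() {
  secret_id="$(vault unwrap -field=secret_id "$2")"
  vault write -field=token auth/approle/login role_id="$1" secret_id="$secret_id"
}

# The project token only reaches paths allowed by the dev policy (slide 12).
pipeline_read_db_password() {
  VAULT_TOKEN="$1" vault kv get -field=password secret/projects/coachdevops/dev/db/rw
}

main() {
  orch_token="$(operator_issue_orchestrator_token)"
  # The admin reads the Role ID once and stores it in the CI tool's variables.
  role_id="$(vault read -field=role_id "auth/approle/role/${ROLE}/role-id")"
  wrap_token="$(orchestrator_issue_wrapped_secret_id "$orch_token")"
  app_token="$(pipeline_login "$role_id" "$wrap_token")"
  pipeline_read_db_password "$app_token"
}
# Run only on request, so a CI job can source the file and call one function.
if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

The wrapping token is valid for one unwrap within its TTL, so a second unwrap attempt failing is the signal that someone else consumed the Secret ID in transit.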
