The document contains an agenda for a Kubernautes II meetup in Vienna on October 18th, 2019. The agenda includes presentations about ME2Digital, Azure Kubernetes Service (AKS), Hashicorp Vault, and how the presenter's company uses Vault and Consul. The document also provides background information on ME2Digital, AKS, the history of Hashicorp, and how Vault works.

1. Kubernautes II
Kubernautes II Meetup Vienna
18.10.2019 1

2. Agenda
• About ME2D
• What’s AKS
• Accelerate containerized application development
• History of Hashicorp
• Hashicorp Vault
• Hashicorp Vault architecture
• Hashicorp Vault Seal
• Hashicorp Vault Setup
• Policy-Authorization Workflow
• How we use Vault and Consul
18.10.2019 2

3. About ME2Digital
• Aleksandar Lazic since ~20 years in IT
• Since 2003 active in haproxy community
• Since 2006 active in nginx community => nginxpert
• Since ??? in curl active community
• Since 2015 in openshift community
• Stay always curious
• I like what I do and I do it with passion ;-)
• I founded ME2Digital in 2017
18.10.2019 3

4. What’s Azure AKS
• Azure Kubernetes Service
• Launched Oct. 24th 2017
• Precursor was ACS (Azure container service)
• More or less Vanilla Kubernetes
●
HA Masters
●
Nodes are Azure VM Machines
●
“harden OS”
• Registry own Product ACR (Azure container registry)
• AKS SLA 99,5% “strive to attain”
18.10.2019 4

6. History of Hashicorp
• Hashicorp founded 2012 by Mitchell Hashimoto and Armon
Dadgar
• Some Products
●
Vagrant => Virtualization tool
●
Packer => Image creation tool
●
Terraform => Provisionig tool
●
Consul => DNS and Key Value Server
●
Vault => Secrets Management Server
18.10.2019 6

7. Hashicorp Vault
• First release Apr. 28th 2015
●
https://www.hashicorp.com/blog/vault-announcement/
• Features
●
Secrets Management (dynamic and static)
●
Automatic TTL handling
●
ACL’s and Auditing
●
Multiple authentication methods
●
Different versions available: OSS and Enterprise
●
API Driven
18.10.2019 7

9. Hashicorp Vault Seal
https://www.vaultproject.io/docs/concepts/seal.html
• Sealed by default
●
When a Vault server is started, it starts in a sealed state. In this
state, Vault is configured to know where and how to access the
physical storage, but doesn't know how to decrypt any of it.
●
Shamir's secret sharing algorithm
●
https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
●
Fist step is always to unseal the encrypted store
●
Manual unseal
●
https://www.vaultproject.io/docs/commands/operator/unseal.html
●
Auto unseal
●
https://www.vaultproject.io/docs/configuration/seal/azurekeyvault.html
18.10.2019 9

10. Hashicorp Vault Setup
• Configuration via HCL (HashiCorp configuration language)
• Secrets engines https://www.vaultproject.io/docs/secrets/index.html
●
Key / Value
●
PKI
• Different Backends
●
For example Consul which is a HA one
●
Overview of backends
https://www.vaultproject.io/docs/configuration/storage/index.html
• Setup Policies https://www.vaultproject.io/docs/concepts/policies.html
18.10.2019 10

11. Policy-Authorization Workflow
18.10.2019 11

12. How we use Vault and Consul
• Save users password in vault
• Restrict access for applications
• Get database access from vault
• In combination with consul-template get app server access
token
• Create HAProxy configuration from consul services
18.10.2019 12

13. Contact Information's
• LinkedIn: https://www.linkedin.com/in/me2digital/
• SlideShare: https://www.slideshare.net/AleksandarLazic4
• Docker Hub: https://hub.docker.com/u/me2digital/
• GitHub: https://github.com/git001
• Twitter: @ME2Digital
• HP: www.me2digital.com
• E-Mail: office@me2digital.com
• Slack: aleks-me2digital
18.10.2019 13