15. Pods: groups of containers that share an IP and filesystem
Replica Sets: control the number of pods
Services: access to pods
17. Why Vault?
● How do Applications get Secrets?
● How do Operators and Developers get Secrets?
● How do secrets get Renewed? Updated? Expired? Revoked?
● How do we block access to secrets?
19. Vault provides
● Single Source for Secrets
● Access via API
● Access via CLI
● Leasing, renewal and revocation
● Auditing
● ACLs
● Multiple client authentication methods
● Secure Secret Storage
40. MongoDB Example
● RC with 2 containers
○ MongoDB container: vanilla mongo started with the AUTH and SSL flags
○ Vault-sidekick container: in charge of fetching and renewing the SSL certs
41. Application pod
1. A container runs your application.
2. A container fetches your secrets from Vault.
44. This is what you should do
1. Create a policy for your app
2. Create a Kubernetes namespace for your app
3. Create a Kubernetes secret with your Vault token
4. Add your secrets to Vault
5. Pod starts
a. Secrets are mounted
b. Pod reads vault token
c. Pod accesses Vault to get secrets
d. Pod is ready
THEORY
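The pod side of the procedure above (step 5: read the mounted Vault token, then fetch secrets over the API) and the "a container fetches your secrets from Vault" role from the MongoDB slide, as an added worked example that is not part of the original slides. It runs against a tiny in-process stand-in for Vault's KV API so it works offline; the mount path, the policy prefix `secret/myapp/*`, the token value and the stored secrets are all constructed assumptions, not values from the talk. The stand-in also enforces the ACL the app policy implies, so the example shows both a permitted read and the "permission denied" a pod gets when it reaches outside its policy or presents a wrong token.

```python
"""Added example (not from the original slides): the pod-side half of
the Vault + Kubernetes flow, run against an in-process stand-in for Vault.

Assumptions (hypothetical, not from the slides):
  * the Kubernetes Secret holding the Vault token is mounted as a file
    (here a temp file stands in for the volume mount);
  * secrets live in a KV v1 engine under secret/<app>/...;
  * the app policy grants read only on secret/myapp/*.
"""
import json
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# --- constructed stand-in for Vault ---------------------------------
APP_TOKEN = "s.constructed-app-token"        # what the K8s Secret would hold
POLICY_PREFIX = "secret/myapp/"              # path the app policy allows
KV_STORE = {                                 # constructed sample secrets
    "secret/myapp/mongo": {"user": "app", "password": "constructed-pw"},
    "secret/other/mongo": {"user": "root", "password": "constructed-root"},
}


class FakeVault(BaseHTTPRequestHandler):
    """Minimal subset of Vault's HTTP API: GET /v1/<path> with X-Vault-Token."""

    def do_GET(self):
        path = self.path[len("/v1/"):] if self.path.startswith("/v1/") else self.path
        token = self.headers.get("X-Vault-Token")
        if token != APP_TOKEN:                     # unknown token
            return self._send(403, {"errors": ["permission denied"]})
        if not path.startswith(POLICY_PREFIX):     # ACL check the policy implies
            return self._send(403, {"errors": ["permission denied"]})
        if path not in KV_STORE:
            return self._send(404, {"errors": []})
        self._send(200, {"data": KV_STORE[path], "lease_duration": 2764800})

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_vault():
    """Serve the stand-in on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# --- pod side: steps 5b and 5c of the slide -------------------------
def read_mounted_token(token_path):
    """5b: read the Vault token that Kubernetes mounted from the Secret."""
    with open(token_path, encoding="utf-8") as fh:
        return fh.read().strip()


def fetch_secret(vault_addr, token, path):
    """5c: GET the KV secret; returns (http_status, data_or_errors)."""
    req = request.Request(f"{vault_addr}/v1/{path}",
                          headers={"X-Vault-Token": token})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)["data"]
    except error.HTTPError as e:       # Vault reports 403/404 as JSON "errors"
        return e.code, json.load(e)["errors"]


def demo():
    """Run the three cases: allowed read, read outside the policy, wrong token."""
    srv, addr = start_fake_vault()
    try:
        with tempfile.TemporaryDirectory() as d:
            token_path = os.path.join(d, "token")
            with open(token_path, "w", encoding="utf-8") as fh:
                fh.write(APP_TOKEN + "\n")   # what the volume mount provides
            token = read_mounted_token(token_path)
            allowed = fetch_secret(addr, token, "secret/myapp/mongo")
            denied = fetch_secret(addr, token, "secret/other/mongo")
            bad_token = fetch_secret(addr, "s.wrong", "secret/myapp/mongo")
    finally:
        srv.shutdown()
    return allowed, denied, bad_token


if __name__ == "__main__":
    for label, result in zip(("allowed", "denied", "bad token"), demo()):
        print(label, result)
```

Against a real Vault the only changes are the address, the real mount path of the token file and dropping the stand-in; the request shape (`GET /v1/<path>` with the `X-Vault-Token` header) and the 403 on a path the policy does not grant are what Vault itself returns, which is why the token the pod receives should carry a policy scoped to that app's paths only.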
46. We can only see a short distance ahead, but we
can see plenty that needs to be done.
- Alan Turing
47. Lessons Learned
● Vault is young… not ready for full automation
● Deploys
○ Separating secrets and apps is great
○ Make sure your deploy process accounts for Vault
● Backends: consul, dynamo, etcd, s3...
○ what happens if you lose Vault?
○ latency/partitions
● Managing SSL is great but…
○ Be careful with root CAs