SlideShare a Scribd company logo

Secrets management vault cncf meetup

J
Juraj Hantak

21 cncf https://www.vaultproject.io/

Internet
1 of 21
Download to read offline
Do’s and Don’ts | Peter Gasper | 16.6.2021 Secrets Management
Whoami Peter Gasper - security engineer - practicing DevOps at Deutsche Telekom Pan-Net - currently „Access & Encryption“ squad lead Slack: cncfsk - #Peter Gasper e-mail: peter@gasper.cc Blog: https://malgregator.com GitHub: https://github.com/viralpoetry
Agenda - Problems with secrets - HashiCorp Vault - Vault‘s journey in Pan-Net - Vault Open Source limitations - Conclusion
If you are maintaining applications, at some point you have to: - rebuild infrastructure - change password - share credentials - revoke access Sensitive data often used during deployment: - API keys - SSH credentials - passwords Problems with secrets
Secret is anything used for authentication, authorization or encryption: - Webserver (TLS cert, DB credentials, API keys) - FreeRADIUS (shared secret with the VPN HW) - Database (credentials – user/password) Common problems: - Sensitive credentials and keys are stored in code repository (GitLab, GitHub, …) - Sensitive credentials and keys are stored in plain text - Sensitive credentials and keys are shared in numerous places 5 Problems with secrets
Traditional approach – small teams: - PGP - git-crypt - ansible-vault Problems: - secrets are still committed to a version control repository - people leaving organization – access to keys/passwords can‘t be revoked – rotate all the secrets - basically, no lifecycle Problems with secrets
Problems with secrets Solution - infrastructure “password” manager Basic Requirements: - single source of truth - provides API interface - encryption - detailed auditing - ability to revoke access - multiple authentication methods - highly available 7 Existing solutions - Keywhiz by Square - Confidant by Lyft - Conjur by CyberArk - Vault by HashiCorp
We chose Hashicorp Vault - Golang binary - highly available key/value store - encryption – Shamir secret sharing scheme - easy prototyping (vault server -dev) Vault by HashiCorp
Vault by HashiCorp Storage backends – Raft, Consul, Etcd, FoundationDB Secrets Engines - Static - k/v store for any blob of data – passwords, API tokens etc. - Dynamic - Database credentials, SSH access, AWS, Google Cloud, etc. - Encryption - PKI certificate authority, Transit backend Auth Methods - machine oriented (TLS, JWT, Tokens) - user oriented (user/pass, LDAP, GitHub, OKTA, Kubernetes, Radius, ...) 9 VAULT IS FOR SECRETS
Vault by HashiCorp 10 Every succesful authentication backend results in a token. Every token has access rights based on defined policy. Secrets are accessed using tokens.
Vault by HashiCorp 11 Token: - has expiration (TTL) - can be renewed
Vault by HashiCorp - CLI usage 12
Vault by HashiCorp - Ansible roles You define Vault address, mount point, path & name of a secret, e.g. radius_vpn_secret. Roles can generate the passwords if it does not exist 13 - hosts: radius-vpn gather_facts: no become: yes vars: - vault_mount: ”secret” - vault_path: ”my_project” - vars_stored: - { var: ’ldap_bind_password’ , key: ‘password’ , password: yes } - { var: ’radius_vpn_secret’ , key: ‘password’ , password: yes , length: 12 } roles: - ansible-load-secrets - ansible-save-secrets - ansible-freeradius
2017 – MVP, basic workflow - Vault v0.6.5, single instance with filesystem backend, deployed with Ansible - Operation: exchange GPG keys, create policy, issue & deliver tokens - ansible-load-secrets, ansible-save-secrets roles Vault‘s journey in Pan-Net
2018 – resiliency, more automation - whole provisioning & deployment as a code - access policies provisioned from Gitlab repo - rolling updates & HA setup with Consul Vault‘s journey in Pan-Net
2019 – Self-Service Due to operation hell, we started designing self-service for the most common use case. You ask for a “safe“, then you can issue tokens for path and subpaths by yourself. Modus operandi: - logged-in person is mapped to an identity - “Safe“ is Vault identity group - group has policies - groups are added/removed to identities Vault‘s journey in Pan-Net
2021 – way more clusters - migrating to Raft integrated storage - Gitlab integration using JWT in the pipeline - multiple new clusters deployed using Helm charts Vault‘s journey in Pan-Net
Limitations of the open-source version when doing advanced topics: - georedundancy - shamir secret unsealing for the first Vault - no PKCS #11 support for unsealing nor PKI - audit backend settings are not propagated in HA Vault Open Source limitations
Conclusion If I would start again: - secrets management reflects organizational structure, start with authn/authz lifecycle - use dynamic secrets engines for new infra - use policy templates, identity groups, automate role provisioning - write less Ansible for a setup phase, used libraries like Python HVAC instead
THANKS FOR LISTENING.
Pictures used https://learn.hashicorp.com/img/vault-auth-basic-2.png https://learn.hashicorp.com/img/vault-autounseal-12.png https://easydrawingguides.com/wp-content/uploads/2020/12/Spilt-Milk-Step-10.png

Recommended

23 meetup rancher
23 meetup rancher23 meetup rancher
23 meetup rancherJuraj Hantak
 
16. Cncf meetup-docker
16. Cncf meetup-docker16. Cncf meetup-docker
16. Cncf meetup-dockerJuraj Hantak
 
Implementing Progressive Delivery with Your Team (by Leigh Capili)
Implementing Progressive Delivery with Your Team (by Leigh Capili)Implementing Progressive Delivery with Your Team (by Leigh Capili)
Implementing Progressive Delivery with Your Team (by Leigh Capili)Weaveworks
 
Cloud Native User Group: Prometheus Day 2
Cloud Native User Group: Prometheus Day 2Cloud Native User Group: Prometheus Day 2
Cloud Native User Group: Prometheus Day 2smalltown
 
How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git Weaveworks
 
Promise of DevOps
Promise of DevOpsPromise of DevOps
Promise of DevOpsJuraj Hantak
 
WKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWeaveworks
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 

Recommended

23 meetup rancher
23 meetup rancher23 meetup rancher
23 meetup rancherJuraj Hantak
 
16. Cncf meetup-docker
16. Cncf meetup-docker16. Cncf meetup-docker
16. Cncf meetup-dockerJuraj Hantak
 
Implementing Progressive Delivery with Your Team (by Leigh Capili)
Implementing Progressive Delivery with Your Team (by Leigh Capili)Implementing Progressive Delivery with Your Team (by Leigh Capili)
Implementing Progressive Delivery with Your Team (by Leigh Capili)Weaveworks
 
Cloud Native User Group: Prometheus Day 2
Cloud Native User Group: Prometheus Day 2Cloud Native User Group: Prometheus Day 2
Cloud Native User Group: Prometheus Day 2smalltown
 
How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git Weaveworks
 
Promise of DevOps
Promise of DevOpsPromise of DevOps
Promise of DevOpsJuraj Hantak
 
WKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWeaveworks
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 
利用K8S實現高可靠應用
利用K8S實現高可靠應用利用K8S實現高可靠應用
利用K8S實現高可靠應用inwin stack
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesAjeet Singh Raina
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Docker, Inc.
 
DockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for DevelopersDockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for DevelopersDocker, Inc.
 
Intro to creating kubernetes operators
Intro to creating kubernetes operators Intro to creating kubernetes operators
Intro to creating kubernetes operators Juraj Hantak
 
Kubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pfKubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pfJuraj Hantak
 
Criteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech TalkCriteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech TalkPierre Mavro
 
KubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to KubernetesKubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to KubernetesKubeAcademy
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securitySaiyam Pathak
 
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)inwin stack
 
KubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant KubernetesKubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant KubernetesKubeAcademy
 
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes ForwardKubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes ForwardKubeAcademy
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroKublr
 
Openshift presentation
Openshift presentationOpenshift presentation
Openshift presentationArmağan Ersöz
 
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLINGKUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLINGCodeOps Technologies LLP
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Kubernetes and OpenStack at Scale
Kubernetes and OpenStack at ScaleKubernetes and OpenStack at Scale
Kubernetes and OpenStack at ScaleStephen Gordon
 
CDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCCDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCsmalltown
 
Implementing an Automated Staging Environment
Implementing an Automated Staging EnvironmentImplementing an Automated Staging Environment
Implementing an Automated Staging EnvironmentDaniel Oliveira Filho
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSWeaveworks
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiRita Zhang
 

More Related Content

What's hot

利用K8S實現高可靠應用
利用K8S實現高可靠應用利用K8S實現高可靠應用
利用K8S實現高可靠應用inwin stack
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesAjeet Singh Raina
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Docker, Inc.
 
DockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for DevelopersDockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for DevelopersDocker, Inc.
 
Intro to creating kubernetes operators
Intro to creating kubernetes operators Intro to creating kubernetes operators
Intro to creating kubernetes operators Juraj Hantak
 
Kubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pfKubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pfJuraj Hantak
 
Criteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech TalkCriteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech TalkPierre Mavro
 
KubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to KubernetesKubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to KubernetesKubeAcademy
 
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)inwin stack
 
KubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant KubernetesKubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant KubernetesKubeAcademy
 
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes ForwardKubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes ForwardKubeAcademy
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroKublr
 
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLINGKUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLINGCodeOps Technologies LLP
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Kubernetes and OpenStack at Scale
Kubernetes and OpenStack at ScaleKubernetes and OpenStack at Scale
Kubernetes and OpenStack at ScaleStephen Gordon
 
CDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCCDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCsmalltown
 
Implementing an Automated Staging Environment
Implementing an Automated Staging EnvironmentImplementing an Automated Staging Environment
Implementing an Automated Staging EnvironmentDaniel Oliveira Filho
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSWeaveworks
 

What's hot (20)

利用K8S實現高可靠應用
利用K8S實現高可靠應用利用K8S實現高可靠應用
利用K8S實現高可靠應用
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best Practices
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements
 
DockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for DevelopersDockerCon EU 2015: Deploying and Managing Containers for Developers
DockerCon EU 2015: Deploying and Managing Containers for Developers
 
Intro to creating kubernetes operators
Intro to creating kubernetes operators Intro to creating kubernetes operators
Intro to creating kubernetes operators
 
Kubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pfKubernetes day 2_jozef_halgas_pf
Kubernetes day 2_jozef_halgas_pf
 
Criteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech TalkCriteo meetup - S.R.E Tech Talk
Criteo meetup - S.R.E Tech Talk
 
KubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to KubernetesKubeCon EU 2016: Heroku to Kubernetes
KubeCon EU 2016: Heroku to Kubernetes
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
 
KubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant KubernetesKubeCon EU 2016: Multi-Tenant Kubernetes
KubeCon EU 2016: Multi-Tenant Kubernetes
 
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes ForwardKubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with Velero
 
Openshift presentation
Openshift presentationOpenshift presentation
Openshift presentation
 
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLINGKUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Kubernetes and OpenStack at Scale
Kubernetes and OpenStack at ScaleKubernetes and OpenStack at Scale
Kubernetes and OpenStack at Scale
 
CDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaCCDK Meetup: Rule the World through IaC
CDK Meetup: Rule the World through IaC
 
Implementing an Automated Staging Environment
Implementing an Automated Staging EnvironmentImplementing an Automated Staging Environment
Implementing an Automated Staging Environment
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKS
 

Similar to Secrets management vault cncf meetup

Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiRita Zhang
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Securing Hadoop - MapR Technologies
Securing Hadoop - MapR TechnologiesSecuring Hadoop - MapR Technologies
Securing Hadoop - MapR TechnologiesMapR Technologies
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...PROIDEA
 
Cloud Data Encryption (Aluhut Edition) - 2019
Cloud Data Encryption (Aluhut Edition) - 2019Cloud Data Encryption (Aluhut Edition) - 2019
Cloud Data Encryption (Aluhut Edition) - 2019Matthias Grawinkel
 
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...Ovadiah Myrgorod
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
BigData Security - A Point of View
BigData Security - A Point of ViewBigData Security - A Point of View
BigData Security - A Point of ViewKaran Alang
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 

Similar to Secrets management vault cncf meetup (20)

Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csi
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Securing Hadoop - MapR Technologies
Securing Hadoop - MapR TechnologiesSecuring Hadoop - MapR Technologies
Securing Hadoop - MapR Technologies
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...
 
Cloud Data Encryption (Aluhut Edition) - 2019
Cloud Data Encryption (Aluhut Edition) - 2019Cloud Data Encryption (Aluhut Edition) - 2019
Cloud Data Encryption (Aluhut Edition) - 2019
 
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...
Create a Varnish cluster in Kubernetes for Drupal caching - DrupalCon North A...
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
BigData Security - A Point of View
BigData Security - A Point of ViewBigData Security - A Point of View
BigData Security - A Point of View
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 

More from Juraj Hantak

Kubernetes day 2 @ zse energia
Kubernetes day 2 @ zse energiaKubernetes day 2 @ zse energia
Kubernetes day 2 @ zse energiaJuraj Hantak
 
Dev ops culture_final
Dev ops culture_finalDev ops culture_final
Dev ops culture_finalJuraj Hantak
 
Integracia security do ci cd pipelines
Integracia security do ci cd pipelinesIntegracia security do ci cd pipelines
Integracia security do ci cd pipelinesJuraj Hantak
 
Introductiontohelmcharts2021
Introductiontohelmcharts2021Introductiontohelmcharts2021
Introductiontohelmcharts2021Juraj Hantak
 
19. stretnutie komunity kubernetes
19. stretnutie komunity kubernetes19. stretnutie komunity kubernetes
19. stretnutie komunity kubernetesJuraj Hantak
 
16. meetup sietovy model v kubernetes
16. meetup sietovy model v kubernetes16. meetup sietovy model v kubernetes
16. meetup sietovy model v kubernetesJuraj Hantak
 
Terraform a gitlab ci
Terraform a gitlab ciTerraform a gitlab ci
Terraform a gitlab ciJuraj Hantak
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scaleJuraj Hantak
 
Kubernetes monitoring using prometheus stack
Kubernetes monitoring using prometheus stackKubernetes monitoring using prometheus stack
Kubernetes monitoring using prometheus stackJuraj Hantak
 
12.cncfsk meetup observability and analysis
12.cncfsk meetup observability and analysis12.cncfsk meetup observability and analysis
12.cncfsk meetup observability and analysisJuraj Hantak
 
Nginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkNginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkJuraj Hantak
 
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfskJuraj Hantak
 
10.cncfsk en-story
10.cncfsk en-story10.cncfsk en-story
10.cncfsk en-storyJuraj Hantak
 
Ingress controller present, past and future
Ingress controller present, past and futureIngress controller present, past and future
Ingress controller present, past and futureJuraj Hantak
 
Cncf meetup-service-mesh-sk
Cncf meetup-service-mesh-skCncf meetup-service-mesh-sk
Cncf meetup-service-mesh-skJuraj Hantak
 
Kubernetes ingress-pixelfederation
Kubernetes ingress-pixelfederationKubernetes ingress-pixelfederation
Kubernetes ingress-pixelfederationJuraj Hantak
 

More from Juraj Hantak (20)

Kubernetes day 2 @ zse energia
Kubernetes day 2 @ zse energiaKubernetes day 2 @ zse energia
Kubernetes day 2 @ zse energia
 
Dev ops culture_final
Dev ops culture_finalDev ops culture_final
Dev ops culture_final
 
Integracia security do ci cd pipelines
Integracia security do ci cd pipelinesIntegracia security do ci cd pipelines
Integracia security do ci cd pipelines
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Introductiontohelmcharts2021
Introductiontohelmcharts2021Introductiontohelmcharts2021
Introductiontohelmcharts2021
 
19. stretnutie komunity kubernetes
19. stretnutie komunity kubernetes19. stretnutie komunity kubernetes
19. stretnutie komunity kubernetes
 
16. meetup sietovy model v kubernetes
16. meetup sietovy model v kubernetes16. meetup sietovy model v kubernetes
16. meetup sietovy model v kubernetes
 
16.meetup uvod
16.meetup uvod16.meetup uvod
16.meetup uvod
 
14. meetup
14. meetup14. meetup
14. meetup
 
Terraform a gitlab ci
Terraform a gitlab ciTerraform a gitlab ci
Terraform a gitlab ci
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scale
 
Kubernetes monitoring using prometheus stack
Kubernetes monitoring using prometheus stackKubernetes monitoring using prometheus stack
Kubernetes monitoring using prometheus stack
 
12.cncfsk meetup observability and analysis
12.cncfsk meetup observability and analysis12.cncfsk meetup observability and analysis
12.cncfsk meetup observability and analysis
 
Grafana 7.0
Grafana 7.0Grafana 7.0
Grafana 7.0
 
Nginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkNginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lk
 
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk
10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk
 
10.cncfsk en-story
10.cncfsk en-story10.cncfsk en-story
10.cncfsk en-story
 
Ingress controller present, past and future
Ingress controller present, past and futureIngress controller present, past and future
Ingress controller present, past and future
 
Cncf meetup-service-mesh-sk
Cncf meetup-service-mesh-skCncf meetup-service-mesh-sk
Cncf meetup-service-mesh-sk
 
Kubernetes ingress-pixelfederation
Kubernetes ingress-pixelfederationKubernetes ingress-pixelfederation
Kubernetes ingress-pixelfederation
 

Recently uploaded

Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 

Recently uploaded (20)

Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 

Secrets management vault cncf meetup

  • 1. Do’s and Don’ts | Peter Gasper | 16.6.2021 Secrets Management
  • 2. Whoami Peter Gasper - security engineer - practicing DevOps at Deutsche Telekom Pan-Net - currently „Access & Encryption“ squad lead Slack: cncfsk - #Peter Gasper e-mail: peter@gasper.cc Blog: https://malgregator.com GitHub: https://github.com/viralpoetry
  • 3. Agenda - Problems with secrets - HashiCorp Vault - Vault‘s journey in Pan-Net - Vault Open Source limitations - Conclusion
  • 4. If you are maintaining applications, at some point you have to: - rebuild infrastructure - change password - share credentials - revoke access Sensitive data often used during deployment: - API keys - SSH credentials - passwords Problems with secrets
  • 5. Secret is anything used for authentication, authorization or encryption: - Webserver (TLS cert, DB credentials, API keys) - FreeRADIUS (shared secret with the VPN HW) - Database (credentials – user/password) Common problems: - Sensitive credentials and keys are stored in code repository (GitLab, GitHub, …) - Sensitive credentials and keys are stored in plain text - Sensitive credentials and keys are shared in numerous places 5 Problems with secrets
  • 6. Traditional approach – small teams: - PGP - git-crypt - ansible-vault Problems: - secrets are still committed to a version control repository - people leaving organization – access to keys/passwords can‘t be revoked – rotate all the secrets - basically, no lifecycle Problems with secrets
  • 7. Problems with secrets Solution - infrastructure “password” manager Basic Requirements: - single source of truth - provides API interface - encryption - detailed auditing - ability to revoke access - multiple authentication methods - highly available 7 Existing solutions - Keywhiz by Square - Confidant by Lyft - Conjur by CyberArk - Vault by HashiCorp
  • 8. We chose Hashicorp Vault - Golang binary - highly available key/value store - encryption – Shamir secret sharing scheme - easy prototyping (vault server -dev) Vault by HashiCorp
  • 9. Vault by HashiCorp Storage backends – Raft, Consul, Etcd, FoundationDB Secrets Engines - Static - k/v store for any blob of data – passwords, API tokens etc. - Dynamic - Database credentials, SSH access, AWS, Google Cloud, etc. - Encryption - PKI certificate authority, Transit backend Auth Methods - machine oriented (TLS, JWT, Tokens) - user oriented (user/pass, LDAP, GitHub, OKTA, Kubernetes, Radius, ...) 9 VAULT IS FOR SECRETS
  • 10. Vault by HashiCorp 10 Every succesful authentication backend results in a token. Every token has access rights based on defined policy. Secrets are accessed using tokens.
  • 11. Vault by HashiCorp 11 Token: - has expiration (TTL) - can be renewed
  • 12. Vault by HashiCorp - CLI usage 12
  • 13. Vault by HashiCorp - Ansible roles You define Vault address, mount point, path & name of a secret, e.g. radius_vpn_secret. Roles can generate the passwords if it does not exist 13 - hosts: radius-vpn gather_facts: no become: yes vars: - vault_mount: ”secret” - vault_path: ”my_project” - vars_stored: - { var: ’ldap_bind_password’ , key: ‘password’ , password: yes } - { var: ’radius_vpn_secret’ , key: ‘password’ , password: yes , length: 12 } roles: - ansible-load-secrets - ansible-save-secrets - ansible-freeradius
  • 14. 2017 – MVP, basic workflow - Vault v0.6.5, single instance with filesystem backend, deployed with Ansible - Operation: exchange GPG keys, create policy, issue & deliver tokens - ansible-load-secrets, ansible-save-secrets roles Vault‘s journey in Pan-Net
  • 15. 2018 – resiliency, more automation - whole provisioning & deployment as a code - access policies provisioned from Gitlab repo - rolling updates & HA setup with Consul Vault‘s journey in Pan-Net
  • 16. 2019 – Self-Service Due to operation hell, we started designing self-service for the most common use case. You ask for a “safe“, then you can issue tokens for path and subpaths by yourself. Modus operandi: - logged-in person is mapped to an identity - “Safe“ is Vault identity group - group has policies - groups are added/removed to identities Vault‘s journey in Pan-Net
  • 17. 2021 – way more clusters - migrating to Raft integrated storage - Gitlab integration using JWT in the pipeline - multiple new clusters deployed using Helm charts Vault‘s journey in Pan-Net
  • 18. Limitations of the open-source version when doing advanced topics: - georedundancy - shamir secret unsealing for the first Vault - no PKCS #11 support for unsealing nor PKI - audit backend settings are not propagated in HA Vault Open Source limitations
  • 19. Conclusion If I would start again: - secrets management reflects organizational structure, start with authn/authz lifecycle - use dynamic secrets engines for new infra - use policy templates, identity groups, automate role provisioning - write less Ansible for a setup phase, used libraries like Python HVAC instead