Secret Management with Hashicorp Vault and Consul on Kubernetes
Download as PPTX, PDF0 likes387 views
The document discusses secret management with Hashicorp Vault and Consul on Kubernetes. It begins with an overview of secret management and why it is important. It then discusses traditional insecure approaches to secret management versus modern secure approaches. Hashicorp Vault is introduced as a tool for modern secret management that provides encrypted secret storage, access control, auditing and more. Features of Vault like leasing, dynamic credentials, authentication methods and enterprise features are covered. The document concludes with demos of using Vault with legacy and new applications on Kubernetes.
Ad
More Related Content
What's hot (20)
Similar to Secret Management with Hashicorp Vault and Consul on Kubernetes (20)
Ad
More from An Nguyen (17)
Ad
Recently uploaded (20)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
![Get & Download Wondershare Filmora Crack Latest [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/revolutionizingresidentialwi-fi-250422112639-60fb726f-250429170801-59e1b240-thumbnail.jpg?width=560&fit=bounds)
Secret Management with Hashicorp Vault and Consul on Kubernetes
- 1. 1 Secret Management with Hashicorp Vault and Consul on Kubernetes
- 2. 2 Agenda What’s a secret? Secret management Hashicorp Vault Deployment topology Demo Q&A
- 3. 3 What is a secret? Anything is sensitive information • Database user, password • API keys • SSL keys • Encryption keys • Cloud credentials • Certificates • etc..
- 4. 4 Why secret management matters Moving fast of software development process and infrastructure Micro-services based architecture: service to service communication via tokens, API keys, certificates DevOps processes: multiple environments for development, testing, integration, and production Cloud native application and multi-cloud infrastructure: secrets for storage, compute, analytics, logging, etc..
- 5. 5 Traditional secret management (anti-patterns) Storing secrets: • Hard-coding • Clear text config files • SCM (git, svn) • Unencrypted file system (laptop, NFS) Distributed secrets: • Email • Slack • Shared folder
- 6. 6 Modern secret management Modern secret management properties: • Secrets are encrypted at rest • Centrally managed • Access control to secrets • Auditable • Scalable • Easy to integrate • High automation for creating, revoking, rotating secrets • Supported
- 7. 7 Hashicorp Vault Modern secret management application Secure secret storage (in-memory, Consul, file, and more) Programmatic application access (automated) Operator access (manual) Leasing, renewal, revocation Dynamic secrets Rich ALCs Multiple client authentication methods Auditing
- 8. 8 Vault Features Secure secret storage: • Data is encrypted in transit and at rest • TLS for clients • No HSM required • Support many storages: in-memory, Filesystem, Consul, DynamoDB, Etcd, MySQL, PostgreSQL, S3, Zookeeper, etc..
- 9. 9 Vault Features (cont.) Leasing, renewal, and revocation: • Every secret has a lease • Secrets are revoked at the end of the lease unless renewed • Secret may be revoked early by operators Auditing: • Pluggable audit backends • Request and response logging • Secrets hashed in audit log
- 10. 10 Vault Features (cont.) Dynamic credentials: • On-the-fly created credentials for each instance of an application or user • Usually short to medium TTL • Pluggable backends o Supported databases: MySQL, MariaDB, PostgreSQL, MSSQL, Oracle, MongoDB, Cassandra, Influxdb, etc... o Cloud: AWS, Google Cloud, Azure o SSH: one time password
- 11. 11 Vault Features (cont.) How does dynamic credential work?
- 12. 12 Vault Features (cont.) Support multiple auth backends • Token • LDAP • Username & password • AppRole • AWS • Google Cloud • Kubernetes • …
- 13. 13 Vault Features (cont.) Support multiple auth backends • Token • LDAP • Username & password • AppRole • AWS • Google Cloud • Kubernetes • …
- 14. 14 Vault Enterprise Features Feature Open source Pro Premium Control Groups X Multi-factor Authentication X Read Replicas (performance standby) X Disaster Recovery (DR replication) X X Replication (performance replication) X Replication Filters X Namespace X X Auto unseal (AWS, Google cloud, Azure) X X X
- 15. 15 Vault Enterprise Features (cont.) Performance standby node Handle GET requests of key/value secrets and other requests that do not change underlying storage
- 16. 16 Vault Enterprise Features (cont.) Disaster recovery replication (DR replication) Replicated content, consistent across Vault clusters • Secret configurations • Access control policies • Authentication methods • Audit configuration • Tokens • Leases
- 17. 17 Vault Enterprise Features (cont.) Performance replication Allowing Vault to scale relatively horizontally rather than vertically Secondaries keep track of their own tokens and leases If there is a request that modifiese underlying shared state, the secondary forwards the request to the primary to be handled; this is transparent to the client
- 18. 18 Vault Enterprise Features (cont.) Performance replication vs DR replication Capability DR Performance Mirrors the configuration of a primary cluster Yes Yes Mirrors the configuration of a primary cluster’s backends (i.e.: auth methods, secrets engines, audit devices, etc.) Yes Yes Mirrors the tokens and leases for applications and users interacting with the primary cluster Yes No Allows the secondary cluster to handle client requests No Yes
- 19. 19 Vault Enterprise Features (cont.)
- 20. 20 Understanding Seal and Unseal Seal state: • When a Vault server first boots • When a Vault server is started • Vault servers do not know how to decrypt data Unsealing is a process of constructing the master key (which is constructed by Shamir’s secret sharing algorithms) to read decryption key to decrypt data Unsealed state is remained until one of two thing below happens: • It is resealed via API • The server is restarted
- 21. 21 Deploy Vault on Kubernetes Consul cluster is to serve as the storage backend for Vault since it supports HA mode Only active pod replies to requests. Standby pods will redirect requests to the active one Leader election is done in storage backend Refer here for details
- 22. 22 Demo Scenario 1: Legacy applications that don’t run on Kubernetes Scenario 2: Legacy applications that run on Kubernetes Scenario 3: New applications that use static credentials Scenario 4: New applications that use dynamic credentials
- 23. 23 Scenario 1: Legacy applications that don’t run on k8s
- 24. 24 Scenario 1: Legacy applications that don’t run on k8s
- 25. 25 Scenario 1: Legacy applications that don’t run on k8s 1. Jenkins master triggers a new build 2. Jenkins slave pulls source code from SCM, does necessary steps to build software packages and push to Artifactory if needed 3. The slave authenticates to Vault and gets required secrets that need for deployment steps 4. Deployment server gets software packages from Jenkins master or Artifactory and secrets. Doing necessary steps to deploy application
- 26. 26 Scenario 2: Legacy applications that run on Kubernetes
- 27. 27 Scenario 3: New applications that use static credentials
- 28. 28 Scenario 4: New applications that use dynamic creds
- 29. 29 Q&A
Editor's Notes
- #8: Audit: who requested secrets for which system at what points of time
- #11: Dynamic passwords provide a bunch of benefits: - No need to write down, store, or share passwords - Enables very short lived passwords, less exposure if compromised - For distributed applications, every instance gets unique credentials - Constantly changing and expiring usernames/passwords are much harder to brute force - Automatic password rotation/expiration - Better audit trail
- #12: 1. Provide Vault credentials for an user that has permissions to create users or tokens in a remote system (e.g. database) 2. Configure Vault with setting on how to create credentials 3. Configure Vault with setting on how to invalid credentials in the remote system
- #15: https://www.hashicorp.com/products/vault/enterprise
- #17: https://www.vaultproject.io/docs/enterprise/replication/ https://learn.hashicorp.com/vault/day-one/ops-disaster-recovery
- #18: https://learn.hashicorp.com/vault/day-one/ops-replication
- #21: https://www.vaultproject.io/docs/concepts/seal.html
- #22: https://github.com/nthienan/vault-consul-k8s
- #25: AppRole is a secure introduction method to establish machine identity. In AppRole, in order for the application to get a token, it would need to login using a Role ID (which is static, and associated with a policy), and a Secret ID (which is dynamic, one time use, and can only be requested by a previously authenticated user/system.