consul & vault

life cycle of

configs and secrets

consul.io

kv storage

service discovery
acl

health checking

3-5 servers per DC

agent on each node for service/node health checking

Raft consensus algorithm for consistency

multi DC ready

acl_default_policy

allow, deny

acl_datacenter

only one DC is authoritative for ACL information

use acl_down_policy on outage

acl_down_policy

extend-cache, allow, deny

default (extend-cache) is to ignore cache TTLs for any previously resolved tokens and to deny any uncached tokens

config mgmt tools

git2consul

fsconsul

{
  "version": "1.0",
  "repos" : [{
    "name" : "var-server",
    "mountpoint": "company",
    "url" : "git@bitbucket.org:company/var-server.git",
    "branches" : ["master"],
    "hooks": [{
      "type" : "polling",
      "interval" : "1"
    }]
  }]
}

git2consul – populate consul

{
    "consul" : {
        "addr": "127.0.0.1:8500",
        "dc": "dc1",
        "token" : "my-reader-token"
    },
    "mappings" : [{
        "onchange": "service restart app1",
        "prefix": "/myteam/dev/app1/config/",
        "path": "/etc/app1/",
        "keystore": "/var/lib/encryption_keys"
    },{
        "onchange": "service restart app2",
        "prefix": "/myteam/dev/app2/config/",
        "path": "/etc/app2/",
        "keystore": "/var/app2/encryption_keys"
    }]
}

fsconsul – propagate to clients

vaultproject.io

secret backends

auth backends

audit backends

vault is encrypted with master key

Shamir's Secret Sharing – (k,n) threshold scheme

anyone with root key can seal storage, k participants needed to unseal

optional PGP Encryption for Unseal Keys

lease, renew, and revoke

lease for every secret and token: ttl, renewability

quickly revoke whole tree on intrusion

$ vault revoke -prefix aws/

Secret Backends

Secret backends are the components in Vault which store and generate secrets

generic, aws, consul, cubbyhole, ssh

generic

# Policy

path "sys/*" {
  policy = "deny"
}

path "secret/*" {
  policy = "write"
}

path "secret/super-secret" {
  policy = "deny"
}


$ vault write secret/password value=itsasecret

$ vault read secret/password
Key             Value
lease_id        secret/password/76c844fb-aeba-a766-0a50-2b907072233a
lease_duration  2592000
value           itsasecret

ssh + helper

$ vault write ssh/roles/otp_key_role \
    key_type=otp \
    default_user=username \
    cidr_list=x.x.x.x/y,m.m.m.m/n
Success! Data written to: ssh/roles/otp_key_role

$ vault write ssh/creds/otp_key_role ip=x.x.x.x
Key             Value
lease_id        ssh/creds/otp_key_role/73bbf513-9606-4bec-816c-5a2f009765a5
lease_duration  600
lease_renewable false
port            22
username        username
ip              x.x.x.x
key             2f7e25a2-24c9-4b7b-0d35-27d5e5203a5c
key_type        otp

$ vault ssh -role otp_key_role username@x.x.x.x
OTP for the session is `b4d47e1b-4879-5f4e-ce5c-7988d7986f37`
[Note: Install `sshpass` to automate typing in OTP]
Password: <Enter OTP>
