Escrow:

How to share secrets

Kyle Rockman  -  @Rocktavious

Why

Today, I'm going to show you...

 

How we made sharing configuration and secrets easier

for everyone at our organization.

Who am I

Kyle Rockman

Infrastructure Team @ Under Armour Connected Fitness


Develop & Support Internal

PaaS systems for our Developers


Github, Twitter - @Rocktavious

Agenda

Under Armour Connected Fitness

Principles & Problems

High-level concepts of shareable, tiered key-values

Overview of our solution - Escrow

Usage/Examples

Under Armour Connected Fitness

Empower UA engineers to frictionlessly deliver excellent software experiences directly to our consumers.

  • Make the powerful simple.
  • Make teammates more effective.
  • Things will break; never let them break the same way twice.
  • Iteratively create the platform in the open.
  • Data is sacred - PTH.

Principles & Problems

The Problem ...

Empower any engineering team to manage their configuration data and share it with others easily!

Principles & Problems

  • Self-Service
  • Protection of configuration data
    but still foster sharing
  • ACL on configuration data
  • API first - Allows for integrations
  • Updating configuration data across multiple services
  • Integration with any platform - even future ones

Principles & Problems

Solutions?

  • Stored as a text file on some server
  • Configuration management tools (salt, chef, puppet)
  • Baked into the Container
  • Kubernetes configmaps/secrets
  • Escrow

Old-French: Escroe

a bond, deed, or other document kept in the custody of a third party, taking effect only when a specified condition has been fulfilled.

Escrow

Concepts

Chain - An ordered collection of links

Link - An individual piece of 'key=value' data that can be shared

Escrow Chains

Concepts

  • Foo=Bar
  • Baz=Zaz
  • Baz=Zab
  • Foo=Mars
  • Car=2

It's just variables!
(with a hierarchy)

=

  • Foo=Mars
  • Baz=Zab
  • Car=2

* Conflict resolution is
left -> right
rightmost link wins

---------------------------- Resulting Chain Data ----------------------------

Concepts

Break data down into little pieces to maximise reuse and shareability

Editing data of link A affects both Chain A & B

Concepts

Link:

Group: restricts edit-ableness

Private: restricts reusability for others not in the group

Chain:

Group: restricts who can add links and order them in a chain

Concepts

A

Infrastructure

B

UARun

User B

- edit link C

- see the data in link A

User A

- organize this chain

- edit 2 links

Concepts

Sharing a link could have unintended effects on other chains!!!

Solution: Key Values as an Artifact

Rendering a chain generates an immutable artifact of the rendered chain at that point in time
Future changes to the links of that chain will not affect it

But single place to change data makes updating easy

Concepts

Escrow Chains
becomes a tool to compose key value data

Escrow Artifacts
are an immutable chunk of data that can be reused anywhere

Concepts

Privacy Concerns

A user can only render a chain if they pass all privacy checks for every link in that chain

Rendering:

Concepts

A

Infrastructure

B

UARun

Only User A is allowed to create artifacts from this chain

Concepts

A

Infrastructure

B

UARun

If user A renders the chain and gives the artifact ID to user B; user B still cannot use the artifact

Once an Escrow Artifact is created from a rendered chain

The privacy checks still hold

->

Concepts

This ID is generated from the final contents of the key value data, the name of the chain, and a commit message when rendering

An Artifact is identified by an ID

2cf24dba5fb0a30e26e8
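
The chain, privacy and artifact rules from the slides above, combined in one Python sketch. This is an added example, not Escrow's own code: the `Link` class, the in-memory `ARTIFACTS` store, the sample links and the use of truncated SHA-256 for the ID are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    group: str      # group allowed to edit this link
    private: bool   # private: only members of `group` may reuse it
    data: dict      # the link's key=value pairs

# Constructed sample links; which key lives in which link is an assumption.
LINK_A = Link("A", "infrastructure", True, {"Foo": "Bar", "Baz": "Zaz"})
LINK_B = Link("B", "uarun", False, {"Baz": "Zab", "Foo": "Mars", "Car": "2"})
CHAIN = [LINK_A, LINK_B]
ARTIFACTS = {}      # artifact ID -> (link ACL, rendered data); stand-in for a datastore

def _check_privacy(acl, user_groups):
    blocked = sorted(name for name, group, private in acl
                     if private and group not in user_groups)
    if blocked:
        raise PermissionError(f"private links not visible to user: {blocked}")

def render_chain(chain_name, links, user_groups, message):
    acl = [(l.name, l.group, l.private) for l in links]
    _check_privacy(acl, user_groups)        # every link must pass, not just the winners
    rendered = {}
    for link in links:                      # left -> right, rightmost link wins
        for key, value in link.data.items():
            rendered[key] = {"source": link.name, "group": link.group,
                             "value": value, "private": link.private}
    # ID depends on the final contents, the chain name and the commit message.
    payload = json.dumps({"chain": chain_name, "message": message, "data": rendered},
                         sort_keys=True)
    artifact_id = hashlib.sha256(payload.encode()).hexdigest()[:20]
    ARTIFACTS[artifact_id] = (acl, rendered)
    return artifact_id

def read_artifact(artifact_id, user_groups, style="default"):
    acl, rendered = ARTIFACTS[artifact_id]
    _check_privacy(acl, user_groups)        # knowing the ID is not enough
    if style == "string":
        return "\n".join(f"{k}={e['value']}" for k, e in rendered.items())
    return {k: dict(e) for k, e in rendered.items()}
```
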

API Primer

/artifact/{ID}/rendered?style=default

{
    "FOO": {
        "source": "test",
        "group": "devs",
        "value": "1",
        "private": false
    },
    "BAR": {
        "source": "test2",
        "group": "admins",
        "value": "2",
        "private": true
    }
}

API Primer

/artifact/{ID}/rendered?style=string

FOO=1\nBAR=2

API Primer

Jenkinsfile Syntax

import groovy.json.JsonSlurper

// Fetch a rendered artifact and return it as a list of "KEY=value" strings.
@NonCPS
def get_escrow(escrow_id){
    // Credentials come from the Jenkins environment, not from the Jenkinsfile.
    String username = System.getenv("ADMIN_USERNAME")
    String password = System.getenv("ADMIN_PASSWORD")
    String basic = username + ":" + password
    String auth = basic.bytes.encodeBase64().toString()
    String location = "https://example.com/api/escrow/artifact/" + escrow_id + "/rendered/"
    def conn = location.toURL().openConnection()
    conn.setRequestProperty( "Accept", "application/json" )
    conn.setRequestProperty( "Authorization", "Basic ${auth}" )
    def output = []
    // Default style: each key maps to an object whose "value" field holds the data.
    new JsonSlurper().parseText(conn.content.text).each {
        output << it.key + "=" + it.value.value
    }
    return output
}

// Pipeline step: run body() with the artifact's key/values as environment variables.
def call(escrow_id, body) {
    withEnv(get_escrow(escrow_id)) {
        body()
    }
}

API Primer

  
node('docker'){
    withUACFEnv('b04196426111d0f182a8'){
        sh 'env'
    }
}

Jenkinsfile Syntax

Bootstrapping

  • JavaScript React + Redux frontend
  • Gunicorn + Django Rest Framework backend
  • Bring your own relational datastore
    • MySQL / Postgres / AWS RDS
  • Cache layer for transient output
    • Memcached / Redis / Elasticache

Questions

@Rocktavious

We are hoping to open source the tool in the coming months
https://github.com/underarmour/

https://slides.com/rocktavious/estate/
