Kyle Rockman
Lead Infrastructure Engineer OpsLevel.com
Today, I'm going to show you...
Infrastructure Team @ Under Armour Connected Fitness
Develop & support internal PaaS systems for all of you
Principles & Problems
Overview of the Solution
Live Demo
Recap / Conclusion / Questions
The Problem...
Single source of secrets storage
ACLs
Ability to dynamically provision secrets for things
UI & Programmatic access
Audit-ability
Latin: Volvere
to roll;
a large room or chamber used for storage, especially an underground one.
- Everything in vault is a PATH
- Key/Value data exists at a PATH
- Policies apply capabilities (permissions) to a PATH
path "secret/fs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "database/fs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
...
vault write sys/policy/fs policy=@./policy.hcl
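To make the "policies apply capabilities to a PATH" idea concrete, here is an added example (not code from the talk or from Vault) that parses the two-rule policy above plus one constructed exact-path rule and answers "can a token holding this policy do X on path Y?". It models only what the slides show: a trailing "*" glob, the most specific matching rule winning, and deny-by-default when nothing matches. Real Vault policies also have "+" segment wildcards, deny capabilities and parameter constraints, which this simplified model leaves out.

```python
"""Simplified model of Vault path policies (added example, not Vault's own code).

Models the trailing-"*" glob, longest-match precedence and deny-by-default.
"""
import re

# The two rules from the fs policy on the slides plus one constructed
# read-only rule on an exact path, to show that a non-matching path is denied.
POLICY_HCL = '''
path "secret/fs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "database/fs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/shared/readme" {
  capabilities = ["read"]
}
'''

RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl):
    """Return a list of (path_pattern, set_of_capabilities) in declaration order."""
    rules = []
    for path, caps in RULE_RE.findall(hcl):
        capset = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        rules.append((path, capset))
    return rules


def rule_matches(pattern, path):
    """A trailing '*' is a prefix glob; anything else must match exactly."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def capabilities_for(rules, path):
    """Most specific (longest) matching pattern wins; no match means no capabilities."""
    matches = [(pat, caps) for pat, caps in rules if rule_matches(pat, path)]
    if not matches:
        return set()
    return max(matches, key=lambda m: len(m[0]))[1]


def allowed(rules, path, capability):
    """Deny-by-default check used by the demo below."""
    return capability in capabilities_for(rules, path)


if __name__ == "__main__":
    rules = parse_policy(POLICY_HCL)
    for p, c in [
        ("secret/fs/app1/db", "read"),           # glob match -> allowed
        ("secret/infra/service/prod", "read"),   # no rule -> denied
        ("secret/shared/readme", "update"),      # exact rule, read only -> denied
    ]:
        print(f"{c:6} {p:28} -> {allowed(rules, p, c)}")
```

The useful habit this shows is writing the policy first and then enumerating the paths a workload actually touches: anything outside `secret/fs/*` and `database/fs/*` is denied even though the policy never says so explicitly.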
LDAP (Username + Password)
Kubernetes (Service Account)
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: challenges
  namespace: run-prod
spec:
  template:
    spec:
      ...
      containers:
        ...
          command:
            - "/vault/bin/shim.sh"
            - "/uacf/src/python/httpserver/httpserver.sh"
          volumeMounts:
            - name: secrets-config
              mountPath: /vault/secrets
            - name: vault-tools
              mountPath: /vault/bin
      volumes:
        - name: secrets-config
          configMap:
            name: challenges
        - name: vault-tools
          configMap:
            name: vault-shim
            defaultMode: 0755
apiVersion: v1
kind: ConfigMap
metadata:
  name: challenges
  namespace: run-prod
data:
  config.hcl: |
    secret {
      no_prefix = true
      path = "secret/infra/service/prod"
    }
    secret {
      no_prefix = true
      path = "aws/run/creds/route-53"
      format = "AWS_{{ key }}"
    }
# decode_jwt N TOKEN prints the N-th base64url segment of a JWT, decoded
# (2 = payload). It is defined elsewhere in the shim and not shown on the slides.
function generate_post_data()
{
  cat <<EOF
{"jwt": "$KUBE_TOKEN", "role": "$KUBE_SERVICEACCOUNT_NAME"}
EOF
}
export VAULT_ADDR=https://vault.uacf.io:443
# The pod's service-account token is the JWT presented to Vault's Kubernetes auth method
export KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
# The Vault role name is the service-account name taken from the token payload
export KUBE_SERVICEACCOUNT_NAME=$(decode_jwt 2 "$KUBE_TOKEN" | jq -r '."kubernetes.io/serviceaccount/service-account.name"')
# Log in against the cluster-specific auth mount and keep the client token Vault hands back
export VAULT_RESPONSE=$(curl -s -X POST -d "$(generate_post_data)" "${VAULT_ADDR}/v1/auth/k8s/us/green/login")
export VAULT_TOKEN=$(echo "$VAULT_RESPONSE" | jq -r '.auth.client_token')
# envconsul reads the secrets listed in config.hcl into the environment, then runs the real command
envconsul -config="/vault/secrets/config.hcl" -sanitize -upcase "$@"
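The ConfigMap and shim above are easier to reason about when the whole flow runs offline, so here is an added example (not the shim from the talk, nor Under Armour or HashiCorp code) that walks it end to end: pull the service-account name out of the pod JWT payload the way `decode_jwt 2 … | jq` does, build the login body, read `client_token` from Vault's reply, and render the two `secret` stanzas of config.hcl into environment variables as `envconsul -sanitize -upcase` would. The token, Vault reply and secret values are constructed sample data; the prefixing rule for `no_prefix = false` and the `{{ key }}` formatting are a simplified model of envconsul's behaviour, not its source.

```python
"""Offline walk-through of the Vault Kubernetes-auth shim flow (added example).

Sample token, Vault reply and secret data below are constructed, not real.
"""
import base64
import json
import re


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_segment(index, token):
    """Counterpart of the shim's decode_jwt helper: 1 = header, 2 = payload.
    The payload is read without signature verification, exactly as the shim
    does; Vault verifies the token against the cluster during login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[index - 1]))


def make_sample_token(payload):
    """Constructed, unsigned token for offline use (signature part is a dummy)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2lnbmF0dXJl"])


def login_body(token):
    """Body the shim POSTs to ${VAULT_ADDR}/v1/auth/k8s/us/green/login."""
    name = decode_jwt_segment(2, token)["kubernetes.io/serviceaccount/service-account.name"]
    return {"jwt": token, "role": name}


def client_token(vault_response):
    """Equivalent of: echo "$VAULT_RESPONSE" | jq -r '.auth.client_token'."""
    return json.loads(vault_response)["auth"]["client_token"]


def render_env(config_blocks, secrets):
    """Model of envconsul -sanitize -upcase applied to config.hcl's secret stanzas."""
    env = {}
    for block in config_blocks:
        for key, value in secrets[block["path"]].items():
            name = block.get("format", "{{ key }}").replace("{{ key }}", key)
            if not block.get("no_prefix"):
                # Assumed simplification: without no_prefix the path is prepended.
                name = block["path"] + "/" + name
            name = re.sub(r"[^A-Za-z0-9_]", "_", name)  # -sanitize
            env[name.upper()] = value                    # -upcase
    return env


# The two stanzas from the ConfigMap's config.hcl, as Python dicts.
CONFIG = [
    {"path": "secret/infra/service/prod", "no_prefix": True},
    {"path": "aws/run/creds/route-53", "no_prefix": True, "format": "AWS_{{ key }}"},
]
# Constructed stand-ins for what Vault would return at each path.
SECRETS = {
    "secret/infra/service/prod": {"db-host": "db.internal", "log_level": "info"},
    "aws/run/creds/route-53": {"access_key": "AKIA_EXAMPLE_KEY", "secret_key": "example-secret"},
}

if __name__ == "__main__":
    token = make_sample_token({
        "kubernetes.io/serviceaccount/service-account.name": "challenges",
        "kubernetes.io/serviceaccount/namespace": "run-prod",
    })
    body = login_body(token)
    # Constructed reply in the shape of Vault's auth response.
    reply = json.dumps({"auth": {"client_token": "s.EXAMPLE", "policies": ["default", "challenges"]}})
    print("role:", body["role"], "token:", client_token(reply))
    for k, v in render_env(CONFIG, SECRETS).items():
        print(f"{k}={v}")
```

Two things fall out of running it: the role name is whatever the service account is called, so role-to-policy binding in Vault is what actually scopes a pod's access; and `format = "AWS_{{ key }}"` is what turns the dynamic AWS credential keys into the `AWS_*` names the application expects.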
Here's the Magic!!!
Key = Value - V1
Key = Value - V2 (versioned)
vault write secret/infra/my_service/prod/hello value=world foo=bar
vault read secret/infra/my_service/prod/hello
Key                 Value
---                 -----
refresh_interval    168h
value               world
foo                 bar
...
vault write secret/infra/my_service/prod/hello hello=world foo=bar
vault read secret/infra/my_service/prod/hello
Key                 Value
---                 -----
refresh_interval    168h
hello               world
foo                 bar
AWS IAM/STS
Google Cloud IAM
Database User/Pass (mysql, postgres, mongo, etc)
RabbitMQ User/Pass
We want vault configuration to be as turnkey as possible
So we created an automated process for it
https://code.uacf.io/projects/INFRA/repos/vault-configuration/browse
Merge to Master == Vault Configured
Thank you to everyone who beta tested this out!!!!
Use Case: Privacy and Consent Services
Use Case: Training Plans Service
The Good:
The Bad/Ugly:
https://slides.com/rocktavious/vault/
Thanks!
By Kyle Rockman
Using Vault at Under Armour Connected Fitness.