Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

Managing Secrets at Scale with Vault
Christoph Strobl, Pivotal Software, Inc.
@stroblchristoph #devone
Apache TomEE – Encryption to the Rescue

A plaintext database password in the TomEE resource definition:

    <Resource id="MySQL Database" type="DataSource">
      JdbcDriver com.mysql.jdbc.Driver
      JdbcUrl jdbc:mysql://localhost/test
      UserName test
      Password Passw0rd
    </Resource>

The same resource with the password encrypted using the built-in Static3DES cipher:

    <Resource id="MySQL Database" type="DataSource">
      JdbcDriver com.mysql.jdbc.Driver
      JdbcUrl jdbc:mysql://localhost/test
      UserName test
      Password xMH5uM1V9vQzVUv5LG7YLA==
      PasswordCipher Static3DES
    </Resource>
Symmetric vs. Asymmetric

(Image slide; photo credit: https://www.flickr.com/photos/dahlstroms/4188244058)
Vault – Features (Community and Enterprise)

• Secret Storage
• Tokens & ACL
• Dynamic Secrets
• Leasing and renewal
• Key Rolling
• Audit Logs
• Hardware Security Modules
• 24x7 Support
Getting Started – Write & Read Secrets

    $ vault write secret/devone value=awesome
    Success! Data written to: secret/devone
    $ vault read secret/devone
    Key             Value
    lease_duration  2592000
    value           awesome
    $
Getting Started – Seal Vault

    $ vault seal
    Vault is now sealed.
    $ vault read secret/devone
    Error reading secret/devone: Error making API request.

    URL: GET :49222/v1/secret/devone
    Code: 503. Errors:

    * Vault is sealed
    $
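The two CLI calls above map onto Vault's HTTP API. As an added example (not from the slides), here is a minimal client that performs the same read over HTTP and distinguishes the sealed case from other failures; it assumes the KV v1 response layout (data, lease_duration, errors) and the X-Vault-Token header, and the Vault address and token are placeholders you supply.

```python
# Added example: GET /v1/secret/devone over Vault's HTTP API, with the
# sealed-Vault answer (HTTP 503, "Vault is sealed") handled explicitly.
import json
import urllib.error
import urllib.request


class VaultSealedError(RuntimeError):
    """Vault answered 503 with 'Vault is sealed' in its errors list."""


class VaultError(RuntimeError):
    """Any other non-200 answer; the message carries Vault's errors list."""


def parse_read_response(status, body):
    """Interpret a Vault API response given its status code and raw JSON body.

    Returns (data, lease_duration) on success. A 503 whose errors mention
    'sealed' raises VaultSealedError; every other failure raises VaultError.
    """
    payload = json.loads(body) if body else {}
    errors = payload.get("errors", [])
    if status == 503 and any("sealed" in e.lower() for e in errors):
        raise VaultSealedError("Vault is sealed; unseal it before reading secrets")
    if status != 200:
        raise VaultError(f"HTTP {status}: {errors}")
    # KV v1 puts the stored key/values under 'data' and the TTL under
    # 'lease_duration' (2592000 s, i.e. 30 days, on the slide above).
    return payload["data"], payload.get("lease_duration", 0)


def read_secret(addr, token, path):
    """GET {addr}/v1/{path}, authenticating with the token in X-Vault-Token.

    addr is e.g. "http://127.0.0.1:8200" and token a Vault token (both
    placeholders to be supplied by the caller).
    """
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_read_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # urllib raises on non-2xx; the body still carries Vault's errors list.
        return parse_read_response(err.code, err.read().decode())
```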
Spring Cloud in General

• Service Discovery
• Circuit Breakers
• Routing & Messaging
• CI Pipelines
• Tracing
• API Gateway
• Configuration
Spring Cloud – Configuration
(Diagram: Config Server)

Spring Cloud – Service Discovery
(Diagram: Service Registry; Consumer and Producer connect through it)
Spring Cloud...

• Circuit Breakers with Netflix Hystrix.
• Messaging using RabbitMQ or Apache Kafka.
• Tracing with Spring Cloud Sleuth & Zipkin.
• Spring Cloud Bus
• Spring Cloud Stream (pre. Dataflow)
• Spring Cloud Task
• Spring Cloud AWS
• … and many more!
Spring Cloud Vault
(Diagram: Token / Auth)
Spring Cloud Vault with different Backends

src/main/resources/bootstrap.properties:

    spring.application.name=spring-devone-app
    spring.cloud.vault.token=eb5229d6-9858-d494-a1d7-820...
    spring.cloud.vault.mysql.enabled=true
    spring.cloud.vault.mysql.role=readonly
    spring.datasource.url=jdbc:mysql://localhost:3306
Spring Framework 5 RC1 / Spring Boot 2 M1 – check out the latest releases!