Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Together: Consul + Vault

Rosemary Wang
June 22, 2022
Technology
1
180

Secure Together: Consul + Vault

Originally presented at HashiConf EU 2022.

How do you better secure service-to-service communication? In this session, you will learn the ways you can combine Consul and Vault to encrypt traffic between services, control API authorization, and implement least-privilege access across services. Dive into setting up Vault to manage certificates for Consul API Gateway and service mesh on Kubernetes, Consul-Terraform-Sync to automate Vault configuration, and Consul intentions and Vault secrets engines to control access to services.

Rosemary Wang

June 22, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
14
Can You Test Your Infrastructure as Code?
joatmon08
1
49
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
26
From Cloud-Hosted to Cloud-Native
joatmon08
0
50
Refactoring Applications for Dynamic Secrets
joatmon08
1
37

Other Decks in Technology

See All in Technology
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
180
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
使えそうで使われないCloudHSM
maikamibayashi
0
170
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
170
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
170
Java x Spring Boot Warm up
kazu_kichi_67
2
490
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
210
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
650

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Thoughts on Productivity
jonyablonski
67
4.3k
What's new in Ruby 2.0
geeforr
342
31k
Designing for Performance
lara
604
68k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Faster Mobile Websites
deanohume
304
30k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Typedesign – Prime Four
hannesfritz
39
2.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Optimising Largest Contentful Paint
csswizardry
33
2.9k

Transcript

  1. Your certificate has expired.

  2. A service’s address and credentials have changed.

  3. Your services are all failing.

  4. How do you 
 secure changing services and 
 improve

    their resilience?

  5. A service mesh secures service registration and communication.

  6. A secrets manager automates service identity and access.

  7. Secure service communication with mutual authentication. Automate service authentication and

    authorization.

  8. Benefits Add flexibility to certificates Automate secret generation Improve system

    resilience Reduce operational effort

  9. Note: Use integrated storage for Vault.

  10. Secure service communication with mTLS.

  11. Use Vault as a secrets backend for Consul.

  12. Secrets for Consul Operations •TLS Certificates for Agents •Tokens for

    Access Control Lists (ACLs) •Encryption Key for Gossip •Enterprise License •Agent Configuration for Snapshots

  13. Secrets for Service Mesh TLS Certificates for Service Mesh •Encrypt

    service-to-service communication •Enables mTLS for east-west traffic TLS Certificates for API Gateway •Encrypt communication to services in mesh •Enables TLS for north-south traffic

  14. A Tale of Two Vault Secrets Engines PKI •Generates certificates

    for Consul •Handles certificate expiration automatically Key-Value Version 2 •Stores and secures static secret •Rotate secret → update Consul manually
  15. None

  16. Consul 
 Agent Offline Root CA PKI Secrets Engine /consul/server/pki

    /consul/server/pki_int Vault Agent Sidecar
  17. None

  18. Consul 
 Service Mesh CA Offline Root CA PKI Secrets

    Engine /consul/connect/pki /consul/connect/pki_int

  19. Root CA (Offline Key) Intermediate CA (Level 1) Intermediate CA

    (Level 2) Intermediate CA (Level 3)
  20. None

  21. Consul 
 API Gateway Offline Root CA PKI Secrets Engine

    /consul/gateway/pki /consul/gateway/pki_int Vault CSI Provider Kubernetes Secret
  22. None

  23. Automate service authentication & authorization.

  24. Database 
 (Previous) Application Database 
 (New) Username & Password

    New Username & Password

  25. Use Consul-Terraform-Sync to update secrets engine in Vault each time

    service changes.

  26. Database Secrets Engine Role Policy Kubernetes Auth Method Consul-Terraform-Sync Consul-Terraform-Sync

    Database 
 (External Service) Application
  27. None

  28. Secure Together Certificates, ACL Tokens Service Identity, Intentions

  29. Your certificate has been rotated.

  30. A service’s address and credentials have been updated.

  31. Your services are still working.

  32. Learn More Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault

    Code at 
 github.com/joatmon08/hashicorp-stack- demoapp