Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Together: Consul + Vault

Rosemary Wang
June 22, 2022
Technology
1
180

Secure Together: Consul + Vault

Originally presented at HashiConf EU 2022.

How do you better secure service-to-service communication? In this session, you will learn the ways you can combine Consul and Vault to encrypt traffic between services, control API authorization, and implement least-privilege access across services. Dive into setting up Vault to manage certificates for Consul API Gateway and service mesh on Kubernetes, Consul-Terraform-Sync to automate Vault configuration, and Consul intentions and Vault secrets engines to control access to services.

Rosemary Wang

June 22, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
15
Can You Test Your Infrastructure as Code?
joatmon08
1
51
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
27
From Cloud-Hosted to Cloud-Native
joatmon08
0
53
Refactoring Applications for Dynamic Secrets
joatmon08
1
37

Other Decks in Technology

See All in Technology
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
310
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
460
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
130
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
640
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k

Featured

See All Featured
Faster Mobile Websites
deanohume
305
30k
Raft: Consensus for Rubyists
vanstee
136
6.6k
A Philosophy of Restraint
colly
203
16k
Done Done
chrislema
181
16k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Embracing the Ebb and Flow
colly
84
4.5k
How to train your dragon (web standard)
notwaldorf
88
5.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k

Transcript

  1. Your certificate has expired.

  2. A service’s address and credentials have changed.

  3. Your services are all failing.

  4. How do you 
 secure changing services and 
 improve

    their resilience?

  5. A service mesh secures service registration and communication.

  6. A secrets manager automates service identity and access.

  7. Secure service communication with mutual authentication. Automate service authentication and

    authorization.

  8. Benefits Add flexibility to certificates Automate secret generation Improve system

    resilience Reduce operational effort

  9. Note: Use integrated storage for Vault.

  10. Secure service communication with mTLS.

  11. Use Vault as a secrets backend for Consul.

  12. Secrets for Consul Operations •TLS Certificates for Agents •Tokens for

    Access Control Lists (ACLs) •Encryption Key for Gossip •Enterprise License •Agent Configuration for Snapshots

  13. Secrets for Service Mesh TLS Certificates for Service Mesh •Encrypt

    service-to-service communication •Enables mTLS for east-west traffic TLS Certificates for API Gateway •Encrypt communication to services in mesh •Enables TLS for north-south traffic

  14. A Tale of Two Vault Secrets Engines PKI •Generates certificates

    for Consul •Handles certificate expiration automatically Key-Value Version 2 •Stores and secures static secret •Rotate secret → update Consul manually
  15. None

  16. Consul 
 Agent Offline Root CA PKI Secrets Engine /consul/server/pki

    /consul/server/pki_int Vault Agent Sidecar
  17. None

  18. Consul 
 Service Mesh CA Offline Root CA PKI Secrets

    Engine /consul/connect/pki /consul/connect/pki_int

  19. Root CA (Offline Key) Intermediate CA (Level 1) Intermediate CA

    (Level 2) Intermediate CA (Level 3)
  20. None

  21. Consul 
 API Gateway Offline Root CA PKI Secrets Engine

    /consul/gateway/pki /consul/gateway/pki_int Vault CSI Provider Kubernetes Secret
  22. None

  23. Automate service authentication & authorization.

  24. Database 
 (Previous) Application Database 
 (New) Username & Password

    New Username & Password

  25. Use Consul-Terraform-Sync to update secrets engine in Vault each time

    service changes.

  26. Database Secrets Engine Role Policy Kubernetes Auth Method Consul-Terraform-Sync Consul-Terraform-Sync

    Database 
 (External Service) Application
  27. None

  28. Secure Together Certificates, ACL Tokens Service Identity, Intentions

  29. Your certificate has been rotated.

  30. A service’s address and credentials have been updated.

  31. Your services are still working.

  32. Learn More Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault

    Code at 
 github.com/joatmon08/hashicorp-stack- demoapp