Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CodeMesh 2015 : Boot my (secure)->(portable) cl...

Nicki Watt
November 04, 2015

CodeMesh 2015 : Boot my (secure)->(portable) clouds!

Slides to accompany my talk done at Code Mesh 2015. http://www.codemesh.io/codemesh2015/nicki-watt.

Associated video can be found here: https://www.youtube.com/watch?v=bRZSftRVoAQ

Nicki Watt

November 04, 2015
Tweet

More Decks by Nicki Watt

Other Decks in Technology

Transcript

  1. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 40 Declarative DSL (AWS) ## OpenVPN Compute instance

    resource "aws_instance" "ovpn" { ami = "${var.ami_name}" instance_type = "${var.openvpn-instance-type}" vpc_security_group_ids = [ "${aws_security_group.ovpn.id}"] subnet_id = “${aws_subnet.dmz.id}" ... } ## DMZ network exposing Public IP resource "aws_subnet" "dmz" { vpc_id = "${aws_vpc.core.id}" cidr_block = "${var.dmz-net-cidr}" map_public_ip_on_launch = 1 ... } terraform.tf
  2. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 46 ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "ovpn"

    { name = "${var.env-prefix}-ovpn" image_name = "${var.image_name}" flavor_name = "${var.openvpn-flavour-name}" floating_ip = “${openstack_compute_floatingip_v2. openvpn.address}" ... } variable "env-prefix" { default = "team1" } variable "image-name" { default = "centos-7-001" } variable "openvpn-flavour-name" { default = "x1.medium" } terraform.tf terraform.tfvars Vars & inter resource refs
  3. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 65 Example (user-data) cloud config #cloud-config hostname: ${env-prefix}-jm

    fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true puppet: conf: agent: server: "${env-prefix}-ipa.${domain}" runcmd: - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/ admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install — domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done
  4. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 66 #cloud-config hostname: ${env-prefix}-jm fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true

    puppet: conf: agent: server: "${env-prefix}-ipa.${domain}" runcmd: - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/ admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install — domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done Example (user-data) cloud config
  5. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 67 #cloud-config hostname: ${env-prefix}-jm fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true

    puppet: conf: agent: server: "${env-prefix}-ipa.${domain}" runcmd: - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/ admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install — domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done Example (user-data) cloud config
  6. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 68 #cloud-config hostname: ${env-prefix}-jm fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true

    puppet: conf: agent: server: "${env-prefix}-ipa.${domain}" runcmd: - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/ admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install — domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done Example (user-data) cloud config
  7. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 69 #cloud-config hostname: ${env-prefix}-jm fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true

    puppet: conf: agent: server: "${env-prefix}-ipa.${domain}" runcmd: - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/ admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install — domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done Example (user-data) cloud config
  8. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "jm" {

    name = "${var.env-prefix}-jm" image_name = "${var.image_name}" flavor_name = "${var.jm-flavour-name}" user_data = "${template_file.clientconfig.rendered}" ... } ## UserData as input to cloud-init resource "template_file" "clientconfig" { filename = "${path.module}/clientconfig.template" vars { domain = "${var.domain}" env-prefix = "${var.env-prefix}" ... } } 70 Passing user-data via terraform
  9. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 71 ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "jm"

    { name = "${var.env-prefix}-jm" image_name = "${var.image_name}" flavor_name = "${var.jm-flavour-name}" user_data = "${template_file.clientconfig.rendered}" ... } ## UserData as input to cloud-init resource "template_file" "clientconfig" { filename = "${path.module}/clientconfig.template" vars { domain = "${var.domain}" env-prefix = "${var.env-prefix}" ... } } Passing user-data via terraform
  10. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 92 $ vault init -key-shares=3 -key-threshold=2 Key 1:

    8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba Key 2: 3fd762583cc9755222fa20f2a78770aca5ecba3b16d8c Key 3: a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Initial Root Token: 57dfce17-08c4-d042-91a3-68082965367b Vault initialized with 3 keys and a key threshold of 2. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again. Vault does not store the master key. Without at least 2 keys, your Vault will remain permanently sealed. $ vault unseal 8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba Sealed: true Key Shares: 3 Key Threshold: 2 Unseal Progress: 1 $ vault unseal a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Sealed: false Key Shares: 3 Key Threshold: 2 Unseal Progress: 0 Vault init & unseal
  11. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $ vault unseal 8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba Sealed: true Key Shares:

    3 Key Threshold: 2 Unseal Progress: 1 $ vault unseal a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Sealed: false Key Shares: 3 Key Threshold: 2 Unseal Progress: 0 $ vault init -key-shares=3 -key-threshold=2 Key 1: 8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba Key 2: 3fd762583cc9755222fa20f2a78770aca5ecba3b16d8c Key 3: a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Initial Root Token: 57dfce17-08c4-d042-91a3-68082965367b Vault initialized with 3 keys and a key threshold of 2. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again. Vault does not store the master key. Without at least 2 keys, your Vault will remain permanently sealed. 93 Vault init & unseal
  12. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $ vault init -key-shares=3 -key-threshold=2 Key 1: 8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba

    Key 2: 3fd762583cc9755222fa20f2a78770aca5ecba3b16d8c Key 3: a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Initial Root Token: 57dfce17-08c4-d042-91a3-68082965367b Vault initialized with 3 keys and a key threshold of 2. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again. Vault does not store the master key. Without at least 2 keys, your Vault will remain permanently sealed. $ vault unseal 8573410dd211cc9b5ea6b426b19d6d668e0184c39d4ba Sealed: true Key Shares: 3 Key Threshold: 2 Unseal Progress: 1 $ vault unseal a0428a6b6681eb15ffcea5be5c787beabcb7599a6fa91 Sealed: false Key Shares: 3 Key Threshold: 2 Unseal Progress: 0 94 Vault init & unseal
  13. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 100 $ vault token-create -policy="team1-bootstrap" Key Value token

    4a1cd43a-9206-9f48-caf8-b05e05457271 token_duration 2592000 token_renewable true token_policies [team1-bootstrap] $ vault auth 4a1cd43a-9206-9f48-caf8-b05e05457271 Successfully authenticated! token: 4a1cd43a-9206-9f48-caf8-b05e05457271 token_duration: 2592000 token_policies: [team1-bootstrap] $ vault read team1/cloud-provider-password Key Value lease_duration 2592000 value ASDKJ234SF*2 $ vault write team1/somekey value=somevalue Error writing data to team1/somekey: Error making API request. URL: PUT http://127.0.0.1:8200/v1/team1/somekey Code: 403. Errors: * permission denied Vault validate custom policy