Autoconfiguration of Consul Clients

Hans Hasselberg twitter.com/hanshasselberg

Running Consul • Running Consul securely is hard • Focus
on Consul client configuration related to security • https://learn.hashicorp.com/consul

Running Consul without any security // config.json { "data_dir": "./data",
"bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "retry_join": "192.168.1.1" }

Running Consul with gossip encryption // config.json { "data_dir": "./data",
"bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "retry_join": "192.168.1.1", "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=" }

Running Consul with gossip encryption and TLS // config.json {
"data_dir": "./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "retry_join": "192.168.1.1", "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=", "verify_outgoing": true, "verify_server_hostname": true, "ca_file": "./consul-agent-ca.pem", "cert_file": "./dc1-client-consul-0.pem", "key_file": "./dc1-client-consul-0.pem.pem" }

Running Consul with gossip encryption, TLS and ACLs // config.json
{ "data_dir": "./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "retry_join": "192.168.1.1", "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=", "verify_outgoing": true, "verify_server_hostname": true, "ca_file": "./consul-agent-ca.pem", "cert_file": "./dc1-client-consul-0.pem", "key_file": "./dc1-client-consul-0.pem.pem", "acl": { "enabled": true, "tokens": { "agent": "fe31ce76-9bbf-dd55-c749-1df6224ff1d3" } } }

The End? • 👏 great that you got that far,
that was not easy • 🔐 your Consul cluster is pretty secure • 🤔 BUT: • your gossip key is stored securely for provisioning new clients • when you rotate your gossip key, new clients get the new key • your client certificate pair is stored securely as well and it has a sensible expiration date. • you rotate your client certificate • you can rotate your CA • your ACL agent has the least amount of privileges • your management token, which is used to create the above, is stored securely • 😱 At $lastjob I never rotated the gossip key, never rotated the client certs, and didn’t enable ACLs.

AutoConfig • https://www.consul.io/docs/agent/options#auto_config • When starting up but before joining
the cluster, the client agent will make an RPC to the configured server addresses to request configuration settings, such as its agent ACL token, TLS certificates, Gossip encryption key as well as other configuration settings.

AutoConfig with every security feature enabled // config.json { "data_dir":
"./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "ca_file": "./consul-agent-ca.pem", "auto_config": { "enabled" : true, "server_addresses": ["192.168.1.1"], "intro_token": “eyJhbGciOiJFUzI1N…” } }

AutoConfig // config.json { "data_dir": "./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239",
"ca_file": "./consul-agent-ca.pem", "auto_config": { "enabled" : true, "server_addresses": ["192.168.1.1"], "intro_token": “eyJhbGciOiJFUzI1N…” } } // config.json { "data_dir": "./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239", "retry_join": "192.168.1.1", "encrypt": "f3htvkx3YdoXrODa/ NEQRn0TY09tj13iiy+PeJJ8nFk=", "verify_outgoing": true, "verify_server_hostname": true, "ca_file": "./consul-agent-ca.pem", "cert_file": "./dc1-client-consul-0.pem", "key_file": "./dc1-client-consul-0.pem.pem", "acl": { "enabled": true, "tokens": { "agent": "fe31ce76-9bbf-dd55- c749-1df6224ff1d3" } } }

AutoConfig • what is an intro_token? • where are the
client certificates coming from? • what is Connect?

AutoConfig server config { "auto_config": { "authorization": { "enabled": true,
"static": { "jwt_validation_pub_keys": ["-----BEGIN CERTIFICATE-----\nMIICmz"], "bound_issuer": "auto-config-cluster", "bound_audiences": ["audience"], "claim_mappings": { "sub": "node" }, "claim_assertions": [ "value.node == \"${node}\"" ] } } } }

Autoconfiguration of Consul Clients

Autoconfiguration of Consul Clients

Hans Hasselberg

More Decks by Hans Hasselberg

Other Decks in Programming

Featured

Transcript

Autoconfiguration of Consul Clients

Hans Hasselberg twitter.com/hanshasselberg

Running Consul • Running Consul securely is hard • Focus

Running Consul without any security // config.json { "data_dir": "./data",

Running Consul with gossip encryption // config.json { "data_dir": "./data",

Running Consul with gossip encryption and TLS // config.json {

Running Consul with gossip encryption, TLS and ACLs // config.json

The End? • 👏 great that you got that far,

AutoConfig • https://www.consul.io/docs/agent/options#auto_config • When starting up but before joining

AutoConfig with every security feature enabled // config.json { "data_dir":

AutoConfig // config.json { "data_dir": "./data", "bind_addr": "192.168.1.239", "advertise_addr": "192.168.1.239",

AutoConfig • what is an intro_token? • where are the

AutoConfig server config { "auto_config": { "authorization": { "enabled": true,

Q&A