
Autoconfiguration of Consul Clients


Hans Hasselberg

July 26, 2021


Transcript

  1. Running Consul
     • Running Consul securely is hard
     • Focus on Consul client configuration related to security
     • https://learn.hashicorp.com/consul

  2. Running Consul without any security
     // config.json
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "retry_join": "192.168.1.1"
     }

  3. Running Consul with gossip encryption
     // config.json
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "retry_join": "192.168.1.1",
       "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk="
     }

  4. Running Consul with gossip encryption and TLS
     // config.json
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "retry_join": "192.168.1.1",
       "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
       "verify_outgoing": true,
       "verify_server_hostname": true,
       "ca_file": "./consul-agent-ca.pem",
       "cert_file": "./dc1-client-consul-0.pem",
       "key_file": "./dc1-client-consul-0.pem.pem"
     }

  5. Running Consul with gossip encryption, TLS and ACLs
     // config.json
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "retry_join": "192.168.1.1",
       "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
       "verify_outgoing": true,
       "verify_server_hostname": true,
       "ca_file": "./consul-agent-ca.pem",
       "cert_file": "./dc1-client-consul-0.pem",
       "key_file": "./dc1-client-consul-0.pem.pem",
       "acl": {
         "enabled": true,
         "tokens": {
           "agent": "fe31ce76-9bbf-dd55-c749-1df6224ff1d3"
         }
       }
     }

  6. The End?
     • 👏 Great that you got this far, that was not easy
     • 🔐 Your Consul cluster is pretty secure
     • 🤔 BUT, only if all of the following hold:
       • your gossip key is stored securely for provisioning new clients
       • when you rotate your gossip key, new clients get the new key
       • your client certificate pair is stored securely as well and it has a sensible expiration date
       • you rotate your client certificate
       • you can rotate your CA
       • your ACL agent token has the least amount of privileges
       • your management token, which is used to create the above, is stored securely
     • 😱 At $lastjob I never rotated the gossip key, never rotated the client certs, and didn't enable ACLs.

  7. AutoConfig
     • https://www.consul.io/docs/agent/options#auto_config
     • "When starting up but before joining the cluster, the client agent will make an RPC to the configured server addresses to request configuration settings, such as its agent ACL token, TLS certificates, Gossip encryption key as well as other configuration settings."

  8. AutoConfig with every security feature enabled
     // config.json
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "ca_file": "./consul-agent-ca.pem",
       "auto_config": {
         "enabled": true,
         "server_addresses": ["192.168.1.1"],
         "intro_token": "eyJhbGciOiJFUzI1N…"
       }
     }

  9. AutoConfig
     The auto_config client configuration next to the same settings configured by hand:

     // config.json (with auto_config)
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "ca_file": "./consul-agent-ca.pem",
       "auto_config": {
         "enabled": true,
         "server_addresses": ["192.168.1.1"],
         "intro_token": "eyJhbGciOiJFUzI1N…"
       }
     }

     // config.json (everything configured by hand)
     {
       "data_dir": "./data",
       "bind_addr": "192.168.1.239",
       "advertise_addr": "192.168.1.239",
       "retry_join": "192.168.1.1",
       "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
       "verify_outgoing": true,
       "verify_server_hostname": true,
       "ca_file": "./consul-agent-ca.pem",
       "cert_file": "./dc1-client-consul-0.pem",
       "key_file": "./dc1-client-consul-0.pem.pem",
       "acl": {
         "enabled": true,
         "tokens": {
           "agent": "fe31ce76-9bbf-dd55-c749-1df6224ff1d3"
         }
       }
     }

  10. AutoConfig
     • What is an intro_token?
     • Where are the client certificates coming from?
     • What is Connect?

  11. AutoConfig server config
     {
       "auto_config": {
         "authorization": {
           "enabled": true,
           "static": {
             "jwt_validation_pub_keys": ["-----BEGIN CERTIFICATE-----\nMIICmz"],
             "bound_issuer": "auto-config-cluster",
             "bound_audiences": ["audience"],
             "claim_mappings": {
               "sub": "node"
             },
             "claim_assertions": [
               "value.node == \"${node}\""
             ]
           }
         }
       }
     }
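The intro_token on slides 8 and 9 is a JWT (its header begins with an alg of ES256), and the slide 11 server config states how the servers decide whether to hand out configuration to the node presenting it. The Go program below is an added example, not code from this deck or from Consul: it mints such a token for one node and re-creates the server-side decision in order (signature against the validation key, bound_issuer, bound_audiences, then the claim_assertion value.node == "${node}" after mapping sub to node). The issuer "auto-config-cluster" and audience "audience" are taken from slide 11; the generated key pair, the node names and a single-string aud claim are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)

var signingKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the jwt_validation_pub_keys key pair

// MintIntroToken (assumed provisioning-side helper) issues an ES256 JWT whose "sub" names one node.
func MintIntroToken(priv *ecdsa.PrivateKey, iss, aud, node string) string {
	body, _ := json.Marshal(map[string]string{"iss": iss, "aud": aud, "sub": node})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// AuthorizeAutoConfig mirrors the slide 11 server config: signature, bound_issuer,
// bound_audiences, then claim_assertions value.node == "${node}" (sub mapped to node).
func AuthorizeAutoConfig(token string, pub *ecdsa.PublicKey, boundIss, boundAud, node string) string {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "malformed token"
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signing input
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "signature invalid" // no claim is trusted before this point
	}
	var c map[string]string
	body, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(body, &c) != nil || c["iss"] != boundIss || c["aud"] != boundAud {
		return "claims unreadable or not bound" // the slide's audience list has one entry
	}
	if c["sub"] != node { // a node may only fetch its own configuration
		return "token issued for a different node"
	}
	return "" // authorized
}
```

The checks run in the order a verifier needs: nothing from the payload is used until the signature has been validated, so a token issued for one node cannot be re-pointed at another by editing its sub claim.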
  12. Q&A