Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Together: Consul + Vault

Rosemary Wang
June 22, 2022
Technology
1
140

Secure Together: Consul + Vault

Originally presented at HashiConf EU 2022.

How do you better secure service-to-service communication? In this session, you will learn the ways you can combine Consul and Vault to encrypt traffic between services, control API authorization, and implement least-privilege access across services. Dive into setting up Vault to manage certificates for Consul API Gateway and service mesh on Kubernetes, Consul-Terraform-Sync to automate Vault configuration, and Consul intentions and Vault secrets engines to control access to services.

Rosemary Wang

June 22, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
11
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
12
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
9
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
13
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
24
Building a Developer Platform? Ask these questions.
joatmon08
0
10
From Cloud-Hosted to Cloud-Native
joatmon08
0
41
Refactoring Applications for Dynamic Secrets
joatmon08
1
29
Catching Commits to Secure Infrastructure as Code
joatmon08
1
39

Other Decks in Technology

See All in Technology
NLP2024 参加報告LT ~RAGの生成評価と懇親戦略~ / nlp2024_attendee_presentation_LT_masuda
taro_masuda
1
190
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
4
1.9k
【SORACOM UG】SIM Deep Dive セキュアエレメント編
soracom
PRO
0
230
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
180
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.1k
Databricks におけるデータエンジニアリング
databricksjapan
0
370
Why we expect the Microservices
shkitayama
2
320
長期運用プロジェクトでのMySQLからTiDB移行の検証
colopl
1
190
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
160
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
1
2.9k
Postman v10リリース後を振り返る
nagix
0
110

Featured

See All Featured
Faster Mobile Websites
deanohume
296
30k
Practical Orchestrator
shlominoach
181
9.7k
Building Effective Engineering Teams - LeadDev
addyosmani
26
1.8k
Docker and Python
trallard
33
2.7k
Web Components: a chance to create the future
zenorocha
304
41k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
355
22k
Raft: Consensus for Rubyists
vanstee
131
6.2k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
The Power of CSS Pseudo Elements
geoffreycrofte
58
5k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
The Language of Interfaces
destraynor
151
23k
Code Reviewing Like a Champion
maltzj
513
39k

Transcript

  1. Your certificate has expired.

  2. A service’s address and credentials have changed.

  3. Your services are all failing.

  4. How do you 
 secure changing services and 
 improve

    their resilience?

  5. A service mesh secures service registration and communication.

  6. A secrets manager automates service identity and access.

  7. Secure service communication with mutual authentication. Automate service authentication and

    authorization.

  8. Benefits Add flexibility to certificates Automate secret generation Improve system

    resilience Reduce operational effort

  9. Note: Use integrated storage for Vault.

  10. Secure service communication with mTLS.

  11. Use Vault as a secrets backend for Consul.

  12. Secrets for Consul Operations •TLS Certificates for Agents •Tokens for

    Access Control Lists (ACLs) •Encryption Key for Gossip •Enterprise License •Agent Configuration for Snapshots

  13. Secrets for Service Mesh TLS Certificates for Service Mesh •Encrypt

    service-to-service communication •Enables mTLS for east-west traffic TLS Certificates for API Gateway •Encrypt communication to services in mesh •Enables TLS for north-south traffic

  14. A Tale of Two Vault Secrets Engines PKI •Generates certificates

    for Consul •Handles certificate expiration automatically Key-Value Version 2 •Stores and secures static secret •Rotate secret → update Consul manually
  15. None

  16. Consul 
 Agent Offline Root CA PKI Secrets Engine /consul/server/pki

    /consul/server/pki_int Vault Agent Sidecar
  17. None

  18. Consul 
 Service Mesh CA Offline Root CA PKI Secrets

    Engine /consul/connect/pki /consul/connect/pki_int

  19. Root CA (Offline Key) Intermediate CA (Level 1) Intermediate CA

    (Level 2) Intermediate CA (Level 3)
  20. None

  21. Consul 
 API Gateway Offline Root CA PKI Secrets Engine

    /consul/gateway/pki /consul/gateway/pki_int Vault CSI Provider Kubernetes Secret
  22. None

  23. Automate service authentication & authorization.

  24. Database 
 (Previous) Application Database 
 (New) Username & Password

    New Username & Password

  25. Use Consul-Terraform-Sync to update secrets engine in Vault each time

    service changes.

  26. Database Secrets Engine Role Policy Kubernetes Auth Method Consul-Terraform-Sync Consul-Terraform-Sync

    Database 
 (External Service) Application
  27. None

  28. Secure Together Certificates, ACL Tokens Service Identity, Intentions

  29. Your certificate has been rotated.

  30. A service’s address and credentials have been updated.

  31. Your services are still working.

  32. Learn More Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault

    Code at 
 github.com/joatmon08/hashicorp-stack- demoapp