Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools

HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools

Talk given at HashiConf EU 2016 (Amsterdam). Associated video can be found here: https://www.youtube.com/watch?v=tbrQnrLExow

Nicki Watt

June 14, 2016
Tweet

More Decks by Nicki Watt

Other Decks in Technology

Transcript

  1. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Building secure
    environments in clouds using
    HashiCorp tools
    Nicki Watt
    @techiewatt
    HashiConf EU - 12/06/2016
    1

    View full-size slide

  2. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2
    About Me
    • Hands on Lead consultant at OpenCredo

    • Co-author Neo4j In Action

    • Currently working with a UK government
    department on cloud automation project

    • Twitter: @techiewatt 


    View full-size slide

  3. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 3
    Agenda
    • What is the problem

    • What are the options

    • How: Principles, challenges, lessons, tools
    • Conclusion 


    View full-size slide

  4. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 4
    What problem are we
    trying to address?

    View full-size slide

  5. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 5
    Act 1 :
    “Take advantage of
    cloud computing”

    View full-size slide

  6. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 6
    Act 2 :
    “Efficiently
    Take advantage of more
    cloud computing”

    View full-size slide

  7. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 7

    View full-size slide

  8. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 8

    View full-size slide

  9. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 9
    How to create

    fast, repeatable, secure

    environments capable of running

    in different clouds!

    View full-size slide

  10. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10
    An example requirement:

    Team1 needs a

    Kubernetes based development
    environment

    View full-size slide

  11. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11
    Input:
    Environment prefix: team1
    Number K8s Slaves: 3
    Environment domain suffix: t1tools.domain.io
    Initial SSH keys: AAAEFF user1@team1
    Cloud: AWS

    View full-size slide

  12. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 12

    View full-size slide

  13. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    13
    K8S
    Master
    K8S
    Node-1
    K8S
    Node-2
    K8S
    Node-3
    Postgres DB
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Environment
    “Contract”
    •Completely isolated, need to
    VPN in to access
    •Agreed customisable IaaS
    layout
    •Agreed base software
    installed

    View full-size slide

  14. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 14
    What are our options?

    View full-size slide

  15. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 15
    you need our
    cloud management platform !

    View full-size slide

  16. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 16
    vs

    View full-size slide

  17. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 17

    View full-size slide

  18. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 18
    Principles

    View full-size slide

  19. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 19
    • Automate everything

    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools

    ASAP

    View full-size slide

  20. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 20
    • Automate everything

    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools

    ASAP

    View full-size slide

  21. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 21
    • Automate everything

    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools

    ASAP

    View full-size slide

  22. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22
    • Automate everything

    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools

    ASAP

    View full-size slide

  23. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 23
    • Automate everything

    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools

    ASAP

    View full-size slide

  24. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 24
    • Self service functionality
    • Automated environment creation 

    (under the hood) functionality

    View full-size slide

  25. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    25
    K8S
    Master
    K8S
    Node-1
    K8S
    Node-2
    K8S
    Node-3
    Postgres DB
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Environment
    “Contract”

    View full-size slide

  26. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    26
    K8S
    Master
    K8S
    Node-1
    K8S
    Node-2
    K8S
    Node-3
    Postgres DB
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Environment
    “Implementation”
    building blocks
    Configuration
    management
    tool

    View full-size slide

  27. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    27
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    Environment
    “Implementation”
    building blocks

    View full-size slide

  28. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    28
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    Environment
    “Implementation”
    building blocks

    View full-size slide

  29. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    29
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    Environment
    “Implementation”
    building blocks

    View full-size slide

  30. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    30
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Configuration
    management
    tool
    Environment
    “Implementation”
    building blocks

    View full-size slide

  31. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    31
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Configuration
    management
    tool
    Environment
    “Implementation”
    building blocks

    View full-size slide

  32. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    32
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Approach style:
    Mutable
    infrastructure
    Configuration
    management
    tool

    View full-size slide

  33. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 34
    How?

    View full-size slide

  34. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ^
    35
    • Automated Image creation

    • Automated IaaS Provisioning
    • Automated Instance Management
    • Securing all the things!
    Bootstrap

    View full-size slide

  35. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 36
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    Challenge #1

    Automated Image Provisioning

    View full-size slide

  36. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    37

    View full-size slide

  37. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    38
    Challenge #2

    Automated IaaS Provisioning

    View full-size slide

  38. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 39
    • Networks
    • Firewall Rules
    • Routers
    • Compute 

    Resources
    • Public / Floating 

    IP Addresses

    View full-size slide

  39. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 41
    Lesson

    There is NO single
    common cloud API

    View full-size slide

  40. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 42
    Tool: Terraform

    Automated IaaS Provisioning

    View full-size slide

  41. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 43
    Creates, manages, and manipulates
    infrastructure resources.

    View full-size slide

  42. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 44
    Multiple Cloud Providers

    View full-size slide

  43. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 45
    Multiple Cloud Providers

    View full-size slide

  44. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 46
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
    name = "${var.env-prefix}-ovpn"
    image_name = "${var.image_name}"
    flavor_name = "${var.openvpn-flavour-name}"
    floating_ip = “${openstack_compute_floatingip_v2.
    openvpn.address}"
    ...
    }
    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
    region = ""
    pool = "${var.public-ip-pool}"
    ...
    }
    terraform.tf
    Declarative DSL (AWS)
    ## AWS Compute instance
    resource "aws_instance" "ovpn" {
    ami = “${var.ovpn-ami}"
    instance_type = “${var.m-openvpn-instance-type}"
    vpc_security_group_ids = [
    "${aws_security_group.ovpn.id}"]
    subnet_id = “${aws_subnet.dmz.id}"
    ...
    }
    ## DMZ network exposing Public IP
    resource "aws_subnet" "dmz" {
    vpc_id = "${aws_vpc.core.id}"
    cidr_block = “${var.m-dmz-net-cidr}"
    map_public_ip_on_launch = 1
    ...
    }
    terraform.tf

    View full-size slide

  45. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 47
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
    name = “${var.m-env-prefix}-ovpn"
    image_name = “${var.m-ovpn-imgname}”
    flavor_name = “${var.m-ovpn-flavour-name}"
    floating_ip = “${openstack_compute_floatingip_v2.
    openvpn.address}"
    ...
    }
    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
    region = ""
    pool = “${var.m-public-ip-pool}"
    ...
    }
    terraform.tf
    Declarative DSL (OpenStack)

    View full-size slide

  46. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 48
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
    name = “${var.m-env-prefix}-ovpn"
    image_name = “${var.m-ovpn-imgname}”
    flavor_name = “${var.m-ovpn-flavour-name}"
    floating_ip = “${openstack_compute_floatingip_v2.
    openvpn.address}"
    ...
    }
    variable “m-env-prefix" { default = "team1" }
    variable “m-ovpn-imgname” { default = "centos7-001"}
    variable “m-ovpn-flavour-name"{ default = "x1.medium" }
    terraform.tf
    inputs.tf
    Variables

    View full-size slide

  47. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 49
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
    name = “${var.m-env-prefix}-ovpn"
    image_name = “${var.m-ovpn-imgname}”
    flavor_name = “${var.m-ovpn-flavour-name}"
    floating_ip = “${openstack_compute_floatingip_v2.
    openvpn.address}"
    ...
    }
    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
    region = ""
    pool = “${var.m-public-ip-pool}"
    ...
    }
    terraform.tf
    Declarative DSL (OpenStack)

    View full-size slide

  48. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 50
    Configurable modules
    are your friend!

    View full-size slide

  49. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 51
    # External DNS (AWS Route 53)
    resource "aws_route53_record" "dns" {
    zone_id = “${var.m-route-53-domain-id}”
    name = “${var.m-dns-name}”
    type = "${var.m-type}"
    ttl = "${var.m-ttl}"
    records = [“${var.m-public-ip}"]
    }
    core.tf
    DNS Module

    View full-size slide

  50. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 52
    module "mgt" {
    source = “.../openstack/mgt”
    m-public-ip-pool = “${var.tf_public_ip_pool}”
    m-ovpn-flavour-name = “${var.tf_ovpn_flav_name}”
    m-ovpn-imgname = “${var.tf_ovpn_imgname}”

    }
    module “ext-dns" {
    source = “.../aws/dns”
    m-public-ip = “${module.mgt.ovpn-public-ip}”
    m-dns-name = “${var.tf_ext_dns_name}”

    }
    terraform.tf
    Modules are your friend!

    View full-size slide

  51. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 53
    module "mgt" {
    source = “.../openstack/mgt”
    m-public-ip-pool = “${var.tf_public_ip_pool}”
    m-ovpn-flavour-name = “${var.tf_ovpn_flav_name}”
    m-ovpn-imgname = “${var.tf_ovpn_imgname}”

    }
    module “ext-dns" {
    source = “.../aws/dns”
    m-public-ip = “${module.mgt.ovpn-public-ip}”
    m-dns-name = “${var.tf_ext_dns_name}”

    }
    terraform.tf
    Modules are your friend!

    View full-size slide

  52. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 54
    module "mgt" {
    source = “.../openstack/mgt”
    m-public-ip-pool = “${var.tf_public_ip_pool}”
    m-ovpn-flavour-name = “${var.tf_ovpn_flav_name}”
    m-ovpn-imgname = “${var.tf_ovpn_imgname}”

    }
    module “ext-dns" {
    source = “.../aws/dns”
    m-public-ip = “${module.mgt.ovpn-public-ip}”
    m-dns-name = “${var.tf_ext_dns_name}”

    }
    terraform.tf
    Modules are your friend!

    View full-size slide

  53. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 55
    cohesive multi-provider management
    is often required
    a lot sooner than you may think!

    View full-size slide

  54. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    56
    “Other” Infrastructure Providers

    View full-size slide

  55. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 57
    External DNS
    “Other” Infrastructure Providers

    View full-size slide

  56. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 58
    External DNS
    “Other” Infrastructure Providers

    View full-size slide

  57. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 59
    module "mgt" {
    source = “.../openstack/mgt”
    m-public-ip-pool = “${var.tf_public_ip_pool}”
    m-ovpn-flavour-name = “${var.tf_ovpn_flav_name}”
    m-ovpn-imgname = “${var.tf_ovpn_imgname}”

    }
    module “ext-dns" {
    source = “.../aws/dns”
    m-ovpn-public-ip = “${module.mgt.ovpn-public-ip}”
    m-dns-name = “${var.tf_ext_dns_name}”

    }
    terraform.tf
    Composed terraform file

    View full-size slide

  58. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 60
    • Adhered to all our ASAP principles
    • Handle multiple infrastructure providers

    • Compose/Generate Terraform from
    modular definitions
    • Infrastructure as code
    IaaS provisioning Summary

    View full-size slide

  59. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 62
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Configuration
    management
    tool
    Challenge #3

    Automated Instance Management

    View full-size slide

  60. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 63
    initial bootstrap
    vs.
    longer term maintenance

    View full-size slide

  61. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    boot time

    cloud/VM instance
    customisation
    64
    configuration
    management

    tool
    Lesson:

    conscious de-coupling
    is your friend
    —>

    View full-size slide

  62. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 65
    —>
    Approach & Tools:

    Automated (Bootstrap)
    Instance Management

    View full-size slide

  63. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadat
    a
    service
    management subnet
    app
    subnet
    public IP

    View full-size slide

  64. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 67
    Boot time customisation
    of cloud instances (VMs)

    View full-size slide

  65. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 68
    Hooks into cloud provider’s
    metadata service
    cloud
    provider
    metadat
    a
    service

    View full-size slide

  66. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 69
    Accesses user supplied data
    for VM it is running on
    cloud
    provider
    metadat
    a
    service
    #cloud-config
    hostname: ${env-prefix}-jm
    fqdn: ${env-prefix}-jm.${domain}
    manage_etc_hosts: true
    puppet:
    conf:
    agent:
    server: "${env-prefix}-ipa.$
    {domain}"
    runcmd:
    - until curl -ksf https://${env-
    prefix}-ipa.${domain}:443/ca/admin/
    ca/getStatus ; do sleep 30 ; done ;
    ipa-client-install —domain=${domain}
    ... --unattended --force-join
    - export COUNT=0 ; until puppet
    agent -t ; do echo "`date` -
    Attempting to run puppet agent for
    $COUNT time" ; if [[ $COUNT -eq 3 ]]
    ; then break ; fi ; sleep 30 ;
    ((COUNT++)) ; done

    View full-size slide

  67. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 70
    Example (user-data) cloud config
    #cloud-config
    hostname: ${env-prefix}-jm
    fqdn: ${env-prefix}-jm.${domain}
    manage_etc_hosts: true
    puppet:
    conf:
    agent:
    server: "${env-prefix}-ipa.${domain}"

    View full-size slide

  68. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 71
    #cloud-config
    hostname: ${env-prefix}-jm
    fqdn: ${env-prefix}-jm.${domain}
    manage_etc_hosts: true
    puppet:
    conf:
    agent:
    server: "${env-prefix}-ipa.${domain}"
    Example (user-data) cloud config

    View full-size slide

  69. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "km" {
    name = "${var.env-prefix}-km"
    image_name = "${var.image_name}"
    flavor_name = "${var.km-flavour-name}"
    user_data = "${template_file.clientconfig.rendered}"
    ...
    }
    ## UserData as input to cloud-init
    resource "template_file" "clientconfig" {
    filename = "${path.module}/clientconfig.template"
    vars {
    domain = "${var.domain}"
    env-prefix = "${var.env-prefix}"
    ...
    }
    }
    72
    Passing user-data via terraform

    View full-size slide

  70. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 73
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "km" {
    name = "${var.env-prefix}-km"
    image_name = "${var.image_name}"
    flavor_name = "${var.km-flavour-name}"
    user_data = "${template_file.clientconfig.rendered}"
    ...
    }
    ## UserData as input to cloud-init
    resource "template_file" "clientconfig" {
    filename = "${path.module}/clientconfig.template"
    vars {
    domain = "${var.domain}"
    env-prefix = "${var.env-prefix}"
    ...
    }
    }
    Passing user-data via terraform

    View full-size slide

  71. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    management subnet
    app
    subnet
    public IP

    View full-size slide

  72. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    management subnet
    app
    subnet

    View full-size slide

  73. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    management subnet
    app
    subnet

    View full-size slide

  74. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    team1-orch
    management subnet
    app
    subnet

    View full-size slide

  75. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    team1-ovpn
    team1-orch
    team1-k8sm team1-k8sn1 team1-k8sn2 team1-db
    team1-elk
    management subnet
    app
    subnet

    View full-size slide

  76. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadata
    service
    team1-ovpn
    team1-orch
    team1-k8sm team1-k8sn1 team1-k8sn2 team1-db
    team1-elk
    management subnet
    app
    subnet

    View full-size slide

  77. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 81
    Automated Instance Mgt Summary
    • Decoupled, async bootstrap process 

    • Infrastructure as code
    • Adhered to all our ASAP principles

    • Tool swap possible: Ansible —> Puppet


    View full-size slide

  78. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ovpn orchestrator
    k8smaster
    k8snode01 k8snode02 k8snode03
    db01
    Core User Solution requirements
    (Intra-cloud) Supporting Services
    VPN DNS
    Configuration
    management
    tool
    83
    Challenge #4

    Securing all the things!

    View full-size slide

  79. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 84
    Secrets Management
    • For terraform provisioning

    • For configuration management
    • For anything needing access to sensitive stuff


    View full-size slide

  80. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 85
    Lesson:

    don’t roll your own!

    View full-size slide

  81. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 86
    Tool:

    Secure secrets management

    View full-size slide

  82. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 87
    • Unified API to access multiple backends
    • ACL policies - who can access what
    • Audit Logs

    View full-size slide

  83. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Anything
    Else

    View full-size slide

  84. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 90
    Part 1:
    Securing the automated

    IaaS provisioning process

    View full-size slide

  85. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init

    View full-size slide

  86. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    Configure
    Global Static
    Secrets

    View full-size slide

  87. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 93
    Vault write, then read back secret
    $ vault write iaas/cloud-provider-password value=ASDKJ234SF*2
    Success! Data written to: iaas/cloud-provider-password

    $ vault read iaas/cloud-provider-password
    Key Value
    lease_duration 2592000
    value ASDKJ234SF*2

    View full-size slide

  88. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    94

    View full-size slide

  89. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    Create new
    environment
    95

    View full-size slide

  90. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    The
    cloud-env
    mgmt
    App
    The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    Create specific mount,
    policy & add secrets
    Create new
    environment
    96

    View full-size slide

  91. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    The
    cloud-env
    mgmt
    App
    The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create specific mount,
    policy & add secrets
    Create new
    environment
    97

    View full-size slide

  92. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    Get IaaS creds The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    98

    View full-size slide

  93. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    brokering
    framework/
    services
    Unseal
    Init
    Get IaaS creds
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    99

    View full-size slide

  94. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    brokering
    framework/
    services
    Unseal
    Init
    Get IaaS creds
    Encrypt
    tfstate
    (terrahelp)
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    https://github.com/opencredo/terrahelp
    100

    View full-size slide

  95. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 101
    Benefits
    • Centralised secure storage solution
    • Flexible backends - “The right security for the job”

    View full-size slide

  96. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 102
    Part 2:

    Securing the automated

    VM bootstrap process
    —>

    View full-size slide

  97. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud
    provider
    cloud
    provider
    metadat
    a
    service
    management subnet
    app
    subnet
    ?
    103

    View full-size slide

  98. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    Unseal
    Init
    Get IaaS creds
    Encrypt
    tfstate
    (terrahelp)
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    104

    View full-size slide

  99. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    Spin up
    environment
    Get IaaS creds,
    /team1
    + gitcred1 = x
    + gitcred2 = z
    Create specific mount,
    policy & add secrets
    Create new
    environment
    105

    View full-size slide

  100. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 106
    $ vault mount -path=team1 generic
    Successfully mounted 'generic' at ‘team1'!
    $ vault mounts
    Path Type Default TTL Max TTL Description
    cubbyhole/ cubbyhole n/a n/a per-token private secr ...
    secret/ generic system system generic secret storage
    sys/ system n/a n/a system endpoints used f...
    team1/ generic system system
    Vault create new mount

    View full-size slide

  101. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 107
    Vault write, then read back secret
    $ vault write team1/git-password value=ASDKJ234SF*2
    Success! Data written to: team1/git-password

    $ vault write team1/postgres-pwd value=S98KDJS#mvs3
    Success! Data written to: team1/postgres-pwd

    View full-size slide

  102. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 108
    $ cat team1-vm-bootstrap.policy
    path "team1/*" {
    policy = "read"
    }
    $ vault policy-write team1-vm-bootstrap team1-vm-bootstrap.policy
    Policy ‘team1-vm-bootstrap' written.
    Vault create custom policy

    View full-size slide

  103. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    Spin up
    environment
    Create new
    environment
    /team1
    + gitcred1 = x
    + gitcred2 = z
    Create specific mount,
    policy & add secrets
    Get IaaS creds,
    generate real token
    109

    View full-size slide

  104. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    Get IaaS creds,
    generate real token & OTP
    /team1
    + gitcred1 = x
    + gitcred2 = z
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    110

    View full-size slide

  105. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    Get IaaS creds,
    generate real token & OTP
    TOKEN:
    USES: 1
    REAL
    TOKEN
    /cubbyhole
    /team1
    + gitcred1 = x
    + gitcred2 = z
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    111

    View full-size slide

  106. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    cloud-env
    mgmt
    App
    TOKEN:
    USES: 1
    REAL
    TOKEN
    /cubbyhole
    /team1
    + gitcred1 = x
    + gitcred2 = z
    Get IaaS creds,
    generate real token & OTP
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    112

    View full-size slide

  107. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    TOKEN:
    USES: 1
    REAL
    TOKEN
    /cubbyhole
    cloud provider
    management subnet
    dev subnet
    orch-vm
    /team1
    + gitcred1 = x
    + gitcred2 = z
    113

    View full-size slide

  108. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud provider
    management subnet
    dev subnet
    orch-vm
    TOKEN:
    USES: 1
    REAL
    TOKEN
    /cubbyhole
    /team1
    + gitcred1 = x
    + gitcred2 = z
    114

    View full-size slide

  109. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud provider
    management subnet
    dev subnet
    orch-vm
    TOKEN:
    USES: 0
    /cubbyhole
    REAL
    TOKEN
    /team1
    + gitcred1 = x
    + gitcred2 = z
    115

    View full-size slide

  110. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud provider
    management subnet
    dev subnet
    orch-vm
    /team1
    + gitcred1 = x
    + gitcred2 = z
    116

    View full-size slide

  111. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud provider
    management subnet
    dev subnet
    orch-vm
    /team1
    + gitcred1 = x
    + gitcred2 = z
    117

    View full-size slide

  112. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 118
    $ cat team1-vm-bootstrap.policy
    path "team1/*" {
    policy = "read"
    }
    Real token - policy restricted

    View full-size slide

  113. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /team1
    + gitcred1 = x
    + gitcred2 = z
    cloud provider
    management subnet
    dev subnet
    orch-vm
    119

    View full-size slide

  114. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /team1
    + gitcred1 = x
    + gitcred2 = z
    cloud provider
    management subnet
    dev subnet
    orch-vm
    120

    View full-size slide

  115. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    cloud provider
    management subnet
    dev subnet
    orch-vm
    /team1
    + gitcred1 = x
    + gitcred2 = z
    121

    View full-size slide

  116. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /team1
    + secret1 = x
    + secret2 = z
    cloud provider
    management subnet
    dev subnet
    orch-vm
    https://github.com/jsok/hiera-vault 122

    View full-size slide

  117. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 123
    Secrets Management Summary
    • Vault embodies our ASAP principles
    • Centralised secure storage solution
    • Flexible backends - “The right security for the job”

    • Granular access control

    View full-size slide

  118. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 125
    Conclusion

    View full-size slide

  119. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 126
    How to create
    fast, repeatable, secure
    environments capable of running
    in different clouds!

    View full-size slide

  120. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 127
    • Developers can create environment in minutes

    • Addressed concerns moving towards cloud
    • Start leverage promise of cloud
    • Right cloud for the job

    View full-size slide

  121. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 128
    • Combined “the right tools for the job”

    • Flexible and adaptive moving forward

    View full-size slide

  122. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 129
    “The only thing constant in life
    is change.”
    — François de La Rochefoucauld


    View full-size slide

  123. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 130
    Be true to your principles,
    but flex your tools
    (and approach)
    as required


    View full-size slide

  124. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 131
    Thanks
    Questions?
    @techiewatt

    View full-size slide