Slide 1

Vault on Kubernetes
Carol Valencia

Slide 2

Topics
- Challenges
- Introduction to Vault
- Vault in practice
- Application in Kubernetes using Vault

Slide 3

Challenges
● Credentials stored & transmitted in plaintext format
● Credentials almost never get renewed once issued, or renewal is manual
● No PKI certificate management
● API keys are hand generated and never renewed
● No SSH key storage
● Lack of automation for secrets deployment
● …

Slide 4

Vault features
● Secure Secret Storage
● Dynamic Secrets (Secret as a Service)
● Data Encryption
● Leasing and Renewal (Key Rotation)
● Revocation
● Audit Control
● Integration with a wide variety of Databases and Tools
● …

Slide 5

Secure secret storage
● Basic Credentials
● Tokens, TOTP
● PKI Certificate Management (it's easy to be your own certificate authority)
● LDAP
● SSH Keys

Slide 6

Dynamic secrets
● No need to write down, store, or share passwords
● Enables very short-lived passwords, less exposure if compromised
● For distributed applications, every instance gets unique credentials
● Constantly changing and expiring usernames/passwords are much harder to brute force
● Automatic password rotation/expiration

Slide 7

Vault HTTP API/CLI

Slide 8

Vault storage backend
● Azure
● CockroachDB
● Consul
● DynamoDB
● Etcd
● Filesystem
● FoundationDB
● Google Cloud Storage
● In-Memory
● Manta
● MySQL
● PostgreSQL
● Cassandra
● S3
● Swift
● Zookeeper

Slide 9

Vault authentication

Slide 10

Vault authentication

Slide 11

Vault authorization

Slide 12

Vault authorization

Slide 13

Vault secrets

Slide 14

Vault agent

Slide 15

Demo: Vault with Kubernetes
- Minikube
- Helm
- Vault: HashiCorp
- Storage: MariaDB

Slide 16

Demo: Vault with Kubernetes
- Kubernetes: minikube start
- Service account: kubectl apply -f app-vault/vault-auth-sa
- Config: kubectl create configmap example-vault-agent-config --from-file=./configs-k8s/
- Vault policies & secrets: bash setup-k8s-auth.sh
- Deploy app: kubectl apply -f pod-example.yml --record
- Test application: curl http://localhost:8080
- Validate secret: vault kv get secret/myapp/config
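What the deployed pod (or the Vault Agent sidecar configured from the ConfigMap above) actually does at startup is a two-step exchange against Vault's HTTP API: present the pod's Kubernetes service account JWT to the Kubernetes auth method, receive a short-lived Vault token, then read the KV secret with that token. The following is an added example written for this page, not code from the talk or from the krol3/k8s-vaults repository. It assumes the Kubernetes auth method is mounted at Vault's default path auth/kubernetes, a Vault role named `myapp` (assumed name) bound to the pod's service account, and a KV v2 engine mounted at secret/, which is why `vault kv get secret/myapp/config` on the last slide step maps to the API path secret/data/myapp/config. The `FakeVault` transport, its token and the secret values are constructed so the block runs offline and shows the role and token checks a real server enforces.

```python
"""Kubernetes auth login followed by a KV v2 read, against Vault's HTTP API.

Added example (not from the talk or its demo repository). Assumptions:
  - the Kubernetes auth method is mounted at auth/kubernetes (Vault's default)
  - a Vault role named "myapp" (assumed name) is bound to the pod's service account
  - a KV v2 engine is mounted at secret/, so `vault kv get secret/myapp/config`
    reads the HTTP API path secret/data/myapp/config
"""
import json
import os
import urllib.request

# Path where Kubernetes mounts the pod's service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def kv2_api_path(cli_path: str) -> str:
    """Map a CLI path (secret/myapp/config) to the KV v2 data endpoint (secret/data/myapp/config)."""
    mount, _, rest = cli_path.strip("/").partition("/")
    return f"{mount}/data/{rest}"


def http_json(method, url, body=None, token=None):
    """Minimal JSON transport for Vault: JSON body plus the X-Vault-Token header when a token is held."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def k8s_login(vault_addr, role, jwt, transport=http_json):
    """POST the service account JWT to auth/kubernetes/login; return (token, ttl_seconds, policies).

    Vault validates the JWT through the Kubernetes TokenReview API and checks that the
    service account name and namespace match the role's binding before issuing a token.
    """
    resp = transport("POST", f"{vault_addr}/v1/auth/kubernetes/login",
                     body={"role": role, "jwt": jwt})
    auth = resp["auth"]
    return auth["client_token"], auth["lease_duration"], auth.get("policies", [])


def read_kv2(vault_addr, token, cli_path, transport=http_json):
    """GET a KV v2 secret; the key/value pairs sit under data.data in the response."""
    resp = transport("GET", f"{vault_addr}/v1/{kv2_api_path(cli_path)}", token=token)
    return resp["data"]["data"]


class FakeVault:
    """Constructed stand-in for a Vault server so the flow can be run offline.

    It only issues a token for role "myapp" and only serves the secret to that token,
    mirroring the role binding and policy check a real server performs.
    """
    ISSUED_TOKEN = "hvs.constructed-example-token"  # constructed value

    def __call__(self, method, url, body=None, token=None):
        if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
            if body.get("role") == "myapp" and body.get("jwt"):
                return {"auth": {"client_token": self.ISSUED_TOKEN, "lease_duration": 3600,
                                 "renewable": True, "policies": ["default", "myapp"]}}
            raise PermissionError("403: invalid role or jwt")
        if method == "GET" and url.endswith("/v1/secret/data/myapp/config"):
            if token == self.ISSUED_TOKEN:
                return {"data": {"data": {"username": "app", "password": "constructed-pw"},
                                 "metadata": {"version": 1}}}
            raise PermissionError("403: permission denied")
        raise LookupError(f"404: no handler for {method} {url}")


def fetch_app_config(vault_addr, role, jwt, transport=http_json):
    """The whole flow an app (or Vault Agent on its behalf) runs at startup."""
    token, ttl, policies = k8s_login(vault_addr, role, jwt, transport)
    config = read_kv2(vault_addr, token, "secret/myapp/config", transport)
    return {"ttl": ttl, "policies": policies, "config": config}


if __name__ == "__main__":
    if os.path.exists(SA_TOKEN_PATH) and os.environ.get("VAULT_ADDR"):
        # Inside a pod with Vault reachable: use the real HTTP transport.
        with open(SA_TOKEN_PATH) as f:
            result = fetch_app_config(os.environ["VAULT_ADDR"], "myapp", f.read().strip())
    else:
        # Anywhere else: run the same flow against the constructed fake server.
        result = fetch_app_config("http://vault.example:8200", "myapp",
                                  "constructed.jwt.value", transport=FakeVault())
    print(json.dumps(result, indent=2))
```

The returned `ttl` is the point of the "Leasing and Renewal" slide: the token the pod obtains expires on its own, so a leaked copy is worth little after the lease, and the Vault Agent in the demo renews it rather than the application storing a long-lived credential.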

Slide 17

Demo
Github: https://github.com/krol3/k8s-vaults/tree/master/hashicorp
Video: https://www.youtube.com/watch?v=9HshlpJM5ho

Slide 18

Resources
- https://medium.com/@maxy_ermayank/credential-store-using-hashicorp-vault-7d2fdeed08f2
- https://github.com/hashicorp/vault-guides/tree/master/identity/vault-agent-k8s-demo
- https://www.youtube.com/watch?v=B16YTeSs1hI&t=1707s

Slide 19

LinkedIn: Carol Valencia
Github: krol3
Email: [email protected]