Slide 1

Building secure environments in clouds using HashiCorp tools
Nicki Watt, @techiewatt
HashiConf EU, 12/06/2016

Slide 2

About Me
• Hands-on Lead Consultant at OpenCredo
• Co-author of Neo4j in Action
• Currently working with a UK government department on a cloud automation project
• Twitter: @techiewatt


Slide 3

Agenda
• What is the problem?
• What are the options?
• How: principles, challenges, lessons, tools
• Conclusion


Slide 4

What problem are we trying to address?

Slide 5

Act 1: “Take advantage of cloud computing”

Slide 6

Act 2: “Efficiently take advantage of more cloud computing”

Slide 9

How to create fast, repeatable, secure environments capable of running in different clouds!

Slide 10

An example requirement: Team1 needs a Kubernetes-based development environment

Slide 11

Input:
• Environment prefix: team1
• Number of K8s slaves: 3
• Environment domain suffix: t1tools.domain.io
• Initial SSH keys: AAAEFF user1@team1
• Cloud: AWS

Slide 13

Environment “Contract” (diagram)
Core: VPN, DNS
User solution requirements (intra-cloud): K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
Supporting Services
• Completely isolated; need to VPN in to access
• Agreed, customisable IaaS layout
• Agreed base software installed

Slide 14

What are our options?

Slide 15

“You need our cloud management platform!”

Slide 16

vs

Slide 18

Principles

Slide 19

• Automate everything
• Separate config from code
• API-driven clouds & tools
• Prefer modular, open source tools
ASAP

Slide 24

• Self-service functionality
• Automated environment creation (under the hood) functionality

Slide 25

Environment “Contract” (diagram)
Core: VPN, DNS
User solution requirements (intra-cloud): K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
Supporting Services

Slide 26

Environment “Implementation” building blocks (diagram)
Core: VPN, DNS
User solution requirements (intra-cloud): K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
Supporting Services: Configuration management tool

Slide 27

Environment “Implementation” building blocks (diagram)
Core; User solution requirements (intra-cloud); Supporting Services

Slide 28

Environment “Implementation” building blocks (diagram)
Instances: ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01
Core; User solution requirements (intra-cloud); Supporting Services

Slide 30

Environment “Implementation” building blocks (diagram)
Instances: ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01
Core: VPN, DNS
User solution requirements (intra-cloud)
Supporting Services: Configuration management tool

Slide 32

Environment “Implementation” building blocks (diagram)
Instances: ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01
Core: VPN, DNS
User solution requirements (intra-cloud)
Supporting Services: Configuration management tool
Approach style: Mutable infrastructure

Slide 33

How?

Slide 34

• Automated Image creation
• Automated IaaS Provisioning
• Automated Instance Management
• Securing all the things!
Bootstrap

Slide 35

Challenge #1: Automated Image Provisioning
(diagram: Core; User solution requirements (intra-cloud); Supporting Services)

Slide 37

Challenge #2: Automated IaaS Provisioning
(diagram: ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01; Core; User solution requirements (intra-cloud); Supporting Services)

Slide 38

• Networks
• Firewall Rules
• Routers
• Compute Resources
• Public / Floating IP Addresses

Slide 39

Lesson: There is NO single common cloud API

Slide 40

Tool: Terraform (Automated IaaS Provisioning)

Slide 41

Creates, manages, and manipulates infrastructure resources.

Slide 42

Multiple Cloud Providers

Slide 44

Declarative DSL (AWS)

terraform.tf (OpenStack):

    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.env-prefix}-ovpn"
      image_name  = "${var.image_name}"
      flavor_name = "${var.openvpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }

    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
      region = ""
      pool   = "${var.public-ip-pool}"
      ...
    }

terraform.tf (AWS):

    ## AWS Compute instance
    resource "aws_instance" "ovpn" {
      ami                    = "${var.ovpn-ami}"
      instance_type          = "${var.m-openvpn-instance-type}"
      vpc_security_group_ids = ["${aws_security_group.ovpn.id}"]
      subnet_id              = "${aws_subnet.dmz.id}"
      ...
    }

    ## DMZ network exposing Public IP
    resource "aws_subnet" "dmz" {
      vpc_id                  = "${aws_vpc.core.id}"
      cidr_block              = "${var.m-dmz-net-cidr}"
      map_public_ip_on_launch = true
      ...
    }
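The AWS snippet above attaches the OpenVPN instance to aws_security_group.ovpn and puts it in a DMZ subnet, but the slides never show the firewall rules that make the slide 13 contract ("completely isolated, need to VPN in to access") true. The following is an added example, not code from the talk or from OpenCredo: it expresses that contract as AWS security groups in the same Terraform 0.6-era interpolation syntax the slides use, and reuses the slides' own aws_vpc.core and var.m-env-prefix. The variables m-k8s-node-count, m-k8s-ami, m-k8s-instance-type, m-private-net-cidr and m-initial-ssh-pubkey, and the resource names internal, private, initial and k8snode, are assumptions introduced here.

```hcl
## Added example (not from the talk): the "VPN in to access" contract as firewall rules.
## Assumed variables: m-k8s-node-count, m-k8s-ami, m-k8s-instance-type,
## m-private-net-cidr, m-initial-ssh-pubkey.

## The only internet-reachable port in the whole environment: OpenVPN on UDP 1194.
## No public SSH rule: the VPN host is administered over the tunnel it terminates.
resource "aws_security_group" "ovpn" {
  name        = "${var.m-env-prefix}-ovpn"
  description = "OpenVPN endpoint - sole public entry point"
  vpc_id      = "${aws_vpc.core.id}"

  ingress {
    from_port   = 1194
    to_port     = 1194
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

## Everything behind the VPN shares one group: reachable from the VPN host
## and from each other (k8s overlay, etcd, Postgres), never from the internet.
resource "aws_security_group" "internal" {
  name        = "${var.m-env-prefix}-internal"
  description = "k8s, orchestrator and db - reachable via VPN only"
  vpc_id      = "${aws_vpc.core.id}"

  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = ["${aws_security_group.ovpn.id}"]
  }

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

## Private subnet for the solution: unlike the DMZ, no public IP is handed out on launch.
resource "aws_subnet" "private" {
  vpc_id                  = "${aws_vpc.core.id}"
  cidr_block              = "${var.m-private-net-cidr}"
  map_public_ip_on_launch = false
}

## The "Initial SSH keys" environment input (slide 11) becomes the key pair baked into each node.
resource "aws_key_pair" "initial" {
  key_name   = "${var.m-env-prefix}-initial"
  public_key = "${var.m-initial-ssh-pubkey}"
}

## "Number of K8s slaves" drives count; names follow the k8snode01.. convention of the diagram.
resource "aws_instance" "k8snode" {
  count                  = "${var.m-k8s-node-count}"
  ami                    = "${var.m-k8s-ami}"
  instance_type          = "${var.m-k8s-instance-type}"
  subnet_id              = "${aws_subnet.private.id}"
  vpc_security_group_ids = ["${aws_security_group.internal.id}"]
  key_name               = "${aws_key_pair.initial.key_name}"

  tags = {
    Name = "${var.m-env-prefix}-k8snode${format("%02d", count.index + 1)}"
  }
}
```

The check worth making after `terraform apply` is that only the ovpn instance has a public address and only its group has a 0.0.0.0/0 ingress rule; every other instance (k8smaster, orchestrator, db01 would attach to the same internal group) is reachable solely through the tunnel. Route tables and any NAT for outbound traffic from the private subnet are left out here.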

Slide 45

Declarative DSL (OpenStack)

terraform.tf:

    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.m-env-prefix}-ovpn"
      image_name  = "${var.m-ovpn-imgname}"
      flavor_name = "${var.m-ovpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }

    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
      region = ""
      pool   = "${var.m-public-ip-pool}"
      ...
    }

Slide 46

Variables

terraform.tf:

    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.m-env-prefix}-ovpn"
      image_name  = "${var.m-ovpn-imgname}"
      flavor_name = "${var.m-ovpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }

inputs.tf:

    variable "m-env-prefix"        { default = "team1" }
    variable "m-ovpn-imgname"      { default = "centos7-001" }
    variable "m-ovpn-flavour-name" { default = "x1.medium" }

Slide 48

Configurable modules are your friend!

Slide 49

DNS Module

core.tf:

    # External DNS (AWS Route 53)
    resource "aws_route53_record" "dns" {
      zone_id = "${var.m-route-53-domain-id}"
      name    = "${var.m-dns-name}"
      type    = "${var.m-type}"
      ttl     = "${var.m-ttl}"
      records = ["${var.m-public-ip}"]
    }

Slide 50

Slide 50 text

terraform.tf: Modules are your friend!

module "mgt" {
  source              = ".../openstack/mgt"
  m-public-ip-pool    = "${var.tf_public_ip_pool}"
  m-ovpn-flavour-name = "${var.tf_ovpn_flav_name}"
  m-ovpn-imgname      = "${var.tf_ovpn_imgname}"
  …
}

module "ext-dns" {
  source      = ".../aws/dns"
  m-public-ip = "${module.mgt.ovpn-public-ip}"
  m-dns-name  = "${var.tf_ext_dns_name}"
  …
}

Slide 53

Slide 53 text

Cohesive multi-provider management is often required a lot sooner than you may think!

Slide 54

Slide 54 text

“Other” Infrastructure Providers

Slide 55

Slide 55 text

“Other” Infrastructure Providers: External DNS

Slide 57

Slide 57 text

terraform.tf: Composed terraform file

module "mgt" {
  source              = ".../openstack/mgt"
  m-public-ip-pool    = "${var.tf_public_ip_pool}"
  m-ovpn-flavour-name = "${var.tf_ovpn_flav_name}"
  m-ovpn-imgname      = "${var.tf_ovpn_imgname}"
  …
}

module "ext-dns" {
  source      = ".../aws/dns"
  # the input name must match the variable the dns module declares (var.m-public-ip in core.tf)
  m-public-ip = "${module.mgt.ovpn-public-ip}"
  m-dns-name  = "${var.tf_ext_dns_name}"
  …
}

Slide 58

Slide 58 text

IaaS provisioning Summary
• Infrastructure as code
• Compose/Generate Terraform from modular definitions
• Handle multiple infrastructure providers
• Adhered to all our ASAP principles

Slide 59

Slide 59 text

Challenge #3: Automated Instance Management
[Diagram: core user solution requirements (intra-cloud): ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01. Supporting services: VPN, DNS, configuration management tool.]

Slide 60

Slide 60 text

Initial bootstrap vs. longer term maintenance

Slide 61

Slide 61 text

Lesson: conscious de-coupling is your friend
[Diagram: boot time cloud/VM instance customisation -> configuration management tool]

Slide 62

Slide 62 text

Approach & Tools: Automated (Bootstrap) Instance Management

Slide 63

Slide 63 text

[Diagram: cloud provider with its metadata service; management subnet, app subnet, public IP]

Slide 64

Slide 64 text

Boot time customisation of cloud instances (VMs)

Slide 65

Slide 65 text

Hooks into the cloud provider's metadata service
[Diagram: cloud provider metadata service]

Slide 66

Slide 66 text

Accesses the user-supplied data for the VM it is running on (served by the cloud provider metadata service)

#cloud-config
hostname: ${env-prefix}-jm
fqdn: ${env-prefix}-jm.${domain}
manage_etc_hosts: true
puppet:
  conf:
    agent:
      server: "${env-prefix}-ipa.${domain}"
runcmd:
  # poll until the IPA CA answers, then enrol this host. -k skips TLS verification,
  # which is tolerable for a reachability poll but not for any fetch whose content you act on
  - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install --domain=${domain} ... --unattended --force-join
  # bounded retry of the first puppet run. 'puppet agent -t' exits 2 when it applied changes
  # successfully, so 0 and 2 both end the loop. POSIX sh syntax: runcmd strings are run by
  # /bin/sh, which is not bash on every image
  - export COUNT=0 ; until puppet agent -t || [ $? -eq 2 ] ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [ "$COUNT" -eq 3 ] ; then break ; fi ; sleep 30 ; COUNT=$((COUNT+1)) ; done
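The two runcmd entries above (poll a dependency until it answers, then retry an agent run a bounded number of times) are a pattern worth factoring out of the cloud-config. What follows is an added example and not code from the slides: POSIX sh helpers that implement that pattern and handle the two failure modes the one-line loops gloss over, namely that `puppet agent -t` exits 2 on a successful run that applied changes, and that a readiness poll over HTTPS should verify against the CA when a bundle is available instead of passing `-k`. The function names and the optional CA_FILE argument are my own.

```shell
#!/bin/sh
# Added example (not from the slides): the bootstrap pattern used in the runcmd
# above, as reusable POSIX sh functions. Names are mine.

# retry_cmd MAX_ATTEMPTS SLEEP_SECONDS "OK_CODES" CMD [ARGS...]
# Runs CMD until its exit code is one of OK_CODES (space separated) or
# MAX_ATTEMPTS is used up. Returns 0 on success, 1 when attempts are exhausted,
# so the caller (and the cloud-init log) sees a definite failure, not a hang.
retry_cmd() {
  max=$1; delay=$2; ok_codes=$3; shift 3
  attempt=1
  while :; do
    "$@"
    rc=$?
    for ok in $ok_codes; do
      [ "$rc" -eq "$ok" ] && return 0
    done
    echo "$(date -u +%FT%TZ) - attempt $attempt of $max failed with exit code $rc" >&2
    [ "$attempt" -ge "$max" ] && return 1
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# wait_for_url MAX_ATTEMPTS SLEEP_SECONDS URL [CA_FILE]
# Polls URL until curl gets a 2xx. When a CA bundle is available it is passed
# with --cacert instead of disabling verification with -k, so only a server
# holding a certificate from that CA can satisfy the readiness check.
wait_for_url() {
  url=$3; cafile=$4
  if [ -n "$cafile" ]; then
    retry_cmd "$1" "$2" "0" curl -sSf --cacert "$cafile" -o /dev/null "$url"
  else
    retry_cmd "$1" "$2" "0" curl -sSf -o /dev/null "$url"
  fi
}

# run_puppet_agent [MAX_ATTEMPTS] [SLEEP_SECONDS]
# 'puppet agent -t' implies --detailed-exitcodes: 0 = no changes, 2 = changes
# applied, 4/6 = failures during the run. A plain 'until puppet agent -t' would
# re-run a successful first run, so 0 and 2 are both treated as success here.
run_puppet_agent() {
  retry_cmd "${1:-4}" "${2:-30}" "0 2" puppet agent -t
}
```

In a runcmd entry this becomes `wait_for_url 20 30 "https://${env-prefix}-ipa.${domain}/ca/admin/ca/getStatus" && ipa-client-install ... && run_puppet_agent` once the functions are sourced from a file shipped with the image or written out via write_files.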

Slide 67

Slide 67 text

Example (user-data) cloud config

#cloud-config
hostname: ${env-prefix}-jm
fqdn: ${env-prefix}-jm.${domain}
manage_etc_hosts: true
puppet:
  conf:
    agent:
      server: "${env-prefix}-ipa.${domain}"

Slide 69

Slide 69 text

Passing user-data via terraform

## Compute instance (km)
resource "openstack_compute_instance_v2" "km" {
  name        = "${var.env-prefix}-km"
  image_name  = "${var.image_name}"
  flavor_name = "${var.km-flavour-name}"
  user_data   = "${template_file.clientconfig.rendered}"
  ...
}

## UserData as input to cloud-init
resource "template_file" "clientconfig" {
  filename = "${path.module}/clientconfig.template"
  vars {
    domain     = "${var.domain}"
    env-prefix = "${var.env-prefix}"
    ...
  }
}

Slide 71

Slide 71 text

[Diagram: cloud provider with its metadata service; management subnet, app subnet, public IP]

Slide 72

Slide 72 text

[Diagram: cloud provider with its metadata service; management subnet, app subnet]

Slide 74

Slide 74 text

[Diagram: cloud provider with its metadata service; management subnet, app subnet; first instance team1-orch booted]

Slide 75

Slide 75 text

[Diagram: cloud provider with its metadata service; management subnet, app subnet; instances team1-ovpn, team1-orch, team1-k8sm, team1-k8sn1, team1-k8sn2, team1-db, team1-elk]

Slide 77

Slide 77 text

Automated Instance Mgt Summary
• Decoupled, async bootstrap process
• Infrastructure as code
• Adhered to all our ASAP principles
• Tool swap possible: Ansible -> Puppet


Slide 78

Slide 78 text

Challenge #4: Securing all the things!
[Diagram: core user solution requirements (intra-cloud): ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01. Supporting services: VPN, DNS, configuration management tool.]

Slide 79

Slide 79 text

Secrets Management
• For terraform provisioning
• For configuration management
• For anything needing access to sensitive stuff


Slide 80

Slide 80 text

Lesson: don’t roll your own!

Slide 81

Slide 81 text

Tool: Secure secrets management

Slide 82

Slide 82 text

• Unified API to access multiple backends
• ACL policies: who can access what
• Audit Logs

Slide 83

Slide 83 text

Anything Else

Slide 84

Slide 84 text

Part 1: Securing the automated IaaS provisioning process

Slide 85

Slide 85 text

[Flow diagram: Init -> Unseal]

Slide 86

Slide 86 text

[Flow diagram: Init -> Unseal -> Configure global static secrets]

Slide 87

Slide 87 text

Vault write, then read back secret

$ vault write iaas/cloud-provider-password value=ASDKJ234SF*2
Success! Data written to: iaas/cloud-provider-password

$ vault read iaas/cloud-provider-password
Key             Value
lease_duration  2592000
value           ASDKJ234SF*2

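Writing the provider password into Vault is half the story; the other half is getting it back into Terraform at run time without it landing in a .tfvars file, a shell profile or the command history. The following is an added example, not code from the talk: it reads secrets from the iaas/ mount with `vault read -field` and hands them to Terraform as TF_VAR_* environment variables, refusing to run if a read fails or comes back empty. Assumptions not stated on the slides: each secret keeps its value under the key `value` (as in the write above), a VAULT_TOKEN whose policy grants read on iaas/* is already in the environment, and the variable names os_username/os_password and the path iaas/cloud-provider-username are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): feed Vault-held IaaS credentials to
# Terraform through TF_VAR_* environment variables. Paths, variable names and
# the "value" key are assumptions (see the text above).

VAULT_BIN=${VAULT_BIN:-vault}   # overridable so the functions can be exercised with a stand-in

# vault_field PATH [KEY]
# Prints a single key of a secret ('vault read -field=KEY PATH'). Capture it
# with $(...), which drops any trailing newline.
vault_field() {
  "$VAULT_BIN" read -field="${2:-value}" "$1"
}

# export_tf_var NAME VAULT_PATH [KEY]
# Exports TF_VAR_<NAME>, which Terraform maps onto variable "<NAME>".
# Exports nothing and returns 1 if the read fails or the value is empty, so a
# wrong path, or a token whose policy lacks read on it, stops the run before
# terraform starts instead of producing a plan with an empty password.
export_tf_var() {
  name=$1; path=$2; key=${3:-value}
  value=$(vault_field "$path" "$key") || return 1
  if [ -z "$value" ]; then
    echo "empty secret at $path (key $key)" >&2
    return 1
  fi
  export "TF_VAR_${name}=${value}"
}

# run_terraform ARGS...
# Loads the provider credentials for this process only, then calls terraform.
# Nothing is written to disk by this script; any value Terraform stores in a
# resource attribute still lands in terraform.tfstate in clear, which is what
# the state-encryption step later in the deck is for.
run_terraform() {
  export_tf_var os_username iaas/cloud-provider-username || return 1
  export_tf_var os_password iaas/cloud-provider-password || return 1
  terraform "$@"
}
```

Invoke it as `run_terraform plan` or `run_terraform apply`; the secrets exist only in the environment of that process and its children. This keeps credentials out of the source tree, not out of the state file.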
Slide 88

Slide 88 text

[Flow diagram, actor "the brokering framework/services": Init -> Unseal -> Configure global static secrets]

Slide 89

Slide 89 text

[Flow diagram, actor "the brokering framework/services": Init -> Unseal -> Configure global static secrets -> Create new environment]

Slide 90

Slide 90 text

[Flow diagram, actors "the brokering framework/services" and "the cloud-env mgmt App": Init -> Unseal -> Configure global static secrets -> Create new environment -> Create specific mount, policy & add secrets]

Slide 91

Slide 91 text

[Flow diagram, actors "the brokering framework/services" and "the cloud-env mgmt App": Init -> Unseal -> Configure global static secrets -> Create new environment -> Create specific mount, policy & add secrets -> Spin up environment]

Slide 92

Slide 92 text

[Flow diagram, actor "the brokering framework/services": Init -> Unseal -> Configure global static secrets -> Create new environment -> Create specific mount, policy & add secrets -> Get IaaS creds -> Spin up environment]

Slide 94

Slide 94 text

[Flow diagram, actor "the brokering framework/services": Init -> Unseal -> Configure global static secrets -> Create new environment -> Create specific mount, policy & add secrets -> Get IaaS creds -> Spin up environment -> Encrypt tfstate (terrahelp)]
https://github.com/opencredo/terrahelp

Slide 95

Slide 95 text

Benefits
• Centralised secure storage solution
• Flexible backends: “The right security for the job”


Slide 96

Slide 96 text

Part 2: Securing the automated VM bootstrap process

Slide 97

Slide 97 text

[Diagram: cloud provider; cloud provider metadata service; management subnet; app subnet; ?]

Slide 98

Slide 98 text

[Diagram: The cloud-env mgmt App. Steps: Unseal; Init; Get IaaS creds; Encrypt tfstate (terrahelp); Spin up environment; Create new environment; Create specific mount, policy & add secrets.]

Slide 99

Slide 99 text

[Diagram: The cloud-env mgmt App. Step highlighted: Create specific mount, policy & add secrets. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 100

Slide 100 text

Vault create new mount

$ vault mount -path=team1 generic
Successfully mounted 'generic' at 'team1'!

$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secr...
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used f...
team1/      generic    system       system

Slide 101

Slide 101 text

Vault write, then read back secret

$ vault write team1/git-password value=ASDKJ234SF*2
Success! Data written to: team1/git-password

$ vault write team1/postgres-pwd value=S98KDJS#mvs3
Success! Data written to: team1/postgres-pwd

Slide 102

Slide 102 text

Vault create custom policy

$ cat team1-vm-bootstrap.policy
path "team1/*" {
  policy = "read"
}

$ vault policy-write team1-vm-bootstrap team1-vm-bootstrap.policy
Policy 'team1-vm-bootstrap' written.

Slide 103

Slide 103 text

[Diagram: The cloud-env mgmt App. Step highlighted: Get IaaS creds, generate real token. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 104

Slide 104 text

[Diagram: The cloud-env mgmt App. Step highlighted: Get IaaS creds, generate real token & OTP. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 105

Slide 105 text

[Diagram: The cloud-env mgmt App. Step highlighted: Get IaaS creds, generate real token & OTP. The OTP token (TOKEN: USES: 1) carries the REAL TOKEN in its /cubbyhole. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 106

Slide 106 text

[Diagram: The cloud-env mgmt App. The OTP token (TOKEN: USES: 1) carries the REAL TOKEN in its /cubbyhole. Vault mount /team1 holds gitcred1 = x, gitcred2 = z. Steps: Get IaaS creds, generate real token & OTP; Spin up environment; Create new environment; Create specific mount, policy & add secrets.]

Slide 107

Slide 107 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. The OTP token (TOKEN: USES: 1) carries the REAL TOKEN in its /cubbyhole. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 108

Slide 108 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. The OTP token (TOKEN: USES: 1) with the REAL TOKEN in its /cubbyhole reaches the orch-vm. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 109

Slide 109 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. The OTP token is spent (TOKEN: USES: 0); the REAL TOKEN has been retrieved from the /cubbyhole. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 110

Slide 110 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 111

Slide 111 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 112

Slide 112 text

Real token - policy restricted

$ cat team1-vm-bootstrap.policy
path "team1/*" {
  policy = "read"
}
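The mount/policy setup of slides 100-102 and the single-use-token handover of slides 103-112, as an added example that is not code from the talk: a minimal in-memory model of what Vault does server-side (a team1 mount, a read-only policy on team1/*, a policy-restricted real token placed in the cubbyhole of a one-use token). Token format, the secret/other-team value and the class are constructed for illustration; nothing here contacts a Vault server.

```python
# Added example, not code from the talk or from Vault: a model of the
# num_uses / policy / cubbyhole behaviour shown on slides 100-112.
import fnmatch
import secrets

class MiniVault:
    def __init__(self):
        self.kv = {}          # secret path -> value (the generic mounts)
        self.policies = {}    # policy name -> {path glob: capability}
        self.tokens = {}      # token -> {"policies": [...], "uses": int or None}
        self.cubbyhole = {}   # token -> private key/value store for that token

    def write(self, path, value):            # slide 101: vault write team1/...
        self.kv[path] = value

    def policy_write(self, name, rules):     # slide 102: vault policy-write
        self.policies[name] = dict(rules)

    def token_create(self, policies, num_uses=None):
        tok = "s." + secrets.token_hex(8)    # constructed token format
        self.tokens[tok] = {"policies": list(policies), "uses": num_uses}
        self.cubbyhole[tok] = {}
        return tok

    def _consume(self, tok):
        # Spend one use of a use-limited token; at 0 uses the token is revoked.
        meta = self.tokens.get(tok)
        if meta is None:
            raise PermissionError("unknown or revoked token")
        if meta["uses"] is not None:
            meta["uses"] -= 1
            if meta["uses"] == 0:            # slide 109: USES: 0, token gone
                del self.tokens[tok]
                del self.cubbyhole[tok]      # the cubbyhole dies with its token
        return meta

    def read(self, tok, path):
        meta = self._consume(tok)
        for name in meta["policies"]:
            for glob, cap in self.policies.get(name, {}).items():
                if fnmatch.fnmatchcase(path, glob) and cap in ("read", "write"):
                    return self.kv[path]
        raise PermissionError(f"policy denies read of {path}")

    def cubbyhole_read(self, tok, key):
        value = self.cubbyhole.get(tok, {}).get(key)   # snapshot before the use is spent
        self._consume(tok)
        if value is None:
            raise KeyError(key)
        return value

def orchestrator_bootstrap(vault):
    """Slides 100-106: set up team1, mint the real token and the one-use wrapper."""
    vault.write("team1/git-password", "ASDKJ234SF*2")   # value from slide 101
    vault.write("secret/other-team", "constructed-value-outside-team1")
    vault.policy_write("team1-vm-bootstrap", {"team1/*": "read"})
    real = vault.token_create(["team1-vm-bootstrap"])
    otp = vault.token_create([], num_uses=1)           # the OTP of slide 105
    vault.cubbyhole[otp]["real-token"] = real          # stash modelled as a direct write
    return otp

def vm_bootstrap(vault, otp):
    """Slides 107-110: the VM unwraps once, then reads only what team1/* allows."""
    real = vault.cubbyhole_read(otp, "real-token")     # spends the single use
    return real, vault.read(real, "team1/git-password")
```

Vault's original cubbyhole pattern gives the temporary token two uses (one for the orchestrator's write, one for the VM's read); the slides show the VM receiving it with one use left, which is the state modelled here.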

Slide 113

Slide 113 text

[Diagram: Vault mount /team1 holds gitcred1 = x, gitcred2 = z. cloud provider; management subnet; dev subnet with orch-vm.]

Slide 114

Slide 114 text

[Diagram: Vault mount /team1 holds gitcred1 = x, gitcred2 = z. cloud provider; management subnet; dev subnet with orch-vm.]

Slide 115

Slide 115 text

[Diagram: cloud provider; management subnet; dev subnet with orch-vm. Vault mount /team1 holds gitcred1 = x, gitcred2 = z.]

Slide 116

Slide 116 text

[Diagram: Vault mount /team1 holds secret1 = x, secret2 = z. cloud provider; management subnet; dev subnet with orch-vm.] https://github.com/jsok/hiera-vault

Slide 117

Slide 117 text

Secrets Management Summary
• Vault embodies our ASAP principles
• Centralised secure storage solution
• Flexible backends - “The right security for the job”
• Granular access control


Slide 118

Slide 118 text

Conclusion

Slide 119

Slide 119 text

How to create fast, repeatable, secure environments capable of running in different clouds!

Slide 120

Slide 120 text

• Developers can create environments in minutes
• Addressed concerns about moving towards cloud
• Start leveraging the promise of cloud
• Right cloud for the job


Slide 121

Slide 121 text

• Combined “the right tools for the job”
• Flexible and adaptive moving forward

Slide 122

Slide 122 text

“The only thing constant in life is change.” — François de La Rochefoucauld


Slide 123

Slide 123 text

Be true to your principles, but flex your tools (and approach) as required


Slide 124

Slide 124 text

Thanks
Questions? @techiewatt