Slide 1

CENTRALIZED CONFIGURATION USING CONSUL, VAULT AND SPRING CLOUD
Eko Kurniawan Khannedy

Slide 2

AGENDA
▸ Consul
▸ Vault
▸ Spring Cloud
▸ Next Plan

Slide 3

CONSUL

Slide 4

No content

Slide 5

WHAT IS CONSUL?
▸ Service Discovery (via DNS or HTTP)
▸ Failure Detection (health checking)
▸ Key-Value Storage (for dynamic configuration)
▸ Multi Datacenter

Slide 6

CONSUL CLUSTER ARCHITECTURE
▸ Datacenter
▸ Agent, the long-running daemon on every member of the Consul cluster
▸ Server, an agent with an expanded set of responsibilities
▸ Client, an agent that forwards all RPCs to a server

Slide 7

SETUP CONSUL CLUSTER

IP Address    Role
192.0.0.1     Bootstrap Consul Server
192.0.0.2     Consul Server
192.0.0.3     Consul Server

Slide 8

SETUP CONSUL SERVER 1 (BOOTSTRAP)

{
  "bootstrap": true,
  "server": true,
  "datacenter": "blibli",
  "data_dir": "/opt/var/consul",
  "log_level": "INFO",
  "bind_addr": "192.0.0.1",
  "client_addr": "192.0.0.1"
}

Slide 9

SETUP CONSUL SERVER 2

{
  "bootstrap": false,
  "server": true,
  "datacenter": "blibli",
  "data_dir": "/opt/var/consul",
  "log_level": "INFO",
  "bind_addr": "192.0.0.2",
  "client_addr": "192.0.0.2",
  "start_join": ["192.0.0.1", "192.0.0.3"]
}

Slide 10

SETUP CONSUL SERVER 3

{
  "bootstrap": false,
  "server": true,
  "datacenter": "blibli",
  "data_dir": "/opt/var/consul",
  "log_level": "INFO",
  "bind_addr": "192.0.0.3",
  "client_addr": "192.0.0.3",
  "start_join": ["192.0.0.1", "192.0.0.2"]
}

Slide 11

SETUP CONSUL CLIENT

{
  "server": false,
  "datacenter": "blibli",
  "data_dir": "/opt/var/consul",
  "log_level": "INFO",
  "bind_addr": "192.0.1.1",
  "client_addr": "192.0.1.1",
  "start_join": ["192.0.0.1", "192.0.0.2", "192.0.0.3"]
}

Slide 12

START CONSUL AGENT

consul agent -ui -config-dir /opt/consul/config

▸ All Consul configuration is saved as JSON files in one directory.
▸ Consul automatically reads every JSON file in the config directory.
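Before shipping a config directory like the one above, it is worth checking the four agent files against each other rather than one at a time. The following added example (not from the slides or from the Consul project) embeds constructed JSON documents that mirror the three servers and the client from slides 8 to 11 and validates the cluster-wide invariants: exactly one bootstrap server, start_join peers that are real servers, no agent joining itself, no wildcard bind or client address, and one datacenter name everywhere. A constructed broken variant shows what the checks catch.

```python
"""Cluster-wide sanity check for Consul agent configuration files.

Added example, not from the slides or the Consul project: the JSON documents
below are constructed to mirror the four agents on slides 8 to 11.
"""
import ipaddress
import json

# Constructed sample configs keyed by the host each agent runs on.
CONFIGS = {
    "192.0.0.1": '{"bootstrap": true, "server": true, "datacenter": "blibli", '
                 '"data_dir": "/opt/var/consul", "log_level": "INFO", '
                 '"bind_addr": "192.0.0.1", "client_addr": "192.0.0.1"}',
    "192.0.0.2": '{"bootstrap": false, "server": true, "datacenter": "blibli", '
                 '"data_dir": "/opt/var/consul", "log_level": "INFO", '
                 '"bind_addr": "192.0.0.2", "client_addr": "192.0.0.2", '
                 '"start_join": ["192.0.0.1", "192.0.0.3"]}',
    "192.0.0.3": '{"bootstrap": false, "server": true, "datacenter": "blibli", '
                 '"data_dir": "/opt/var/consul", "log_level": "INFO", '
                 '"bind_addr": "192.0.0.3", "client_addr": "192.0.0.3", '
                 '"start_join": ["192.0.0.1", "192.0.0.2"]}',
    "192.0.1.1": '{"server": false, "datacenter": "blibli", '
                 '"data_dir": "/opt/var/consul", "log_level": "INFO", '
                 '"bind_addr": "192.0.1.1", "client_addr": "192.0.1.1", '
                 '"start_join": ["192.0.0.1", "192.0.0.2", "192.0.0.3"]}',
}

# Constructed counter-example: a second bootstrap server (two independent
# Raft leaders, i.e. split brain) and a client whose HTTP API listens on
# every interface instead of its own address.
BROKEN_CONFIGS = dict(CONFIGS)
BROKEN_CONFIGS["192.0.0.3"] = CONFIGS["192.0.0.3"].replace('"bootstrap": false', '"bootstrap": true')
BROKEN_CONFIGS["192.0.1.1"] = CONFIGS["192.0.1.1"].replace('"client_addr": "192.0.1.1"', '"client_addr": "0.0.0.0"')


def validate_cluster(configs):
    """Return every problem found across the cluster; an empty list means OK."""
    problems = []
    parsed = {}
    for host, raw in configs.items():
        try:
            parsed[host] = json.loads(raw)
        except json.JSONDecodeError as exc:
            # Typical cause: curly quotes pasted from a slide or a document.
            problems.append(f"{host}: invalid JSON ({exc.msg})")

    bootstrap_hosts = sorted(h for h, c in parsed.items() if c.get("bootstrap"))
    if len(bootstrap_hosts) != 1:
        problems.append(f"expected exactly one bootstrap server, found {bootstrap_hosts}")
    servers = {h for h, c in parsed.items() if c.get("server")}
    datacenters = {c.get("datacenter") for c in parsed.values()}
    if len(datacenters) != 1:
        problems.append(f"agents disagree on the datacenter name: {sorted(map(str, datacenters))}")

    for host, cfg in parsed.items():
        if cfg.get("bootstrap") and not cfg.get("server"):
            problems.append(f"{host}: bootstrap=true requires server=true")
        for key in ("bind_addr", "client_addr"):
            addr = cfg.get(key)
            if addr is None:
                problems.append(f"{host}: {key} is missing")
                continue
            try:
                if ipaddress.ip_address(addr).is_unspecified:
                    problems.append(f"{host}: {key}={addr} exposes the agent on every interface")
            except ValueError:
                problems.append(f"{host}: {key}={addr!r} is not an IP address")
        if cfg.get("bind_addr") != host:
            problems.append(f"{host}: bind_addr {cfg.get('bind_addr')!r} does not match the host it runs on")
        peers = cfg.get("start_join", [])
        if host in peers:
            problems.append(f"{host}: start_join lists the agent itself")
        if not cfg.get("bootstrap") and not peers:
            problems.append(f"{host}: non-bootstrap agent has no start_join peers")
        unknown = sorted(set(peers) - servers)
        if unknown:
            problems.append(f"{host}: start_join targets hosts that are not servers: {unknown}")
    return problems


if __name__ == "__main__":
    for name, configs in (("slides", CONFIGS), ("broken", BROKEN_CONFIGS)):
        print(name, validate_cluster(configs) or "OK")
```

The JSON parse failure path matters in practice: the quotes on the original slides are typographic, and an agent pointed at such a file fails to start, so the validator reports that before any topology check.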

Slide 13

CENTRALIZED CONFIGURATION

Slide 14

VAULT

Slide 15

Slide 15 text

No content

Slide 16

WHAT IS VAULT?

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

Slide 17

VAULT ARCHITECTURE

CLIENT   BACKEND

STORAGE
▸ Consul
▸ Cassandra
▸ MongoDB
▸ PostgreSQL
▸ ……

Slide 18

CONFIGURE VAULT WITH CONSUL

backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

Slide 19

START VAULT

vault server -config=config.hcl

Slide 20

INITIALIZE VAULT

export VAULT_ADDR='http://127.0.0.1:8200'
vault init

Unseal Key 1: Xjgw4P1d9f0lJZRlSqqmVM+AlHijLECiFa9cG2WwuNt+
Unseal Key 2: c9QjPxYlYT4JBEYGVFPRS7ieE3oRIe6bfd56lXYEFv6j
Unseal Key 3: ho7eoaQTaBiiUC4PQBuJVvFABr4w0VAlGZKdSeBYuz3w
Unseal Key 4: NMTsFqhUstk2cKxw/iCFE7pLVAFlWB+/gDxFd/sbLll5
Unseal Key 5: EZuPVPnjKu0TfxeOIP+qS7p1wiBJnraiO3S8WINevT7J
Initial Root Token: dda76855-067d-e2b0-ff9c-4b35b3ddb05c

Slide 21

UNSEAL VAULT

vault unseal
vault unseal
vault unseal

(run once per unseal key; with the default five keys and a threshold of three, the third key opens the vault)
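The reason three `vault unseal` calls are needed, and no single key holder can open the vault alone, is that `vault init` split the master key into Shamir shares. The following added example (not Vault's code) implements Shamir secret sharing over a prime field and a constructed `ShamirSeal` model that mirrors Vault's unseal progress counter: shares go in one at a time, reconstruction only happens at the threshold, and a wrong share resets progress instead of opening. Vault itself shares each byte of the master key over GF(2^8), and the master secret, share count and threshold here are assumed for the illustration.

```python
"""Shamir secret sharing behind `vault init` / `vault unseal`.

Added example, not Vault's implementation: arithmetic is over a prime field,
whereas Vault shares byte-wise over GF(2^8); the principle is identical.
"""
import hashlib
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; every share value lives in GF(PRIME)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares=5, threshold=3):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange-interpolate at x = 0 to recover the constant term.
    With fewer than `threshold` shares the result is simply wrong, not an
    error: every secret is equally consistent with the shares held."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class ShamirSeal:
    """Constructed model of Vault's seal: one share per `vault unseal` call,
    reconstruction only at the threshold, progress reset on a bad attempt."""

    def __init__(self, master_secret, shares=5, threshold=3):
        self.threshold = threshold
        self.shares = split_secret(master_secret, shares, threshold)
        # Only a fingerprint is kept; the model never stores the secret itself.
        self._fingerprint = self._fp(master_secret)
        self._submitted = []
        self.sealed = True

    @staticmethod
    def _fp(value):
        return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()

    def unseal(self, share):
        """Submit one share; return the unseal progress (0 once already open)."""
        if not self.sealed:
            return 0
        if all(x != share[0] for x, _ in self._submitted):
            self._submitted.append(share)
        if len(self._submitted) < self.threshold:
            return len(self._submitted)
        candidate = combine_shares(self._submitted)
        self._submitted = []  # progress resets whether or not the attempt succeeds
        if self._fp(candidate) != self._fingerprint:
            raise ValueError("submitted keys did not reconstruct the master key")
        self.sealed = False
        return self.threshold


if __name__ == "__main__":
    seal = ShamirSeal(master_secret=2**100 + 7)
    for share in seal.shares[:3]:
        print("unseal progress:", seal.unseal(share), "sealed:", seal.sealed)
```

The operational consequence is the one the slide's output hints at: the five keys printed by `vault init` should go to five different custodians, because any three of them together are the master key, and a fourth or fifth adds nothing.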

Slide 22

WRITE VALUE TO VAULT

vault auth
vault write secret/pyeongyang-common key=value

Slide 23

READ VALUE FROM VAULT

vault auth
vault read secret/pyeongyang-common

Key                 Value
---                 -----
refresh_interval    768h0m0s
key                 value

Slide 24

SPRING CLOUD

Slide 25

ADD CONSUL DEPENDENCY

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-consul-config</artifactId>
</dependency>

Slide 26

ADD CONSUL CONFIGURATION (BOOTSTRAP.PROPERTIES)

spring.application.name=blibli-demo
spring.cloud.consul.config.fail-fast=true
spring.cloud.consul.host=localhost
spring.cloud.consul.port=8500

Slide 27

ADD VAULT DEPENDENCY

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>

Slide 28

ADD VAULT CONFIGURATION (BOOTSTRAP.PROPERTIES)

spring.cloud.vault.fail-fast=true
spring.cloud.vault.scheme=${VAULT_SCHEME}
spring.cloud.vault.host=${VAULT_HOST}
spring.cloud.vault.port=${VAULT_PORT}
spring.cloud.vault.token=${VAULT_TOKEN}
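The bootstrap.properties above keeps every Vault connection detail, including the token, out of the file by using `${...}` placeholders that Spring resolves from the environment at startup. The following added example (not from the slides or from Spring Cloud) is a small Python parser that mimics Spring's `${name}` and `${name:default}` placeholder syntax, resolves it against a given environment, and audits the Vault settings for the weak forms a reviewer should reject: a literal token (or a token smuggled in as a placeholder default), a plain `http` scheme (the listener on slide 18 has `tls_disable = 1`, which is only acceptable for a local demo), and `fail-fast` not set to `true`. The two properties files are constructed: one mirrors the slide, the other is a deliberately weak counter-example.

```python
"""Placeholder resolution and audit for Spring Cloud Vault bootstrap settings.

Added example, not Spring's code: the placeholder grammar mimics Spring's
${name} / ${name:default}; both properties files below are constructed.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.\-]+)(?::([^}]*))?\}")

GOOD = """\
# Constructed sample mirroring the slide: connection details come from the environment.
spring.cloud.vault.fail-fast=true
spring.cloud.vault.scheme=${VAULT_SCHEME:https}
spring.cloud.vault.host=${VAULT_HOST}
spring.cloud.vault.port=${VAULT_PORT:8200}
spring.cloud.vault.token=${VAULT_TOKEN}
"""

WEAK = """\
# Constructed counter-example: weak settings and a token baked into the file.
spring.cloud.vault.fail-fast=false
spring.cloud.vault.scheme=http
spring.cloud.vault.host=vault.internal
spring.cloud.vault.port=8200
spring.cloud.vault.token=${VAULT_TOKEN:EXAMPLE-HARDCODED-TOKEN}
"""


def parse_properties(text):
    """Minimal .properties reader: skips blanks and # / ! comments, splits on = or :."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def resolve(props, env):
    """Substitute placeholders from env (falling back to the default part).
    Returns (resolved_props, unresolved) where unresolved lists 'key -> NAME'
    for placeholders that had neither an env value nor a default."""
    resolved, unresolved = {}, []
    for key, value in props.items():
        def substitute(m, key=key):
            name, default = m.group(1), m.group(2)
            if name in env:
                return env[name]
            if default is not None:
                return default
            unresolved.append(f"{key} -> {name}")
            return m.group(0)  # leave it visibly unresolved
        resolved[key] = PLACEHOLDER.sub(substitute, value)
    return resolved, unresolved


def audit_vault_settings(props):
    """Return findings for the settings that should never be weak in a committed file."""
    findings = []
    token = props.get("spring.cloud.vault.token", "")
    m = PLACEHOLDER.fullmatch(token)
    if not token:
        findings.append("spring.cloud.vault.token: not set")
    elif m is None:
        findings.append("spring.cloud.vault.token: literal token committed to the properties file")
    elif m.group(2):
        findings.append("spring.cloud.vault.token: placeholder default is itself a committed token")
    if props.get("spring.cloud.vault.scheme", "").lower() == "http":
        findings.append("spring.cloud.vault.scheme: plain http sends the token and secrets unencrypted")
    if props.get("spring.cloud.vault.fail-fast", "").lower() != "true":
        findings.append("spring.cloud.vault.fail-fast: not true, the app would start without its secrets")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("weak", WEAK)):
        props = parse_properties(text)
        print(label, audit_vault_settings(props) or "OK")
    print(resolve(parse_properties(GOOD), {"VAULT_HOST": "vault.internal", "VAULT_TOKEN": "t"}))
```

Running `resolve` with an empty environment is the useful negative case: it reports `VAULT_HOST` and `VAULT_TOKEN` as unresolved, which is exactly the situation `spring.cloud.vault.fail-fast=true` turns into a startup failure instead of an application silently running without its secrets.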

Slide 29

DEMO

Slide 30

NEXT PLAN

Slide 31

NEXT PLAN
▸ Pyeongyang Backend Common + Member will be the first project using Consul. (June Release Train)
▸ Configuration Management for all Spring Boot projects should use Consul + Vault. (July - August Release Train)
▸ We will use Consul as Service Registry.
▸ We will use Client Side Load Balancing.

Slide 32

REFERENCES
▸ https://www.consul.io/
▸ https://www.vaultproject.io/
▸ https://cloud.spring.io/spring-cloud-config/
▸ https://cloud.spring.io/spring-cloud-consul/
▸ http://cloud.spring.io/spring-cloud-vault/
▸ https://spring.io/guides/gs/centralized-configuration/