Slide 1

Your certificate has expired.

Slide 2

A service’s address and credentials have changed.

Slide 3

Your services are all failing.

Slide 4

How do you secure changing services and improve their resilience?

Slide 5

A service mesh secures service registration and communication.

Slide 6

A secrets manager automates service identity and access.

Slide 7

Secure service communication with mutual authentication. Automate service authentication and authorization.

Slide 8

Benefits
• Add flexibility to certificates
• Automate secret generation
• Improve system resilience
• Reduce operational effort

Slide 9

Note: Use integrated storage for Vault.

Slide 10

Secure service communication with mTLS.

Slide 11

Use Vault as a secrets backend for Consul.

Slide 12

Secrets for Consul Operations
• TLS Certificates for Agents
• Tokens for Access Control Lists (ACLs)
• Encryption Key for Gossip
• Enterprise License
• Agent Configuration for Snapshots

Slide 13

Secrets for Service Mesh

TLS Certificates for Service Mesh
• Encrypt service-to-service communication
• Enables mTLS for east-west traffic

TLS Certificates for API Gateway
• Encrypt communication to services in mesh
• Enables TLS for north-south traffic

Slide 14

A Tale of Two Vault Secrets Engines

PKI
• Generates certificates for Consul
• Handles certificate expiration automatically

Key-Value Version 2
• Stores and secures static secrets
• Rotate secret → update Consul manually

Slide 15

No content

Slide 16

Diagram labels: Consul Agent; Offline Root CA; PKI Secrets Engine (/consul/server/pki, /consul/server/pki_int); Vault Agent Sidecar
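The slide shows a Vault Agent sidecar obtaining the Consul agent's TLS certificate from the intermediate PKI mount. The configuration below is an added example, not code from the deck or from the linked demo repository. It assumes a Kubernetes auth role and a PKI role both named consul-server, the datacenter name dc1, the Vault address, and the file paths shown; none of these appear on the slides.

```hcl
# Vault Agent sidecar configuration (added example, not from the deck).
# Assumed names: Kubernetes auth role "consul-server", PKI role
# "consul-server" under consul/server/pki_int, datacenter "dc1".

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # The sidecar authenticates with the pod's service account token, so no
  # long-lived Vault token has to be baked into the Consul image or config.
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "consul-server"
    }
  }

  sink "file" {
    config = {
      path = "/vault/token"
    }
  }
}

# Issue a short-lived server certificate from the intermediate CA. Vault Agent
# re-renders the template and re-runs the command before the TTL elapses, which
# is what turns "your certificate has expired" into "your certificate has been
# rotated" without an operator in the loop.
template {
  destination = "/consul/tls/server.pem"
  perms       = "0644"
  contents    = <<EOT
{{ with secret "consul/server/pki_int/issue/consul-server" "common_name=server.dc1.consul" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=24h" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{ end }}
EOT
  command = "consul reload"
}

# Same secret request, rendered to a separate, tighter-permission file for the
# private key. Identical secret requests are served by one issue call per
# render cycle, so the key matches the certificate above.
template {
  destination = "/consul/tls/server-key.pem"
  perms       = "0600"
  contents    = <<EOT
{{ with secret "consul/server/pki_int/issue/consul-server" "common_name=server.dc1.consul" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=24h" }}
{{ .Data.private_key }}
{{ end }}
EOT
}
```

On the Consul side, the agent's `tls { defaults { cert_file = "..." key_file = "..." } }` settings point at the two rendered files, so `consul reload` picks up each rotated certificate. Keep the TTL well below the intermediate CA's lifetime and watch the sidecar's logs for failed renders: a sidecar that cannot reach Vault will leave the last-issued certificate in place until it expires.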

Slide 17

No content

Slide 18

Diagram labels: Consul Service Mesh CA; Offline Root CA; PKI Secrets Engine (/consul/connect/pki, /consul/connect/pki_int)
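Slide 18 has Consul's service mesh CA backed by the two PKI mounts. The configuration below is an added example of how a Consul server delegates its mesh CA to those mounts; it is not from the deck or the demo repository. The Vault address, the token placeholder and the TTL values are assumptions; the mount paths are the ones on the slide.

```hcl
# Consul server configuration: Vault as the service mesh CA provider
# (added example, not from the deck). The token must be allowed to manage
# the two PKI mounts below; supply it from a secret, never inline in production.
connect {
  enabled     = true
  ca_provider = "vault"

  ca_config {
    address               = "https://vault.example.internal:8200"
    token                 = "<placeholder: Vault token scoped to the PKI mounts>"
    root_pki_path         = "consul/connect/pki"
    intermediate_pki_path = "consul/connect/pki_int"

    # Leaf certificates for sidecar proxies are short-lived; Consul rotates
    # them automatically well before expiry.
    leaf_cert_ttl         = "72h"
    # Assumed one-year lifetime for the intermediate issued under the offline root.
    intermediate_cert_ttl = "8760h"
  }
}
```

The same settings can be applied to a running cluster with `consul connect ca set-config`, which switches the provider without restarting servers; existing leaf certificates keep working until their rotation, because the previous root stays trusted during the cross-signing period.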

Slide 19

Root CA (Offline Key) → Intermediate CA (Level 1) → Intermediate CA (Level 2) → Intermediate CA (Level 3)

Slide 20

No content

Slide 21

Diagram labels: Consul API Gateway; Offline Root CA; PKI Secrets Engine (/consul/gateway/pki, /consul/gateway/pki_int); Vault CSI Provider; Kubernetes Secret

Slide 22

No content

Slide 23

Automate service authentication & authorization.

Slide 24

Diagram labels: Database (Previous); Application; Database (New); Username & Password; New Username & Password

Slide 25

Use Consul-Terraform-Sync to update the secrets engine in Vault each time a service changes.

Slide 26

Diagram labels: Database Secrets Engine; Role; Policy; Kubernetes Auth Method; Consul-Terraform-Sync; Database (External Service); Application
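Slides 25 and 26 describe Consul-Terraform-Sync re-applying a Terraform module whenever the database service in Consul changes, so that Vault's database secrets engine always points at the current address and the application never holds a static password. The module below is an added example of what that Terraform could contain; it is not the deck's module or the demo repository's code. It assumes the sync task passes the service's address and port into the db_address and db_port variables, that a database secrets mount and a Kubernetes auth mount already exist, and the role, policy, namespace and admin-user names shown.

```hcl
# Terraform applied by a Consul-Terraform-Sync task (added example, not the
# deck's module). Assumed: the task supplies db_address/db_port from the
# Consul service catalog; mounts "database" and "kubernetes" already exist.

variable "db_address" { type = string }
variable "db_port"    { type = number }
variable "db_admin_password" {
  type      = string
  sensitive = true
}

# Connection: re-applied with the new address whenever the service changes,
# which is the "Database (Previous) -> Database (New)" transition on slide 24.
resource "vault_database_secret_backend_connection" "app_db" {
  backend       = "database"
  name          = "app-db"
  allowed_roles = ["app"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@${var.db_address}:${var.db_port}/app?sslmode=require"
    username       = "vault"              # assumed admin account Vault uses to create users
    password       = var.db_admin_password
  }
}

# Role: every application lease gets its own short-lived database user, so a
# leaked credential expires on its own instead of living in a config file.
resource "vault_database_secret_backend_role" "app" {
  backend     = vault_database_secret_backend_connection.app_db.backend
  name        = "app"
  db_name     = vault_database_secret_backend_connection.app_db.name
  default_ttl = 3600
  max_ttl     = 86400
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}

# Policy: the application may only read credentials for its own role.
resource "vault_policy" "app" {
  name   = "app"
  policy = <<EOT
path "database/creds/app" {
  capabilities = ["read"]
}
EOT
}

# Kubernetes auth method: binds the policy to one service account in one
# namespace, so service identity rather than a shared secret grants access.
resource "vault_kubernetes_auth_backend_role" "app" {
  backend                          = "kubernetes"
  role_name                        = "app"
  bound_service_account_names      = ["app"]
  bound_service_account_namespaces = ["default"]
  token_policies                   = [vault_policy.app.name]
  token_ttl                        = 3600
}
```

When the database's address changes in Consul, only the connection resource is updated in place; the role, policy and auth binding are unchanged, and the application keeps requesting credentials from the same `database/creds/app` path. Alert on Terraform apply failures from the sync task, since a failed apply leaves Vault pointing at the old address and every new credential request will fail until it is fixed.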

Slide 27

No content

Slide 28

Secure Together
Certificates, ACL Tokens
Service Identity, Intentions

Slide 29

Your certificate has been rotated.

Slide 30

A service’s address and credentials have been updated.

Slide 31

Your services are still working.

Slide 32

Learn More
Learn more about Vault + Consul at consul.io/docs/k8s/installation/vault
Code at github.com/joatmon08/hashicorp-stack-demoapp