Slide 1

Slide 1 text

Autoconfiguration of Consul Clients

Slide 2

Slide 2 text

Hans Hasselberg twitter.com/hanshasselberg

Slide 3

Slide 3 text

Running Consul • Running Consul securely is hard • Focus on Consul client configuration related to security • https://learn.hashicorp.com/consul

Slide 5

Slide 5 text

Running Consul without any security

// config.json
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "retry_join": "192.168.1.1"
}

Slide 6

Slide 6 text

Running Consul with gossip encryption

// config.json
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "retry_join": "192.168.1.1",
  "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk="
}

Slide 7

Slide 7 text

Running Consul with gossip encryption and TLS

// config.json
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "retry_join": "192.168.1.1",
  "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "./consul-agent-ca.pem",
  "cert_file": "./dc1-client-consul-0.pem",
  "key_file": "./dc1-client-consul-0-key.pem"
}

Slide 8

Slide 8 text

Running Consul with gossip encryption, TLS and ACLs

// config.json
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "retry_join": "192.168.1.1",
  "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "./consul-agent-ca.pem",
  "cert_file": "./dc1-client-consul-0.pem",
  "key_file": "./dc1-client-consul-0-key.pem",
  "acl": {
    "enabled": true,
    "tokens": {
      "agent": "fe31ce76-9bbf-dd55-c749-1df6224ff1d3"
    }
  }
}

Slide 9

Slide 9 text

The End?

• 👏 great that you got that far, that was not easy
• 🔐 your Consul cluster is pretty secure
• 🤔 BUT, only if:
  • your gossip key is stored securely for provisioning new clients
  • when you rotate your gossip key, new clients get the new key
  • your client certificate pair is stored securely as well and has a sensible expiration date
  • you rotate your client certificate
  • you can rotate your CA
  • your agent ACL token has the least privileges it needs
  • your management token, which is used to create all of the above, is stored securely
• 😱 At $lastjob I never rotated the gossip key, never rotated the client certs, and didn't enable ACLs.

Slide 10

Slide 10 text

AutoConfig

• https://www.consul.io/docs/agent/options#auto_config
• When starting up, but before joining the cluster, the client agent makes an RPC to the configured server addresses to request its configuration settings: its agent ACL token, TLS certificates and gossip encryption key, as well as other configuration settings.

Slide 11

Slide 11 text

AutoConfig with every security feature enabled

// config.json
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "ca_file": "./consul-agent-ca.pem",
  "auto_config": {
    "enabled": true,
    "server_addresses": ["192.168.1.1"],
    "intro_token": "eyJhbGciOiJFUzI1N…"
  }
}

Slide 12

Slide 12 text

AutoConfig

// config.json (with auto_config)
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "ca_file": "./consul-agent-ca.pem",
  "auto_config": {
    "enabled": true,
    "server_addresses": ["192.168.1.1"],
    "intro_token": "eyJhbGciOiJFUzI1N…"
  }
}

// config.json (everything configured by hand)
{
  "data_dir": "./data",
  "bind_addr": "192.168.1.239",
  "advertise_addr": "192.168.1.239",
  "retry_join": "192.168.1.1",
  "encrypt": "f3htvkx3YdoXrODa/NEQRn0TY09tj13iiy+PeJJ8nFk=",
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "./consul-agent-ca.pem",
  "cert_file": "./dc1-client-consul-0.pem",
  "key_file": "./dc1-client-consul-0-key.pem",
  "acl": {
    "enabled": true,
    "tokens": {
      "agent": "fe31ce76-9bbf-dd55-c749-1df6224ff1d3"
    }
  }
}

Slide 13

Slide 13 text

AutoConfig

• what is an intro_token?
• where are the client certificates coming from?
• what is Connect?

Slide 14

Slide 14 text

AutoConfig server config

{
  "auto_config": {
    "authorization": {
      "enabled": true,
      "static": {
        "jwt_validation_pub_keys": ["-----BEGIN CERTIFICATE-----\nMIICmz"],
        "bound_issuer": "auto-config-cluster",
        "bound_audiences": ["audience"],
        "claim_mappings": { "sub": "node" },
        "claim_assertions": [ "value.node == \"${node}\"" ]
      }
    }
  }
}
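The intro_token from the client config and the static authorization block above fit together as a JWT exchange: something on the provisioning side mints a short-lived ES256 token for one node, and the server accepts it only if the signature checks out against jwt_validation_pub_keys, iss matches bound_issuer, aud is in bound_audiences, and the sub claim (mapped to value.node by claim_mappings) equals the name of the agent asking to join. The following is an added example, not Consul's own code: it mints such a token with a throwaway P-256 key and then runs the server-side checks in the order they should happen. Everything in it is an assumption for illustration: the key is generated at run time rather than taken from the PEM in the config, the node name dc1-client-0 and the ten-minute lifetime are made up, and only the string form of aud is handled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// introClaims is the claim subset used here; claim_mappings {"sub": "node"} exposes "sub" as value.node.
type introClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// newKeyPair makes a throwaway P-256 key; the public half is what a server would carry, PEM-encoded, in jwt_validation_pub_keys.
func newKeyPair() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// mintIntroToken builds an ES256 JWT whose iss/aud/sub match the server's bound_issuer,
// bound_audiences and claim_mappings; the provisioning system would do this and hand the token to the client.
func mintIntroToken(priv *ecdsa.PrivateKey, issuer, audience, node string, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(introClaims{Iss: issuer, Aud: audience, Sub: node, Exp: time.Now().Add(ttl).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIntroToken runs the checks the static authorization block implies, in the order a server should:
// pin alg, verify the signature with the configured key, then expiry, bound_issuer, bound_audiences and the
// claim_assertion value.node == "${node}", where requestedNode is the name the joining agent claims.
func verifyIntroToken(pub *ecdsa.PublicKey, token, boundIssuer string, boundAudiences []string, requestedNode string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	// Never trust the token's own "alg": pin it, or alg=none and key-confusion tricks become possible.
	var header struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &header) != nil || header.Alg != "ES256" {
		return "", fmt.Errorf("not a valid ES256 JWT header")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims introClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", fmt.Errorf("malformed claims")
	}
	if time.Now().Unix() >= claims.Exp {
		return "", fmt.Errorf("token expired")
	}
	if claims.Iss != boundIssuer {
		return "", fmt.Errorf("issuer %q is not the bound issuer", claims.Iss)
	}
	audOK := false
	for _, a := range boundAudiences {
		audOK = audOK || a == claims.Aud
	}
	if !audOK {
		return "", fmt.Errorf("audience %q is not bound", claims.Aud)
	}
	node := claims.Sub // claim_mappings: sub -> value.node
	if node == "" || node != requestedNode {
		return "", fmt.Errorf("token is for node %q but the request is from %q", node, requestedNode)
	}
	return node, nil
}

func main() {
	priv, pub, _ := newKeyPair()
	tok, _ := mintIntroToken(priv, "auto-config-cluster", "audience", "dc1-client-0", 10*time.Minute)
	fmt.Println(verifyIntroToken(pub, tok, "auto-config-cluster", []string{"audience"}, "dc1-client-0"))
	fmt.Println(verifyIntroToken(pub, tok, "auto-config-cluster", []string{"audience"}, "dc1-client-1"))
}
```

The second call in main shows why the claim_assertion matters: a token leaked from one host cannot be replayed to bootstrap a differently named node, so a stolen intro_token is only useful together with that node's identity, and only until exp. The same logic explains why bound_audiences should name this cluster specifically: a JWT minted for some other consumer of the same signing key is rejected on the aud check before its claims are looked at.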

Slide 15

Slide 15 text

Q&A