Concepts of Vault Setup: on-Prem Transition to GCP
Manuel Eiweck, Cloud Engineer @ Posedio
• @ TU
• Started working as Backend Developer 2017
• Experience as Backend/Frontend Dev
• Managing on-Prem and Cloud Workloads
Google Secret Manager: simplicity
• Coupled with Google IAM authentication/authorisation
• Limited multi-tenancy, via GCP projects
• Simple key-value store
• GCP only, no cross-platform integration

HashiCorp Vault (compared to Secret Manager)
• Auth methods: Google IAM + Kubernetes, JWT/OIDC, GitLab, Keycloak, …
• Full multi-tenancy + fine-granular access control lists (Vault policies)
• GCP + on-Prem and other cloud vendors
• Key-value store + dynamic secrets
• Encryption as a Service (Transit secrets engine), highly customizable
Node Load Balancer
• "Distribute" between leader and non-leader nodes -> detect the leader via health check
• TLS/SSL termination / offloading at the load balancer for users: https://myvault.company.com (the hop from the load balancer to the nodes is re-encrypted, backend protocol HTTPS)
• Optional: http(s)://node1.myvault.company.com/v1/sys/health
  - 200: initialized, unsealed and active (the leader)
  - 429: unsealed standby (default code, i.e. unhealthy for a health check that only accepts 200)
  - 473: performance standby
  - 503: sealed, 501: not initialized
  - https://developer.hashicorp.com/vault/api-docs/system/health
• …/v1/sys/health?standbycode=200 => override the status codes, e.g. to make standby nodes pass the health check as well
• Caveat: Vault OSS standby nodes forward client requests to the active node, so routing only to the active node (the default) avoids an extra hop; performance standbys (Enterprise) answer reads locally
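The health-check semantics above, as an added shell example that is not part of the original slides: it probes each Vault node's /v1/sys/health the way the load balancer does, maps the documented status codes to a node role, and optionally builds the override URL. The node names, the port 8200 and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): probe every Vault node's
# /v1/sys/health endpoint and classify it like a load balancer health check.
# Assumptions: Vault API on port 8200, node names passed as arguments.
set -eu

VAULT_PORT="${VAULT_PORT:-8200}"

# Map the default status codes of /v1/sys/health to a role. Only 200 counts
# as healthy for the load balancer, which is why the active node gets traffic.
health_state() {
  case "$1" in
    200) echo "active" ;;
    429) echo "standby" ;;
    472) echo "dr-secondary" ;;
    473) echo "performance-standby" ;;
    501) echo "uninitialized" ;;
    503) echo "sealed" ;;
    *)   echo "unknown($1)" ;;
  esac
}

# Build the health URL. With override=1 the standby codes are rewritten to
# 200 (standbycode / performancestandbycode query parameters), so standby
# nodes pass the check too if the LB should spread connections.
health_url() {
  local host="$1" override="${2:-0}"
  local url="https://${host}:${VAULT_PORT}/v1/sys/health"
  if [ "$override" = "1" ]; then
    url="${url}?standbycode=200&performancestandbycode=200"
  fi
  echo "$url"
}

# Return only the HTTP status code; 000 means the node was unreachable.
probe_code() {
  local code
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 3 \
    "$(health_url "$1" "${2:-0}")" 2>/dev/null) || code="000"
  echo "$code"
}

# Print "host state code" per node; exit 0 only if an active node exists.
find_leader() {
  local found=1 host code
  for host in "$@"; do
    code="$(probe_code "$host")"
    printf '%s %s %s\n' "$host" "$(health_state "$code")" "$code"
    if [ "$code" = "200" ]; then found=0; fi
  done
  return "$found"
}

# Usage: ./vault-health.sh node1.myvault.company.com node2... node3...
if [ "${1:-}" != "" ]; then
  find_leader "$@"
fi
```

Run it against all nodes after a failover to confirm that exactly one node reports `active`; if every node reports `sealed` or `uninitialized`, the load balancer will have no healthy backend at all.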
Managed VMs
• "Low level" direct control of resources instead of another virtualization layer like Kubernetes
• Encouraged by HashiCorp due to fewer dependencies on 3rd-party systems
• Think in generic IT concepts like VMs instead of vendor products like Compute Engine
• Loosely coupled to GCP: possibility to transition to another cloud vendor
• Better manageable costs
```hcl
resource "google_compute_region_backend_service" "vault-backend-service" {
  project               = local.gcp_project_id
  name                  = "${local.instance_name}-backend-service"
  protocol              = "HTTPS"
  load_balancing_scheme = "INTERNAL_MANAGED"
  health_checks         = [google_compute_health_check.loadbalancer.id]
  region                = local.gcp_region

  backend {
    group           = google_compute_region_instance_group_manager.vault.instance_group
    capacity_scaler = 1.0
    balancing_mode  = "UTILIZATION"
  }
}

resource "google_compute_health_check" "loadbalancer" {
  ...
  https_health_check {
    port         = local.network_vault_api_port
    request_path = "/v1/sys/health"
    # Only HTTP 200 counts as healthy, so the load balancer
    # directs traffic only towards the ACTIVE node.
  }
}
```

Which load balancer type to pick (on-Prem vs. GCP) highly depends on what kind of service you want:
* Regional vs. Global
* Public or private network
Use basic VMs ("compute instance")
• Build a startup.sh script for installing Vault and pass it to the compute instance
• Build the Vault config file (myVaultConfig.yml on the slides; Vault parses HCL or JSON, not YAML, so the content is HCL as shown in the architecture slide)
• Use a bucket as GCS storage backend (persistence + HA via ha_enabled)
• Use a KMS key ring for auto unseal
• Use a managed instance group for the HA setup
• Use the health check for distributing traffic to the leader node
[Architecture diagram]
• Google Load Balancer: Forwarding Rule -> HTTPS Proxy -> URL Map -> Backend Service -> LB Health Check
  - SSL offloading
  - Redirecting to the leader node (health check on /v1/sys/health)
• Managed Instance Group: VM 1, VM 2, VM 3
  - Autohealing
  - Managed Vault installation (bash)
  - Managed Vault HCL config
• Google Storage (bucket)
  - Leader election
  - Persistence storage (secrets & config)
  - HA
• Google KMS Key Ring
  - Managed rotation of key
  - Auto unseal
  - Secured via Google IAM
• Authentication Provider (separate from Vault)
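The startup.sh and the Vault config from the recipe and the architecture above, as one added shell example that is not the speaker's own script: it renders the HCL config for exactly this setup (GCS storage backend with HA, Google KMS auto unseal, TLS listener, api_addr pointing at the load balancer name), reads its parameters from Compute Engine instance metadata and starts the service. The metadata attribute names (vault-bucket, vault-kms-region, vault-key-ring, vault-crypto-key), the TLS file paths and the assumption that the HashiCorp apt repository is already configured are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the speaker's startup.sh): render the Vault HCL config
# for the slides' setup (GCS storage with HA, Google KMS auto unseal, TLS
# listener) and install/start Vault on a Compute Engine VM.
# Assumptions: HashiCorp apt repo configured, TLS files already in place,
# instance metadata attributes vault-bucket / vault-kms-region /
# vault-key-ring / vault-crypto-key set on the instance template.
set -eu

# Render /etc/vault.d/vault.hcl. Arguments: bucket, project, region,
# key ring, crypto key, public API address (the LB name), this node's IP.
render_vault_config() {
  local bucket="$1" project="$2" region="$3" key_ring="$4" crypto_key="$5"
  local api_addr="$6" node_ip="$7"
  cat <<EOF
ui = true

# GCS bucket: persistence for secrets and config; ha_enabled turns on leader election
storage "gcs" {
  bucket     = "${bucket}"
  ha_enabled = "true"
}

# Google KMS key ring: auto unseal, access controlled via Google IAM
seal "gcpckms" {
  project    = "${project}"
  region     = "${region}"
  key_ring   = "${key_ring}"
  crypto_key = "${crypto_key}"
}

# Vault API; the load balancer re-encrypts to this listener (backend protocol HTTPS)
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

# Address clients get redirected to (the LB name) and this node's cluster address
api_addr     = "${api_addr}"
cluster_addr = "https://${node_ip}:8201"
EOF
}

# Read a value from the Compute Engine metadata server.
metadata() {
  curl -sf -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/$1"
}

# Wait until the local API answers. 200/429 = unsealed via KMS; 501 means the
# cluster still needs a one-time "vault operator init" on the first node.
wait_for_api() {
  local i code
  for i in $(seq 1 60); do
    code=$(curl -sk -o /dev/null -w '%{http_code}' \
      https://127.0.0.1:8200/v1/sys/health 2>/dev/null) || code="000"
    case "$code" in 200|429|501) echo "vault health code: $code"; return 0 ;; esac
    sleep 2
  done
  return 1
}

install_and_start() {
  apt-get update && apt-get install -y vault
  mkdir -p /etc/vault.d/tls
  render_vault_config \
    "$(metadata instance/attributes/vault-bucket)" \
    "$(metadata project/project-id)" \
    "$(metadata instance/attributes/vault-kms-region)" \
    "$(metadata instance/attributes/vault-key-ring)" \
    "$(metadata instance/attributes/vault-crypto-key)" \
    "https://myvault.company.com" \
    "$(metadata instance/network-interfaces/0/ip)" \
    > /etc/vault.d/vault.hcl
  systemctl enable --now vault
  wait_for_api
}

# Only run the installation when invoked as "startup.sh install".
if [ "${1:-}" = "install" ]; then
  install_and_start
fi
```

Because every VM of the instance group renders the same config from its own metadata, a replaced (autohealed) VM joins the cluster without manual steps: the GCS lock handles leader election and the KMS key unseals it, provided the VM's service account is allowed to use that key and to read/write the bucket.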
• "Golden image": instead of bash scripts on boot-up, use HashiCorp Packer to build a VM image, rather than starting from the plain debian-cloud/debian-12 image
• Security hardening: SSH, automated VM OS patches, network policies, …
• Integrate Google Alerting and Dashboards
• Have a standardised way to share secrets within your company / team
• Take advantage of fully managed services (GCS, KMS, load balancer, instance groups)
• Integrate a separate authentication provider
• Customize to your needs
• Fully compatible with GCP, other cloud vendors and on-Prem workloads
• Secure by design by using industry standards like Vault