Consul, Vault, and the 12 Factor App

Tim Hartmann
June 28, 2018

Introduction to Consul, Vault, and the Twelve Factor App

Transcript

  1. • Cloud Native Application is the strategy
     • The Twelve-Factor App is the methodology
     • Tools!
     • Consul - Service Discovery, KV, and so much more
     • Vault - Secret Storage… and more!
     • sooo many tools…
  2. Why should anyone care about all this stuff?
     • Building Cloud Native Apps
     • Twelve-Factor Apps
     • DevOps
     • Continuous Delivery
     • Micro Services
     • Consul
     • Vault
     • Docker
     • envconsul
     • consul-template
     • Buzzword, Buzzword…
     • Wait, wait, wait…
     • Why do you care?
     • Why do I?
  3. Why do you care? Why do I?
     • You are in control.
     • More Speed! (aka Disposability)
     • The desire to have the application start / stop quickly to improve scalability, code, or config changes.
     • Deployments are easier (also fewer pages at 4am!)
     • “Need to know” - I don’t need to know how it works.
     • Stability and scalability of the application
     • SRE is not in the critical path for changes!
     • Fewer pages at 4am!
  4. So, how can tools help? Let’s talk about the 3rd factor, CONFIGS
     • The third of the twelve factors - Configs
     • Strictly separating configs from code: configs change across deploys, code does not.
     • What are some examples of configs that you know about?
  5. So, how can tools help? Let’s talk about the 3rd factor, CONFIGS
     • The third of the twelve factors - Configs
     • Strictly separating configs from code: configs change across deploys, code does not.
     • What are some examples of configs that you know about?
     • Some example questions that you might want to answer:
     • To which database should I connect?
     • What credentials should I use to connect?
  6. Using Consul to look up info! AKA - Stuff that’s Not-So-Secret!
     • Consul provides a standard method to pass configs to the application environment.
     • GUI, DNS API, and REST API interfaces
     • Helper tools, envconsul and consul-template, make it easier to wrap the application.
     • envconsul allows us to inject configs into the environment from a Consul or Vault lookup.
     • consul-template uses a templating language to write configs and secrets, and to supervise application startup and behavior.
     • We use these helpers as entry points when running applications out of Docker.
     • consul-template has some extra features:
     • it allows us to keep *secrets* out of the environment, where they are more easily read
  7.

  8. Vault - Where the secrets are!
     • Vault provides a standard method to pass *secrets* to the application environment.
     • Secure KV store for storing static secrets. (1Password for infrastructure)
     • Dynamic Secrets!!
     • Why did I put a REAL PASSWORD in a SLIDE?
     • Secrets can have a time to live (TTL) and be expired. (24h)
     • I was able to revoke quickly.
     • Oh yeah, remember how I revoked that credential? We can do that in bulk operations.
  9. Things to try at home! For ASICS UIs you’ll log in with a GitHub personal access token!
     • https://asics-services.us-east-1.staging.asics.digital/
     • https://vault.us-east-1.staging.asics.digital/ (You won’t see much)
     • Consul Demo : asicsdigital/docker-consul-vault-demo
     • Reference Health check app using envconsul
       https://healthcheck.staging.asics.digital/healthcheck
       https://asics-services.us-east-1.staging.asics.digital/ui/#/asics-services-staging-us-east-1/kv/healthcheck/
       https://github.com/asicsdigital/healthcheck
     • How Kickstarter uses Vault : https://kickstarter.engineering/ecs-vault-shhhhh-i-have-a-secret-40e41af42c28
     • The Twelve-factor App : https://12factor.net/

  10. Thank you!
     What would you need to include these tools and methodologies in your next project?
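
Slide 6's point about keeping secrets out of the environment, shown as an added example that is not part of the original deck: a Python child process stands in for the wrapped application, and the two delivery styles are only imitated, without calling envconsul or consul-template. `DB_PASSWORD`, `APP_CONFIG`, `app.conf` and the secret value are constructed, hypothetical names.

```python
import os
import stat
import subprocess
import sys
import tempfile

SECRET = "constructed-db-password"  # constructed sample value, not a real credential

# Stand-in for the wrapped application: prints DB_PASSWORD if it inherited one.
CHILD = "import os, sys; sys.stdout.write(os.environ.get('DB_PASSWORD', ''))"


def run_child(env):
    """Start the stand-in application with the given environment."""
    done = subprocess.run([sys.executable, "-c", CHILD], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout


def deliver_via_environment():
    """envconsul-style delivery: the secret is exported as a variable."""
    # Inherited by every child process; on Linux also exposed in
    # /proc/<pid>/environ to the same user and to root.
    return run_child(dict(os.environ, DB_PASSWORD=SECRET))


def deliver_via_file(directory):
    """consul-template-style delivery: render a file, pass only its path."""
    path = os.path.join(directory, "app.conf")  # hypothetical file name
    # O_EXCL refuses a pre-existing file; 0600 applies from creation onward.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        os.fchmod(handle.fileno(), 0o600)  # do not depend on the umask
        handle.write(f"db_password = {SECRET}\n")
    env = {k: v for k, v in os.environ.items() if k != "DB_PASSWORD"}
    env["APP_CONFIG"] = path  # hypothetical variable: a path, not the secret
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return run_child(env), mode


def compare():
    """Return (secret seen via env, secret seen via file delivery, file mode)."""
    with tempfile.TemporaryDirectory() as directory:
        return (deliver_via_environment(),) + deliver_via_file(directory)


if __name__ == "__main__":
    print(compare())
```

With file delivery the application must read and parse the file itself, and the secret's exposure is then governed by file ownership and mode instead of by process inheritance.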