Bulletproof Microservices with Spring and Kubernetes
Download as PPTX, PDF0 likes451 views
The document is a presentation about creating resilient microservices using Spring and Kubernetes, focusing on secure deployment practices. It covers topics like enabling TLS, OAuth 2 authentication, mutual TLS, and automating security with service mesh technologies. The presentation includes demos on implementing these concepts, emphasizing practical steps for securing applications.
Bulletproof Microservices with Spring and Kubernetes
- 1. Bullet-proof Microservices with Spring & Kubernetes September 2–3, 2020 springone.io 1
- 2. About us 2 ● Bella Bai ○ Yuxin Bai ○ 白玉欣 ● Servant of two rescued kitties
- 3. About us 3 ● Oliver Hughes ○ Ollie ○ @olliehughes82
- 4. 4 What is a Bullet-proof microservice?
- 5. 5 🧑 💼 As developers, we want… 💻 🍕🎮
- 6. Pod 6 Deploying apps to Kubernetes Pod Animal Rescue Spring Boot App Container Image Registry Partner Adoption Center Node.js App Container ReplicaSet Deployment ReplicaSet Deployment Service Service 👩 🧑 💻
- 7. Demo - Deploy Animal Rescue
- 9. Demo - Add Basic Auth
- 10. So, back to this diagram... 10 🧑 💼 Username Password ✓
- 12. Add a layer in between! 12 🧑 💼
- 13. Demo - Use Ingress
- 14. Wait, HTTP is not encrypted... 14 🙅 ♀️ Username Password 🧑 🧑 ♀️
- 15. Need to enable TLS, but how? 15 ● Pick a Certificate Authority (CA) ● Manage certificates (issue/update/renew) ● Enable TLS on servers Or Ingress
- 16. ACME HTTP01 Challenge 16 🙋 Need a cert for animalrescue.online plzzzz.
- 17. ACME HTTP01 Challenge 17 🙆 Here is a token, Serve it up with your server, I will check later. Token
- 18. ACME HTTP01 Challenge 18 🧑 💻 📄 with token
- 19. ACME HTTP01 Challenge 19 💁 Ready for action!
- 20. ACME HTTP01 Challenge 2 0 💁 Retrieve and verify the file from http://animalrescue.online/.well- known/acme-challenge/<TOKEN>
- 21. ACME HTTP01 Challenge 21 🙇 I trust this account. I will grant a valid cert - On their next request.
- 22. ACME HTTP01 Challenge 2 2 🧑 Retrieve cert
- 24. Demo - Enable TLS
- 25. Now the communication is secured 2 5 💁 Username Password 🙈
- 26. But I want to use my GitHub account! 2 6 🙅 ♀️ Username Password
- 27. OAuth 2 2 7 🙋 ♀️
- 28. Demo - OAuth 2 with oauth-proxy
- 29. But OAuth2 is for users, what about machines? 2 9 🧑
- 30. Clients can prove their identities too! 3 0 🧑 ⚖️ Private Certificate Authority IssueIssue Mutual TLS
- 31. How to mTLS in k8s? 31 Create CA certificate with a self-signed issuer Create CA issuer with the created CA certificate Issue certificates with the created CA issuer Mount certificates on app deployments Update apps to use the mounted certificate for mTLS Step by step guide: https://blog.jetstack.io/blog/securing-mysql-with-cert-manager/
- 32. Autocert makes mTLS easier 3 2 Create CA certificate with a self-signed issuer Create CA issuer with the created CA certificate Create certificates with the created CA issuer Mount certificates on app deployments Update apps to use the mounted certificate for mTLS
- 33. Demo - mTLS with Autocert
- 34. A few notes about Autocert 3 4 ● Pros: ○ Certificates are generated and only available within the pod ○ Easy to set up and run - just one annotation needed ○ Perfect for apps that already know how to handle mTLS ● Cons: ○ Need to add some code to: ■ Load the certs and keys ■ Watch for file changes on cert rotation ○ No fine-grained access control
- 35. Automating mTLS with Service Mesh 3 5 Tanzu Service Mesh Istio Tanzu Service Mesh: https://docs.vmware.com/en/VMware-Tanzu-Service-Mesh/services/concepts-guide/GUID-9E3F1F90-4310-415B-98C8-C06E59B8A5EE.html Traefik: https://docs.traefik.io/https/tls/#client-authentication-mtls Istio: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication Linkerd: https://linkerd.io/2/features/automatic-mtls/
- 37. Bella Bai LittleBaiBai bellalleb_bai Oliver Hughes @olliehughes82 #springone@s1p Stay Connected.