Kubernautes meetup II
0 likes141 views
The document contains an agenda for a Kubernautes II meetup in Vienna on October 18th, 2019. The agenda includes presentations about ME2Digital, Azure Kubernetes Service (AKS), Hashicorp Vault, and how the presenter's company uses Vault and Consul. The document also provides background information on ME2Digital, AKS, the history of Hashicorp, and how Vault works.
Kubernautes meetup II
- 1. Kubernautes II Kubernautes II Meetup Vienna 18.10.2019 1
- 2. Agenda • About ME2D • What’s AKS • Accelerate containerized application development • History of Hashicorp • Hashicorp Vault • Hashicorp Vault architecture • Hashicorp Vault Seal • Hashicorp Vault Setup • Policy-Authorization Workflow • How we use Vault and Consul 18.10.2019 2
- 3. About ME2Digital • Aleksandar Lazic since ~20 years in IT • Since 2003 active in haproxy community • Since 2006 active in nginx community => nginxpert • Since ??? in curl active community • Since 2015 in openshift community • Stay always curious • I like what I do and I do it with passion ;-) • I founded ME2Digital in 2017 18.10.2019 3
- 4. What’s Azure AKS • Azure Kubernetes Service • Launched Oct. 24th 2017 • Precursor was ACS (Azure container service) • More or less Vanilla Kubernetes ● HA Masters ● Nodes are Azure VM Machines ● “harden OS” • Registry own Product ACR (Azure container registry) • AKS SLA 99,5% “strive to attain” 18.10.2019 4
- 6. History of Hashicorp • Hashicorp founded 2012 by Mitchell Hashimoto and Armon Dadgar • Some Products ● Vagrant => Virtualization tool ● Packer => Image creation tool ● Terraform => Provisionig tool ● Consul => DNS and Key Value Server ● Vault => Secrets Management Server 18.10.2019 6
- 7. Hashicorp Vault • First release Apr. 28th 2015 ● https://www.hashicorp.com/blog/vault-announcement/ • Features ● Secrets Management (dynamic and static) ● Automatic TTL handling ● ACL’s and Auditing ● Multiple authentication methods ● Different versions available: OSS and Enterprise ● API Driven 18.10.2019 7
- 9. Hashicorp Vault Seal https://www.vaultproject.io/docs/concepts/seal.html • Sealed by default ● When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it. ● Shamir's secret sharing algorithm ● https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing ● Fist step is always to unseal the encrypted store ● Manual unseal ● https://www.vaultproject.io/docs/commands/operator/unseal.html ● Auto unseal ● https://www.vaultproject.io/docs/configuration/seal/azurekeyvault.html 18.10.2019 9
- 10. Hashicorp Vault Setup • Configuration via HCL (HashiCorp configuration language) • Secrets engines https://www.vaultproject.io/docs/secrets/index.html ● Key / Value ● PKI • Different Backends ● For example Consul which is a HA one ● Overview of backends https://www.vaultproject.io/docs/configuration/storage/index.html • Setup Policies https://www.vaultproject.io/docs/concepts/policies.html 18.10.2019 10
- 12. How we use Vault and Consul • Save users password in vault • Restrict access for applications • Get database access from vault • In combination with consul-template get app server access token • Create HAProxy configuration from consul services 18.10.2019 12
- 13. Contact Information's • LinkedIn: https://www.linkedin.com/in/me2digital/ • SlideShare: https://www.slideshare.net/AleksandarLazic4 • Docker Hub: https://hub.docker.com/u/me2digital/ • GitHub: https://github.com/git001 • Twitter: @ME2Digital • HP: www.me2digital.com • E-Mail: office@me2digital.com • Slack: aleks-me2digital 18.10.2019 13