Distribution of SSL certificates
@RobertVojcik
Hello!
● Systems Engineer & Team Leader
● Working for Livesport since 2009
● In-house since 2012
● Livesport
○ 400+ projects / domains / certificates
○ 85 M users
What's ahead?
● Introduction to the problem
● Solution architecture
● Best practice
● Server deployment
● Kubernetes deployment
Why?
● Purchased certificates
● Let's Encrypt wildcard certificates
○ DNS-01 challenge
○ Cloud / CDN / Anycast
● Own CA
● A single distribution method for both DEV and OPS
Requirements?
● API
● Security
● Auth
Security & TLS
● SSL/TLS
● Client authorization
● Access roles
● Secure backend
● Security & production concepts
● CA management
Searching and combining (NIH syndrome)
● Web + encrypted storage
● Custom API + EncFS
● Encrypted database + gRPC
● Certificate Vault
● Secrets Manager
● Envoy Manager
● AWS Secrets Manager
HashiCorp
www.hashicorp.com
HashiCorp - Vault
Initial state after start
● API server running
○ basic communication
○ Vault status
● Sealed barrier, or ...?
● Waiting for the key shares to be entered
○ part of the security concept
○ do we know what key shares are?
Seal / Unseal
Key Shares?
Key Shares → Master Key → Encryption key
Shamir's secret sharing algorithm
Shamir's Secret Sharing algorithm
● Secret "123"
● Key shares "5"
● Key share limit (threshold) "2"
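The slide's numbers worked through in code: split the secret 123 into 5 shares with threshold 2, then recover it from any two. This is an added example written for this page, not Vault's own `shamir` package (which splits the key byte by byte over GF(2^8)); it works over a large prime field instead, which is the textbook form of the scheme. The parameters correspond to `vault operator init -key-shares=5 -key-threshold=2`.

```python
import secrets

# Shares live in GF(p). This Mersenne prime comfortably holds a 16-byte secret;
# Vault itself uses GF(2^8) per byte, the construction is otherwise the same.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x with Horner's rule; coeffs[0] is the constant term."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, n_shares, threshold):
    """Return n_shares points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares:
        raise ValueError("threshold must be between 1 and n_shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 would hand out the secret itself, so shares start at x = 1.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat: den^(p-2) == den^-1 (mod p)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """The slide's parameters: secret 123, 5 key shares, threshold 2."""
    shares = split_secret(123, n_shares=5, threshold=2)
    # Any two shares are enough ...
    from_two = recover_secret([shares[0], shares[3]])
    # ... while a single share reveals nothing: interpolating through one
    # point just returns that point's own y value, not the secret.
    from_one = recover_secret(shares[:1])
    return shares, from_two, from_one


if __name__ == "__main__":
    shares, from_two, from_one = demo()
    for x, y in shares:
        print(f"share {x}: {y}")
    print("recovered from two shares:", from_two)
    print("'recovered' from one share:", from_one)
```

Below the threshold the interpolation does not fail, it silently yields a wrong value, which is why Vault can refuse to unseal until enough distinct shares have been entered rather than detect a bad partial set. Keep the shares with different people or in different key-management systems; if all five sit in one place, the threshold protects nothing.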
Authentication
Options
● AppRole
● AWS
● Azure
● GoogleCloud
● JWT/OIDC
● Kubernetes (ServiceAccount)
● LDAP
● Radius
https://www.vaultproject.io/docs/auth
AppRole
● Something like a username & password
○ Role-ID (e.g. adf93b20-6e8c-3b19-c3ce-c76f841054af)
○ Secret-ID (e.g. f3928c22-b30e-b1bf-091a-2cfe3df72172)
● We create a role with an attached policy
● One role can have multiple Secret-IDs
Best Practices
● Distribute the Role-ID and the Secret-ID separately
● Put the Secret-ID into configuration management
○ easy rotation
● Use tokens with a short lifetime
● Renew the token during deployment
○ don't authenticate via AppRole more often than necessary
Tokens have a wide range of settings; ideally make use of them rather than taking the easiest path.
Best Practices
Secrets Engine
Types of secrets engines
● KV / KV2
● PKI
● Databases
● SSH
○ Signed certs
○ OTP
https://www.vaultproject.io/docs/secrets/
Certificate deployment
Server Deployment
● Puppet CM
● Deploy environment
○ Scripts
○ Configs
○ Systemd unit
○ Systemd timer
● Deploy script
○ Python - HVAC
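An added example of what such a timer-driven deploy script looks like when it follows the Best Practices slide: it reuses and renews a cached short-lived token and only falls back to a full AppRole login when the token is gone, then installs the certificate atomically with restrictive permissions and reloads the service only when something changed. This is not the rvojcik/vault-certificate-deploy script; it is written for this page against the public hvac client. Assumptions (not from the talk): a KV v2 mount named `secret` with the certificate at `certs/<name>` in fields `cert` and `key`, AppRole at its default mount, the Role-ID/Secret-ID arriving via the environment variables `ROLE_ID` and `SECRET_ID`, and a token cache file under `/run`.

```python
import os
import subprocess
import tempfile

KV_MOUNT = "secret"         # assumed KV v2 mount
MIN_TTL_SECONDS = 600       # renew when less than 10 minutes remain
RENEW_INCREMENT = "1h"      # ask for another hour on each timer run


def ensure_token(client, role_id, secret_id, cached_token=None):
    """Prefer renewing a cached token; log in via AppRole only when needed.

    Returns (token, fresh_login). Every AppRole login consumes a Secret-ID
    use and lands in the audit log, so the timer should mostly just renew.
    """
    if cached_token:
        client.token = cached_token
        try:
            info = client.auth.token.lookup_self()["data"]   # raises if expired/revoked
            if info.get("renewable") and 0 < info.get("ttl", 0) < MIN_TTL_SECONDS:
                client.auth.token.renew_self(increment=RENEW_INCREMENT)  # raises past max_ttl
            return client.token, False
        except Exception:
            pass  # expired, revoked or at its max TTL: authenticate again below
    resp = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
    client.token = resp["auth"]["client_token"]
    return client.token, True


def write_private(path, data, mode=0o600):
    """Atomically replace `path` with `data`; return True if the content changed."""
    try:
        with open(path, "rb") as f:
            if f.read() == data:
                os.chmod(path, mode)   # content unchanged, still enforce the mode
                return False
    except FileNotFoundError:
        pass
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".deploy-")  # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), mode)  # final mode is set before the key bytes land
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)            # atomic rename: readers never see a partial key
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def deploy_certificate(client, name, cert_path, key_path, reload_cmd=None):
    """Pull cert + key from KV v2, install them, reload the service only on change."""
    secret = client.secrets.kv.v2.read_secret_version(
        path=f"certs/{name}", mount_point=KV_MOUNT
    )["data"]["data"]
    changed = write_private(cert_path, secret["cert"].encode(), 0o644)
    changed |= write_private(key_path, secret["key"].encode(), 0o600)
    if changed and reload_cmd:
        subprocess.run(reload_cmd, check=True)
    return changed


def main():
    import hvac  # only the real run needs hvac; the functions above are client-agnostic
    client = hvac.Client(url=os.environ["VAULT_ADDR"])
    # Role-ID and Secret-ID come from different channels (config vs. CM) as the
    # slides recommend; the token cache is a root-only file on tmpfs (assumed path).
    token_file = "/run/vault-cert-deploy/token"
    cached = open(token_file).read().strip() if os.path.exists(token_file) else None
    token, fresh = ensure_token(client, os.environ["ROLE_ID"], os.environ["SECRET_ID"], cached)
    if fresh:
        write_private(token_file, token.encode())
    deploy_certificate(client, "www.example.com",
                       "/etc/ssl/certs/www.example.com.pem",
                       "/etc/ssl/private/www.example.com.key",
                       reload_cmd=["systemctl", "reload", "nginx"])


if __name__ == "__main__":
    main()
```

Run it from a systemd timer as a dedicated user that owns the cache file and the key directory; the reload command is the one thing that needs a privilege grant (a sudoers rule or a polkit rule for that single `systemctl reload`). The `ensure_token` logic is the practical meaning of "renew during deployment": on a healthy host the AppRole login happens once, and the audit log shows only renewals afterwards.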
github.com/rvojcik/vault-certificate-deploy
Kubernetes Deployment
● Tuenti Secrets Manager, https://github.com/tuenti/secrets-manager
● GitLab CI/CD deployment,
https://gitlab.com/ls-tech-templates/automation/k8s-secrets-manager
○ Wraps Tuenti's Secrets Manager
○ Simplifies the config for development
○ Deploys Secrets Manager into Kubernetes
Kubernetes Deployment
Production
● Non-root process
● No swap / mlock
● Core dumps off
○ ulimit -c 0
○ RLIMIT_CORE=0
● Root tokens - only for disaster recovery
● https://learn.hashicorp.com/vault/operations/production-hardening
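An added example, not part of the talk, that audits a running Vault process against the four items on this slide by reading its `/proc/<pid>/status` and `/proc/<pid>/limits` (Linux only). The `SAMPLE_*` strings are constructed to look like those files for a process that still has core dumps enabled; HashiCorp's hardening guide linked above covers more than these checks.

```python
import re

# Constructed sample: a vault process running as uid 997 with mlock in use,
# nothing swapped out, but core dumps still allowed.
SAMPLE_STATUS = """\
Name:\tvault
Umask:\t0022
State:\tS (sleeping)
Pid:\t4242
Uid:\t997\t997\t997\t997
Gid:\t997\t997\t997\t997
VmLck:\t  184320 kB
VmSwap:\t       0 kB
"""

SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max core file size        unlimited            unlimited            bytes     
Max locked memory         65536                65536                bytes     
"""


def parse_status(text):
    """'Key:\\tvalue' lines of /proc/<pid>/status into a dict of raw values."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_limits(text):
    """'Max ...' rows of /proc/<pid>/limits into {name: (soft, hard)}."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^(Max .+?)\s{2,}(\S+)\s+(\S+)", line)
        if m:
            limits[m.group(1)] = (m.group(2), m.group(3))
    return limits


def _kb(value):
    """'184320 kB' -> 184320"""
    return int(value.split()[0])


def check_hardening(status_text, limits_text):
    """Return [(check, passed, detail)] for the slide's production rules."""
    st = parse_status(status_text)
    lim = parse_limits(limits_text)
    findings = []

    real_uid = int(st.get("Uid", "0").split()[0])
    findings.append(("non-root process", real_uid != 0, f"uid={real_uid}"))

    soft, hard = lim.get("Max core file size", ("?", "?"))
    findings.append(("core dumps disabled (RLIMIT_CORE=0)",
                     soft == "0" and hard == "0", f"soft={soft} hard={hard}"))

    vmlck = _kb(st.get("VmLck", "0 kB"))
    findings.append(("memory locked (mlock)", vmlck > 0, f"VmLck={vmlck} kB"))

    vmswap = _kb(st.get("VmSwap", "0 kB"))
    findings.append(("nothing swapped out", vmswap == 0, f"VmSwap={vmswap} kB"))
    return findings


def check_pid(pid):
    """Live check against a real process; needs permission to read its /proc entries."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open(f"/proc/{pid}/limits") as f:
        limits = f.read()
    return check_hardening(status, limits)


if __name__ == "__main__":
    for name, ok, detail in check_hardening(SAMPLE_STATUS, SAMPLE_LIMITS):
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
```

Under systemd the core-dump rule is `LimitCORE=0` in the unit rather than a shell `ulimit`, and a locked `VmLck` only appears if Vault is allowed to mlock (HashiCorp's guide documents granting `cap_ipc_lock` to the binary); a zero `VmLck` on a host where swap exists means key material can reach disk.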
Let’s Encrypt Support
END OF TIME
● HashiCorp - interesting tools
● It's 2019, beware of the NIH syndrome
○ sometimes what mainly needs to change is the established way of thinking
● Vault Server
○ store for sensitive data
○ a wide range of uses
○ own CA
○ LinuxDays workshop: 16:00, room 345
● Let's Encrypt - worth supporting
● github.com/rvojcik
Questions? A few links to close
Workshop: https://github.com/rvojcik/vault-workshop-beginner
Deploy certs: https://github.com/rvojcik/vault-certificate-deploy
Kubernetes:
http://bit.ly/vault-agent-k8s
http://bit.ly/vault-k8s-present
http://bit.ly/vault-dynamic-secrets