On a hybrid platform (cloud and on-premise), Renault and D2SI worked on a simple and secure solution for centralized secret management using Vault.
In this talk, Julien explains how he, in close collaboration with Mehdi and the team at D2SI, implemented a way to consume secrets in the CI/CD chain, with different mechanisms to provide and share secrets in containers and pipelines.
3. RENAULT PRESENTATION
June 25-27, Hashidays Amsterdam
Renault and Nissan have been strategic partners since 1999, forming a one-of-a-kind alliance in the automotive world.
Julien Arsonneau, DevOps Engineer
6. CONTEXT
Global solutions of secrets:
- Security: AppRole, Radius, LDAP
- Multi-environment: public cloud / private cloud
- For pipeline: GitLab, Jenkins
- App with container: ECS, Swarm
- DevOps secrets: onboarding / Terraform
9. PROJECT LIFE CYCLE
Four phases: Provisioning, Tools update, Human update, Pipeline use
10. PROVISIONING: PIPELINE ACTORS
- Operator: RADIUS authentication; policy to create or update secrets
- Orchestrator: token authentication; policy to create only Secret IDs for a specific project
- Project: AppRole authentication (Role ID + Secret ID exchanged for a token); policy by project environment (dev, prod)
11. PROVISIONING: POLICIES & ROLE ID
- Project / Operator: 3. Adjust the policies & path for project need
- Orchestrator: 5. Terraform plan & apply inside CI/CD
12. PROVISIONING: PROJECT POLICY FOR DEV
Secret path tree for the dev environment of the coachdevops project:
/secret
  /secret/projects
    /secret/projects/coachdevops
      /secret/projects/coachdevops/dev
        /secret/projects/coachdevops/dev/keys
          /secret/projects/coachdevops/dev/keys/*
        /secret/projects/coachdevops/dev/db
          /secret/projects/coachdevops/dev/db/adm
          /secret/projects/coachdevops/dev/db/rw
          /secret/projects/coachdevops/dev/db/r
        /secret/projects/coachdevops/dev/idp
13. PROVISIONING
Terraform files: Terraform.tfvars, Variables.tf
Step 5: Plan and apply Terraform files in CI/CD
14. TOOLS UPDATE
Tools call a script that uses a specific policy to create or update the AppRole.
15. HUMAN UPDATE
Through the UI: product owner, DBA, storage admin, etc., authenticated with Radius/LDAP
16. HUMAN UPDATE: DEMONSTRATION
/secret
  /secret/projects
    /secret/projects/coachdevops
      /secret/projects/coachdevops/dev
        /secret/projects/coachdevops/dev/keys
          /secret/projects/coachdevops/dev/keys/*
        /secret/projects/coachdevops/dev/db
          /secret/projects/coachdevops/dev/db/adm
          /secret/projects/coachdevops/dev/db/rw
          /secret/projects/coachdevops/dev/db/r
        /secret/projects/coachdevops/dev/idp
        /secret/projects/coachdevops/dev/key
Update by UI or by script
17. APP ROLE DEFINITION
Actors: ADMIN, APP
1. Create policy and role for apps
2. Get Role ID
3. Generate a new Secret ID
4. Deliver Role ID
5. Deliver Secret ID
7. Return a token
18. TRANSITION
Wrap with Role ID + Role Name; define variables on CI tools
19. getSecretID
Actors: project team, CI/CD pipeline
1. Launch job / pipeline
2. Set Role Name
3. Authenticate with orchestrator token
4. Deliver wrap with Secret ID
5. Get wrap
6. Set Role ID, set Secret ID
7. Authenticate with Role ID + Secret ID
8. Deliver secrets
20. DELIVERY OF GETSECRETID
Cronjob (ops): authenticate with ops token or AppRole, generate orchestrator token
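The per-project policy tree (slide 12), the separation between operator, orchestrator and project roles (slides 10 and 17), the wrapped Secret ID hand-off to the pipeline (slide 19) and the cronjob that refreshes the orchestrator token (slide 20), written out as Vault CLI calls. This is an added example, not Renault's or D2SI's getSecretID script. It assumes VAULT_ADDR and VAULT_TOKEN point at a Vault with the KV v1 engine mounted at /secret and the approle auth method enabled; the role naming `<project>-<env>`, the policy capabilities, the TTLs, the ORCHESTRATOR_TOKEN variable and the `password` key under `db/r` are assumptions, while coachdevops and dev come from the slides.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Functions only; the dispatcher at
# the bottom runs nothing unless an action is passed on the command line.

# Project policy (slide 12): read-only on the project's env subtree.
# Pure text generation, so it can be checked without a Vault server.
render_project_policy() {
  project="$1"; env="$2"
  base="secret/projects/$project/$env"
  cat <<EOF
# policy for $project/$env (generated; capabilities are an assumption)
path "$base/keys/*" { capabilities = ["read", "list"] }
path "$base/db/adm" { capabilities = ["read"] }
path "$base/db/rw"  { capabilities = ["read"] }
path "$base/db/r"   { capabilities = ["read"] }
path "$base/idp"    { capabilities = ["read"] }
EOF
}

# Orchestrator policy (slide 10): may only mint Secret IDs for this project's
# role, never read the secrets themselves.
render_orchestrator_policy() {
  role="$1-$2"
  cat <<EOF
path "auth/approle/role/$role/secret-id" { capabilities = ["update"] }
EOF
}

# Operator step (slides 11 and 17, steps 1-2 and 4): write both policies,
# create the role, print the Role ID to be stored as a CI variable (slide 18).
provision_project() {
  project="$1"; env="$2"; role="$project-$env"
  render_project_policy "$project" "$env" | vault policy write "$role" -
  render_orchestrator_policy "$project" "$env" | vault policy write "orchestrator-$role" -
  vault write "auth/approle/role/$role" token_policies="$role" \
    secret_id_ttl=10m secret_id_num_uses=1 token_ttl=1h   # TTLs are assumptions
  vault read -field=role_id "auth/approle/role/$role/role-id"
}

# Ops cronjob (slide 20): with the ops token in VAULT_TOKEN, issue the
# short-lived orchestrator token that the CI tool will use.
generate_orchestrator_token() {
  role="$1"
  vault token create -policy="orchestrator-$role" -ttl=24h -field=token
}

# Orchestrator step (slide 19, steps 3-4): mint a single-use Secret ID and
# hand the pipeline a wrapping token instead of the Secret ID itself.
issue_wrapped_secret_id() {
  role="$1"
  VAULT_TOKEN="$ORCHESTRATOR_TOKEN" \
    vault write -wrap-ttl=2m -field=wrapping_token -f "auth/approle/role/$role/secret-id"
}

# Pipeline step (slide 19, steps 5-8): unwrap, log in with Role ID + Secret ID,
# then read a project secret with the resulting app token. A wrap that was
# already unwrapped fails here, which is the signal that it was intercepted.
pipeline_fetch_secrets() {
  role_id="$1"; wrap_token="$2"; project="$3"; env="$4"
  secret_id=$(vault unwrap -field=secret_id "$wrap_token") || return 1
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id") || return 1
  VAULT_TOKEN="$app_token" vault kv get -field=password "secret/projects/$project/$env/db/r"
}

case "${1:-}" in
  provision)  provision_project "$2" "$3" ;;
  orch-token) generate_orchestrator_token "$2-$3" ;;
  wrap)       issue_wrapped_secret_id "$2-$3" ;;
  fetch)      pipeline_fetch_secrets "$2" "$3" "$4" "$5" ;;
esac
```

Usage: `sh getsecretid.sh provision coachdevops dev` as the operator, `sh getsecretid.sh wrap coachdevops dev` from the orchestrator token, and `sh getsecretid.sh fetch "$ROLE_ID" "$WRAP_TOKEN" coachdevops dev` inside the job. The pipeline never sees a token able to create Secret IDs, and the orchestrator never sees a token able to read secrets, which is the split the actors slide describes.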
21. THANK YOU!
HashiDays Amsterdam
Editor's notes
0,10: 1'40, Julien, 1'
5 billion euros; 10.6 million; Alliance
3,10: Mehdi, 1'30
6'10: Julien, 3'
7': Mehdi, 1'
8': Mehdi
11': Mehdi, 3'
2 tokens for the projects (prod, non-prod)
14': Mehdi, 3'
16': Mehdi, 2'
Removed from the paths -> given to the projects -> graphical view