
Dynamic Azure Credentials for Applications and CI/CD Pipelines


An important use case for Vault is to provide short-lived, least-privilege cloud credentials. In this webinar we will review specifically how Vault's Azure Secrets Engine can provide dynamic Azure credentials. We will cover details on how to configure the Azure Secrets Engine in Vault and use it in an application. If you are using Azure now or in the near future, join us for some patterns on maintaining a high security posture with Vault's dynamic credentials model!


  1. © 2019 HashiCorp. Dynamic Azure Credentials for Applications and CI/CD Pipelines. SE Webinar - July 21st, 2020. Kawsar Kamal - Staff Solution Engineer (http://kawsark.gitlab.io). Brianna DeLuca - Sr. Field Marketing Manager.
  2. Agenda
     ● Introductions (Brianna) - 5 min
     ● Vault overview (Kawsar) - 10 min
     ● Demo (Kawsar) - 20 min
     ● Q/A (moderated by Brianna) - 15 min
  3. Objectives
     ● Business driver: move to cloud while maintaining high security posture.
  4. A generational transition is underway: from the traditional datacenter ("static": dedicated infrastructure, private cloud, systems of record) to the modern datacenter ("dynamic": public multi-cloud, systems of engagement).
  5. The HashiCorp Stack: a control plane for every layer of the cloud operating model.
     ● Run (Development): Cloud Application Automation
     ● Connect (Networking): Cloud Networking Automation
     ● Secure (Security): Cloud Security Automation
     ● Provision (Operations): Cloud Infrastructure Automation
     Platforms shown per layer: traditional datacenter (vSphere, various hardware, identity via AD/LDAP, Terraform); AWS (EKS / ECS, Lambda, CloudApp / AppMesh, identity via AWS IAM, CloudFormation); Azure (AKS / ACS, Azure Functions, proprietary, identity via Azure AD, Resource Manager); GCP (GKE, Cloud Functions, proprietary, identity via GCP IAM, Cloud Deployment Manager).
  6. Vault: Manage Secrets and Protect Sensitive Data (*slide from HashiCorp corporate overview)
     ● High trust: long-lived IP, clear network perimeter.
     ● Low trust: no clear perimeter; mixed identities across cloud, VMs, containers, serverless.
     ● Maintained by HashiCorp; written in Go; cloud agnostic; open-source community.
  7. Vault: Manage Secrets and Protect Sensitive Data
     ● Secrets management to centrally store and protect secrets across clouds and applications.
     ● Data encryption to keep application data secure across environments and workloads.
     ● Advanced Data Protection to secure workloads and data across traditional systems, clouds, and infrastructure.
     300+ enterprise customers, 1M+ monthly downloads, 2T+ transactions. Trusted by: (customer logos not captured)
  8. How Vault works
  9. Azure plugins
     ● Azure Secrets Engine: dynamically generates Azure service principals along with role and group assignments, or dynamically generates a new password for existing service principals.
     ● Azure Auth Method: allows authentication against Vault using Azure credentials.
  10. Dynamic credentials
  11. Demo: Dynamic credentials
  12. Demo: Securing a CI/CD Pipeline. Components: Version Control, CI/CD, Terraform IaC (*.tf), Terraform Enterprise Workspace, AKS.
  13. Key benefits
     ● Azure credentials are unique to each application instance - no password sharing.
     ● Cloud credentials have least-privilege roles to limit blast radius.
     ● Cloud credentials are time bound, so in case of a credential leak the window in which it is valid is limited.
     ● Credentials can be audited to check which application instance retrieved a secret.
     ● Credentials are easy to revoke if needed.
  14. Q/A
  15. Resources
     ● Demo repository: https://gitlab.com/kawsark/vault-azure-demo
     ● Azure Secrets Engine: https://www.vaultproject.io/docs/secrets/azure
     ● Blog post: https://medium.com/hashicorp-engineering/onboarding-the-azure-secrets-engine-for-vault-f09d48c68b69?source=friends_link&sk=59acf7d78362a48bf6cb039385776114
     ● Azure Authentication Method: https://www.vaultproject.io/docs/auth/azure
     ● Webinar assets: will be emailed
     ● Vault 1.4 blog post: https://www.hashicorp.com/blog/vault-1-4/
     ● Deploying Vault in Kubernetes: https://www.vaultproject.io/docs/platform/k8s/helm/run
     ● Terraform for AKS: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/kubernetes
     ● Transform Secrets Engine wrapper: https://github.com/kawsark/transform.py
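The engine described on slide 9 and the benefits listed on slide 13 (least-privilege scope, time-bound leases, per-instance credentials) in code. This is an added example, not code from the webinar or its demo repository; it assumes the engine is mounted at `azure/` and uses a constructed subscription id, resource group and sample response.

```python
"""Least-privilege, time-bound Azure credentials via Vault's Azure Secrets Engine.
Added example, not code from the webinar or its demo repository. Assumes the engine
is mounted at ``azure/`` (POST /v1/azure/roles/<name>, GET /v1/azure/creds/<name>);
subscription id, resource group and the sample response are constructed placeholders.
"""
import json
import urllib.request

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
RESOURCE_GROUP = "rg-example-app"                          # constructed placeholder

# Constructed: the shape of a GET /v1/azure/creds/<role> response.
SAMPLE_RESPONSE = {
    "lease_id": "azure/creds/example-app/CONSTRUCTED-LEASE-ID",
    "lease_duration": 3600,
    "renewable": True,
    "data": {"client_id": "CONSTRUCTED-CLIENT-ID", "client_secret": "CONSTRUCTED-SECRET"},
}

def build_role_payload(subscription_id, resource_group, ttl="1h", max_ttl="4h"):
    """Body for POST /v1/azure/roles/<name>: the generated service principal gets a
    Contributor assignment scoped to one resource group, not the whole subscription."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        # The API expects azure_roles as a JSON-encoded string, not a nested list.
        "azure_roles": json.dumps([{"role_name": "Contributor", "scope": scope}]),
        "ttl": ttl,          # default lease of each issued credential
        "max_ttl": max_ttl,  # hard ceiling even if the lease is renewed
    }

def parse_creds(response):
    """Keep what the application needs: the credential pair plus lease metadata."""
    return {
        "client_id": response["data"]["client_id"],
        "client_secret": response["data"]["client_secret"],
        "lease_id": response["lease_id"],              # for renewal or early revocation
        "lease_duration": response["lease_duration"],  # seconds until Vault deletes the SP
    }

def refresh_deadline(creds, issued_at, num=2, den=3):
    """Unix time to fetch new credentials: 2/3 into the lease by default, leaving
    headroom for Azure AD to propagate a freshly created service principal."""
    return issued_at + creds["lease_duration"] * num // den

def fetch_creds(vault_addr, vault_token, role):
    """Request a fresh service principal from Vault (needs a live server; not run offline)."""
    req = urllib.request.Request(f"{vault_addr}/v1/azure/creds/{role}",
                                 headers={"X-Vault-Token": vault_token})
    with urllib.request.urlopen(req) as resp:
        return parse_creds(json.load(resp))
```

Each application instance calls `fetch_creds` with its own Vault token, so Vault's audit log ties every issued service principal to the instance that requested it, and `lease_id` is what you hand to Vault to revoke early.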
