Running Vault as a Service on HCP
מוזמנים לצפות בסרטון המסביר על הרצת HashiCorp Vault כשירות מנוהל בענן.
Vault הוא מוצר המווה כיום (דה-פקטו) סטנדרט להגנה על סודות ארגוניים.
הסרטון הוקלט במסגרת כנס HashiConf.
לנוחיותכם הוספנו גם את הטקסט המלא מתחת לסרטון.
לצפיה (14 דקות):
Welcome to HashiConf Digital 2020 and welcome to the Vault on HashiCorp Cloud Platform (HCP) presentation.
I'm Rand Fitzpatrick on the product management team here at HashiConf, and I'll be joined a little bit later by
Thor Hansen on the engineering team to walk you through a bit of HashiCorp cloud platform's Vault offering.
So we're all relatively familiar with Vault, we've got a world-class tool for really helping you manage that transition from static infrastructure and dynamic infrastructure, and provide identity-based access and security
that's necessitated to really secure that transition and the changing ephemeral workloads that we demand.
so HashiCorp delivers an entire stack of tools to help with these workloads across the cloud. Everything from Terraform, Vault, Consul and Nomad, and these all compose extremely well across the various workflows wherever you might use them in whichever cloud.
Vault however has been able to offer us a huge degree of flexibility and capability in making sure that you can
secure your applications as you scale-out and build your environment in a more robust and secure way.
HashiCorp Vault is the world-leading solution for secrets management which is its most well-known capability for managing all of your secrets, credentials everything from PKI and other secure data that you would want to distribute across your application stack.
It's also one of the world-leading solutions for data encryption with transit and transform, so all of your encryption workloads, both form preserving and otherwise enabled by Vault within your application path, and also broadly identity-based access to help secure all of your machine-to-machine connections using trusted identities and secure and auditable relationships.
Generally extending this it's the one machine authorization and authentication point to really connect all of your systems in a zero-trust world through identity-driven control.
Using Vault has always been a huge boot both on the open-source and enterprise sides. But sometimes it can take a little bit of effort to get up and running and get it customized for your specific use case.
HCP Vault or HashiCorp Cloud Platform Vault is entering private beta today to help get you directly to day zero of realizing value letting HashiCorp manage the operations and complexity to help you scale this out and get it used in the topologies that suit your application best.
What is HashiCorp Cloud Platform?
I know we've heard about this earlier today as well as earlier in the year when hcp Console was first announced but the true vision is that it takes care of the push-button deployment, infrastructure management, and multi-cloud workflows that are going to help you extend Hashicorp's tools where are wherever you are in terms of your cloud deployment journey and scale with you as you grow.
So push-button deployment, all we need to do to instantiate a Vault cluster for use at this point is come into HCP once we've got an HVN which is the HashiCorp Virtual Network just instantiate a cluster and within 10 minutes usually faster we will have spun up a full production scale Vault cluster ready for your use. That infrastructure will be fully managed not only will we have its current state we'll have its logs, we will have its status, the entire SRE teams for
HCP will be monitoring and making sure that it's up to date and keeping it up with patches and version progression,
so you're always using the healthiest and most well-secured version of Vault.
And in terms of really supporting those multi-cloud workflows hcp is going to have the same set of extensible capabilities and well-managed primitives that work wherever you are.
Now right now HCP is primarily on AWS but we're rapidly expanding and you'll be able to deploy this wherever you need your workloads,
so on top of that hcp platform we're bringing you hcp Vault which is really our best attempt to offer you Vault ready to go, ready to securely support your dynamic infrastructure.
We're going to get a little bit into the specifics before I hand it off to Thor about how we're actually bringing this to you in a way that's going to support your infrastructure. So I mentioned earlier that we've got HVN these are the HashiCorp wrapper over an isolated network and compute environment we support a fully replicated Vault
cluster with integrated storage and replication within that environment, and that environment is owned entirely
by the end-user. The only things running in there end up belonging under an account for that end-user and it's a
very secure space.
The control plane for the HashiCorp cloud platform will exercise command actions that can help reconverge and recover and always make sure that your systems are in a well-running state, and we can scale out from here,
to make sure that as your capacity needs grow we can increase the horizontal and vertical scalability of these clusters to meet both your storage needs your throughput needs and your processing needs, depending on how your workloads are right across static secrets dynamic secrets, and encryption type workloads.
Also in these environments are secure snapshots and restore capabilities and audit logging to make sure that as you go through your Vault life cycle we can always make sure that you have the data that you need to recover as well as maintain your audibility and data retention requirements.
As you connect this with your infrastructure we offer a number of secure pathways everything from the current modality of VPC peering to more direct connections through VPNs and other network topologies this is to make sure that wherever you use your infrastructure HCP Vault can be there to support you, and as I mentioned we really want to focus on getting you to day zero value so instead of working to right-size your cluster working to make sure that your storage and backup workflows are well-executed, you can really just instantiate a Vault cluster; export some environment variables and
through the Vault client immediately get up and running and connected to your Vault cluster and start using it.
Vault in Production
So what does this allow us to do? instead of worrying about all the operations you can jump directly to your production needs you can start focusing on what it means to develop against Vault and get it integrated into your environment it can help you focus on understanding what off methods and secrets engines and policies are going to be useful in supporting your application environment, rather than focusing on the operations work up front.
Likewise, we'll offer lightweight developer services to help you test with Vault learn Vault and integrate it into your applications without having to impact your full-scale production clusters. All of these available dynamically within your HVN on HCP.
Additionally, you'll be able to rely on HCP for all of that resilience and scale as well as best of breed hardening to
help you keep your systems orchestrated and healthy so you can worry about what your application is meant to do rather than the care and feeding of Vault itself.
Enable the future
Finally, we help enable the future with secure integration. HCP makes it easier to stay up to date with new versions of all as they go, updating seamlessly behind your application façade, as well as being able to take advantage of additional capabilities that we build onto the platform as HCP grows and develops over time.
To dive into a little bit more of the detailed usage of HCP Vault as we're rolling it out today, going to hand it off to Thor Hansen.
Demo time (08:40)
Hi, I'm Thor Hanson. I'm an engineer here at HashiCorp. I'm going to give you a demo today on Vault on HCP. what we're going to do is we're going to create a virtual network we're going to create a Vault cluster inside that network then we're going to use an EKS cluster on AWS, and we are going to inject secrets into a pod that we create on that cluster – so let's dive in.
So here we have HashiCorp Cloud Platform. We'll be walking with an overview page – where we can see setup steps, as well as other things that we can create on the platform like Consul.
We're going to go and create a virtual network. We can select a name; a region a CIDR Block, and then we'll create the network. This will take a couple of minutes to initialize but once it is we'll have our HVN as we call it.
The next step we can do with our HVN is to create a Vault cluster inside the network, so go ahead and click that.
Then we can name our cluster; we can put it in a region and then we can click the blue button to just simply create the cluster inside our HVN. That will take a couple minutes but then we'll be presented with our Vault cluster.
We have our Vault configuration where we can generate a token get the address of the cluster we can see the version, the configuration options we'll have getting started with Vault section where people who are newer to Vault can learn how to use it. We can see the cluster stable and then the assigned network that we created the cluster inside.
so after all that, what we can do next is we'll go back to our HVN and we will select peering connections. This allows us to peer the HVN with a AWS VPC, so what we'll do is we'll copy in our AWS VPC information into this peering connection helper. We'll grab the account ID; the VPC ID ; the region that the VPC is in, and then we'll also copy in the VPC CIDR block.
Then we'll create click create the connection you'll see that this goes from creating to pending acceptance so that means we just have to hop on over to our AWS control panel, into the peerings tab and we can go and click accept request.
We can check to make sure that all the settings are correct and that this is the connection that we established then we can click yes accept. Once that's been created that means now that our vpc and the hvn are appeared so we can go back in and see that the connection is now active.
The last step is to go back to our VPC and create a route table. This route table will allow us to map a CIDR Block from the vpc into our HVN, so we'll go ahead and create one of those. Give it a name and then we'll go back into the panel and we'll create a route for it.
Let's go into the routes tab we'll hit edit routes, then we can add a new route which will be the HVN's HPC CIDR block so we'll copy out that CIDR block; use that as our destination, and then as the target we'll use the peering connection that we've created.
This should auto-populate by was there it is so we'll click accept now we've created a route from our VPC to our HVN, and vice versa. This will allow us to access the Vault cluster from our VPC.
Last thing to do, is we can go back to our Vault cluster and we'll generate an admin token. so this will generate a token we copy that out and this will allow us to access the Vault cluster.
So we'll go back to our EKS cluster in our VPC we'll create a Vault namespace, and then we'll create a couple of Kubernetes objects like a service account a cluster role and a cluster role binding. these will allow us to configure the Kubernetes off backend in Vault to access Vault from Kubernetes so create those things the next thing we're going to do is we're going to copy out the access token that's created under the service account, we'll use this
access token when we configure the Kubernetes auth endpoint. so here you can see we've successfully grabbed the jwt off token.
So the next thing that we are going to do is we are going to create a pod that we can exec into to run the Vault CLI. If you recall we had to peer our Vault our HVN with this VPC, so that's the only way that we're able to access the Vault cluster so we're going to create a container that we can exec into and then we'll be able to set up our Vault cli to access our Vault cluster that's been paired with this vpc. so you'll see here we'll set up the Vault address we'll set up the Vault namespace we're going to import some of the information that we copied out from Kubernetes earlier like the jwt as well as the ca certificate from EKS. These things aren't for the Vault cli but they'll be helpful when we set up our kubernetes auth back end so now we're going to log in using the token that we copied from the control plane webpage to begin with now that we're logged in, we can enable the Kubernetes auth backend. Now that's enabled we need to configure it we'll use the jwt and the ca search that we talked about before and then we'll create a role that gets assigned when our future app will log in under that auth method, and then we'll enable the secrets engine and we'll write a little HashiCorp secret to that secrets engine that our app can get injected into it later. and then lastly we'll create a role that will allow us to access that secret in Vault. Great! so now we've done all those things the last thing we need to do is now set up our Vault agent injector we'll use helm to do this we'll use the HashiCorp helm resource we will enable or we'll install it via helm setting our Vault external address to be in our hcp Vault cluster
and then last we have our application you'll notice in the annotations of this application that it has directives on
how to grab secrets where to grab them from and where to store them. once we create that we can see that the
the app is now running which means a secret has successfully been injected into that pod. and so then we can exec into that pod and look uh to see if our secret has been successfully copied into a file there so we'll just cat it out at Vault secrets slash kv-secret and there we can see hashicomphrox
So that's been a really quick demo on how we can quickly inject secrets into an eks cluster by simply peering a vpn connection and then treating the Vault on hcp like we would any other Vault that we had running elsewhere
this can be really powerful because it doesn't require you as the end-user to have to set up Vault to manage it to deal with scaling it out or scaling it down our whole team constantly monitors this we have long-running workflows that keep it constantly updated keeping constantly going and so we're really excited for you guys to try this out and to tell us what you think.