Solutions Engineering Hangout: A Frictionless Path to Dynamic Secrets for Cloud or Legacy Apps with Vault
There are several methods for replacing your applications' secrets with Vault dynamic secrets. HashiCorp solutions engineer Kawsar Kamal will cover several in this demo.
Speakers
- Kawsar Kamal, Staff Solutions Engineer, HashiCorp
You've installed Vault, but how do you find and integrate secrets into it once it's set up? HashiCorp senior solutions engineer Kawsar Kamal has a few answers.
This demo introduces APIs and tools such as Envconsul and Consul Template, which enable frictionless integration with applications. They inject secrets into the places your applications already read from: Envconsul puts them in the process environment, and Consul Template renders them into a configuration file on disk. If an app reads a configuration file, you set up these tools to fetch the credentials it needs from Vault automatically, write a template, let the tool render the result onto the file system where the app is already looking, and then run an orchestration command (for example a reload or restart) afterwards.
This demo also shows an application deployed on AWS with access to a database service, and Kawsar discusses alternative methods for secrets management integration, such as the Vault Agent and CI tooling.
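The render-to-disk pattern described above, written out as an added example of a Consul Template configuration (this is illustrative code, not the demo repository's own config). The Vault address, the database role name `app-role` under the database secrets engine's `creds/` path, the destination file and the reload command are all assumptions for the example:

```hcl
# Consul Template configuration (example, not from the demo repo).
# Where to reach Vault; the token comes from the VAULT_TOKEN environment
# variable or, when running beside Vault Agent, from its sink file.
vault {
  address     = "https://vault.example.internal:8200"   # assumed address
  renew_token = true
}

template {
  # Inline template: ask the database secrets engine for a fresh
  # username/password pair for the role "app-role" (assumed role name).
  # Consul Template tracks the lease it receives; when the lease can no
  # longer be renewed it fetches new credentials, re-renders this file
  # and runs the command below again.
  contents = <<EOT
{{ with secret "database/creds/app-role" -}}
MONGO_USER={{ .Data.username }}
MONGO_PASS={{ .Data.password }}
{{- end }}
EOT

  # The file the legacy app already reads; restrict permissions so only
  # the app's user can read the rendered credentials.
  destination = "/etc/app/db.env"   # assumed path
  perms       = 0600

  # Orchestration step run after every render; for an app that cannot
  # reload its config in place this is where a restart would go.
  command = "systemctl reload app"  # assumed unit name
}
```

Run it with `consul-template -config /etc/consul-template.d/app.hcl`. Because each render of the file is followed by the `command`, the credential rollover at lease expiry becomes an ordinary reload of the service rather than a manual step; an application that cannot tolerate the restart is the case where calling the Vault API directly from the app, or using Vault Agent templates, is the better fit.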
Outline
00:00 — Introduction
23:25 — Q&A
Additional resources
Vault docs:
- Vault Secret Engines: https://www.vaultproject.io/docs/secrets/index.html
- Mongo secret engine: https://www.vaultproject.io/docs/secrets/databases/mongodb.html
- Vault Authentication Methods: https://www.vaultproject.io/docs/auth/index.html
- AWS Authentication Method: https://www.vaultproject.io/docs/auth/aws.html
Resources:
- Seth Vargo blog on Vault integration patterns
- Repo for demo Terraform and Packer
  - Provisioning steps
    - This is where the MongoDB Secrets Engine is configured
    - This is where the AWS Authentication Method is configured
- Repo for product service
- Repo for listing service
Questions answered
Using Envconsul / Consul Template, how do you inject the new secrets into a legacy app dynamically as the lease expires?
What is the difference between Envconsul & Consul Template?
Under what circumstances does Envconsul restart the application? If restarting my service is prohibitive, it seems I should use the API directly instead of Envconsul.
How many secret calls can a Vault node handle per second? Or per min?
Which data sources does Vault support in addition to MongoDB?
Could you describe how you configure Vault to manage MongoDB credentials?
How does it work with apps that use data connection pooling?
How do you manage automatically regenerating and rolling out TLS certificates for legacy apps (Apache, NGINX, Java, etc.) using Vault PKI?
Can it be done 100% through Vault or is something like Consul Template necessary?
How does the service/app authenticate to Vault to obtain the dynamic credentials?
Dynamic secrets require Vault support for a particular service (e.g. MongoDB). What do I need to create to handle my own dynamic secrets integration with an internal, proprietary service?
Do Consul Template and Envconsul support .NET web applications and/or Java web apps (Windows environment)?
What (Linux) capabilities does Envconsul need to work?