Managing Application Secrets with Hashicorp Vault

Vault manages application secrets and protects sensitive information (tokens, passwords, certificates, encryption keys and so on) through its UI, CLI or HTTP API. It is a centralised place to store all secrets. In this example we will create a Vault Docker container, store some secrets in it and access them from outside with Vault’s HTTP API.

Vault components used

Our example makes use of Vault’s components listed below.

  • Auth Methods > Token: The “Auth Methods” are responsible for authentication and for assigning a set of policies to a user. The “Token” auth method allows users to authenticate with a token, create new tokens, revoke secrets by token, and so on. It is mounted at the /auth/token path.

  • Storage > Filesystem: The “Storage backend” represents the location for the storage of Vault’s information. The “filesystem” storage backend stores data on the filesystem using a standard directory structure.

  • Secrets Engine > Key/Value: The “Secrets Engine” handles how data is stored, generated and encrypted. The “Key/Value” (kv) secrets engine stores secrets in classic key/value fashion within the selected storage backend.

  • Audit Devices > File: The “Audit Devices” keep a log of all requests and responses. The “File” audit device writes audit logs to a file.

  • Policy: Everything in Vault is path based. A “policy” is a named set of access/usage permissions on paths that gets attached to a user or token. For example, a hello-world policy can allow interaction with all the secrets stored under the secret/hello-world path.
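As an added illustration (not configuration from the original post), the two HCL fragments below tie the components above together: a server configuration that selects the filesystem storage backend and exposes the HTTP API, and the hello-world policy that scopes a token to the secret/hello-world path. The file names, the /vault/file path and the listener address are assumed values.

```hcl
# vault-config.hcl (assumed file name): server configuration for the Docker container
storage "file" {
  path = "/vault/file"          # filesystem storage backend; assumed mount path inside the container
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"          # acceptable only for a local lab: the HTTP API is then plaintext on 8200
}

api_addr = "http://127.0.0.1:8200"
ui       = true                 # exposes the web UI alongside the CLI and HTTP API

# hello-world.hcl (assumed file name): policy limited to the secret/hello-world subtree.
# This path form matches a kv version 1 engine mounted at secret/; with kv version 2 the
# same scope is expressed as secret/data/hello-world/* plus secret/metadata/hello-world/*.
path "secret/hello-world/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

The file audit device is enabled at runtime rather than in the config file (`vault audit enable file file_path=/vault/logs/audit.log`), and the policy is loaded with `vault policy write hello-world hello-world.hcl`; a token created with `vault token create -policy=hello-world` then sees only that subtree.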

Christa Stehr

1602964260

50+ Useful Kubernetes Tools for 2020 - Part 2

Introduction

Last year, we provided a list of Kubernetes tools that proved so popular we have decided to curate another list of some useful additions for working with the platform—among which are many tools that we personally use here at Caylent. Check out the original tools list here in case you missed it.

According to a recent survey done by Stackrox, the dominance Kubernetes enjoys in the market continues to be reinforced, with 86% of respondents using it for container orchestration.

(State of Kubernetes and Container Security, 2020)

And as you can see below, more and more companies are jumping into containerization for their apps. If you’re among them, here are some tools to aid you going forward as Kubernetes continues its rapid growth.

(State of Kubernetes and Container Security, 2020)


Securing your secrets using vault in Kubernetes — Part 2

In Part 1 of this series, we learned how to install Vault-k8s and enable the Kubernetes auth mechanism. In this tutorial, let’s learn how to automatically inject these secrets into our Kubernetes Deployments/Pods.

I have used Helm to create the manifest files. Helm charts are easier to create, version, share, and publish. Copying and pasting the same manifests across multiple environments can be avoided, and the same charts can be re-used by maintaining a different final overrides file.


Securing your secrets using vault-k8s in Kubernetes — Part 1

Kubernetes secrets let you store and manage sensitive data such as passwords, SSH keys, TLS certificates, etc. However, there are a few limitations to using the built-in secret management for Kubernetes, so we often tend to rely on third-party tools to handle secret management. One such tool is HashiCorp Vault. In this series of articles let’s learn to secure our secrets using HashiCorp Vault-k8s in Kubernetes.

Micheal Block

1604048400

How to Manage Terraform Secrets with Akeyless Vault

Terraform is an “Infrastructure as Code” (IaC) platform by Hashicorp that helps design and deploy virtual or cloud infrastructure using a high-level configuration language. With Hashicorp Configuration Language (HCL) based configuration templates, Terraform enables building, remodeling, versioning, and reuse of infrastructure components, forming the foundation of a full infrastructure lifecycle.

To maintain security, Terraform supports:

  • Plain text secrets by leveraging native environment variables
  • Encrypted secrets in a key protected file
  • Integration with a secrets management platform like Akeyless Vault

For enhanced security across Terraform configurations, Akeyless Vault administers on-demand access keys instead of using vulnerable plaintext secrets. With the ability to attribute secrets across multiple third-party platforms (AWS, GCP, Private Cloud, etc.) and used within a Terraform instance, Akeyless acts as a consolidated source for provisioning secrets through your infrastructure.

Benefits of Using a Centralized Secrets Management Solution

With a centralized secrets management platform like Akeyless Vault, Terraform secrets are unified and secured further. Embracing such a platform makes it operationally simpler to maintain compliance and generate access usage visibility.

**Operation-wise:** With a secrets management platform like Akeyless Vault, Terraform gains a remote-state single source of secrets rather than referring to multiple keys for third-party platforms within a single instance.

**Audit-wise:** A centralized secrets manager permits a single, consolidated audit of secrets. Instead of auditing multiple secret repositories, Akeyless acts as the single audit channel for all application secrets, thereby ensuring easy audit compliance.

**Functionality-wise:** Similar to other DevOps tools, Terraform lacks the creation of Just-in-Time (JIT) secrets. With JIT secrets, a user can achieve on-demand access to a Terraform state’s resources based on their access privileges. To solve this, Akeyless generates dynamic secrets on the fly that expire on their own, thereby achieving a Zero-Trust implementation.

**Security-wise:** Through Akeyless Vault, relevantly scoped and short-lived secrets are generated Just-in-Time, preventing abuse and theft of access privileges.

How to Fetch a Secret with Akeyless Vault in Terraform

The Akeyless Vault leverages the vault provider to provision and fetch secrets on the fly. Let’s proceed with the simple steps involved in fetching secrets from Akeyless Vault into Terraform.

Prerequisites

  1. Sign in or create an account with Akeyless (it’s free) by accessing the following URL: https://console.akeyless.io/register


Hashicorp Vault for secret management in Kubernetes Cluster

INTRODUCTION

Hashicorp Vault provides all of the power and security of Vault, without the complexity and overhead of managing it yourself. It also provides various authentication methods such as AWS, Kubernetes, Tokens, OIDC and Azure Active Directory to provision and dynamically inject secrets into infrastructure such as EC2 machines and Kubernetes pods.

HashiCorp Cloud Platform features a web user interface to deploy and manage resources, including HCP Vault deployments in AWS. However, if you prefer to automate HCP Vault deployment, one recommended approach is to use HashiCorp Terraform with the HCP provider.

What we will cover:

In this post we will cover the following:

  1. Vault installation with a high-availability configuration in a Kubernetes cluster using Terraform.
  2. Enabling Kubernetes authentication in Vault using Terraform.
  3. Injecting secrets into a running pod dynamically.

Pre-requisites

  1. Kubernetes cluster up and running
  2. kubectl, terraform, helm, vault CLI installed
  3. Some basic knowledge of Terraform, kubectl and vault commands (I will provide a link at the end for reference).
