S P R I N G C L O U DC O N F I G &

V A U L T

C H R I S TO P H L U D W I GH A U F E G R O U P, F R E I B U R G

J AVA U S E R G R O U P F R E I B U R G , 2 4 . 1 0 . 2 0 1 7

AGENDA

• What’s the noise about app configuration?

• Spring Cloud Config

• HashiCorp Vault

– Generic Secrets

– PKI: Vault as Certification Authority

– Client Authentication

• Usage Scenarios

• Extensions in Haufe Projects

– Vault-based Config Server Discovery (or: Where do I get the config server credentials

from???)

– Keystores for client & server configurations in Vault

E X T E R N A L I Z E DS P R I N G A P P L I C A T I O N

C O N F I G U R A T I O N

SPRING APPLICATION CONFIGURATION

– Environment Variables

– Command Line Arguments

– Property Files

1 APPLICATION – MANY DEPLOYMENTS

Git

Developer PC

CI Environmen

t

Performance, Load, and Stress Test Enviroment

Production

Enviroment

Branch A Integration Environmen

t

Branch B Integration Environmen

t

Demo Environmen

t

TWELVE FACTOR APPSI. Codebase

One codebase tracked in revision control, many deploys

II. Dependencies

Explicitly declare and isolate dependencies

III. Config

Store config in the environment

IV. Backing services

Treat backing services as attached resources

V. Build, release, run

Strictly separate build and run stages

VI. Processes

Execute the app as one or more stateless processes

VII. Port binding

Export services via port binding

VIII. Concurrency

Scale out via the process model

IX. Disposability

Maximize robustness with fast startup and graceful shutdown

X. Dev/prod parity

Keep development, staging, and production as similar as possible

XI. Logs

Treat logs as event streams

XII. Admin processes

Run admin/management tasks as one-off processes

Source: https://12factor.net/

S P R I N GC L O U D C O N F I G

CONFIG SERVER CONCEPT

• Manageable # Environment Variables:

– Profile Names (Env ID, Feature Selectors)

– Config Server URL

– Config Server Credentials

• Configuration under revision control

• App fetches config details while

bootstrapping

• Config server scalable since state in repo

Git

App Imag

e

ConfigServer

App Instanc

e 1

App Instanc

e 2

App Instanc

e …

Bu

ild

Deploy

Pull

Fetc

h

SPRING CLOUD CONFIGServer:

• “Normal” Spring Boot Service

• URL path parameters:

– App name

– List of profile names

– Git label (revision / branch)

• Git-based:

– Uses (file:///…) or clones (git://…, ssh://…)

lokal Git repo

– Git access via JGit library

– On every client access, branch is checked

out and pulled from remote

• Alternative "native" profile:

– Config in simple file folder

– Ideal for local development

Client:

• Configuration in

– bootstrap.yml

– bootstrap-profile.yml usw.

– By discovery (e.g., Consul, Eureka)

• Adds PropertySources to the Environment

==> combined with other property

sources

• Periodic health check re-fetches config

H A S H I C O R PV A U L T

SECRETS

• Don’t put plain passwords (for, say DB access) into config files!

• Don’t put passwords into your Git repo!

• Many developers perceive TLS key handling as complex

• Secrets in environment variables / command lines easy to read from a shell account

• When did you last change your DB passwords??

• All network transport of secrets must be protected by, say, TLS

• …

HASHICORP VAULT

• Tool for secure access to secrets:

– Encryption of data at rest

– Elaborate access control concept

– Audit log of every access

• Support for dynamic secrets:

– E.g., on-the-fly setup of DB users with their respective roles and credentials

– Issuing of freshly created X.509 certificates

• One-time tokens, cubbyhole backend

• Many storage backends (filesystem, cloud storage, databases, Etcd, …)

• Revocation of individual leases as well as complete immediate system lock-down.

• Most parts open source (Mozilla Public License 2.0)

• One shared app image serves both as daemon and as command line interface

• Server exposes REST API

VAULT AUTHENTICATION

How to authenticate a vault client?• AppRole:

– Static Role Id / ephemeral Secret Id– Secret typically created by deployment

pipeline– Optional: Secret expires after use– Alternative: No secret, but CIDR

• AWS:– EC2 or IAM credentials– Trusts AWS signatures

• LDAP:– User credentials stored in LDAP / AD– Optional MFA

• GitHub:– GitHub personal access token

• Radius• Client certificates• Username / Password

Underlying Token Authentication:• Explicit or under the hood by other mechanisms• Tokens bound to policies (access control)• Tokens expire if not renewed• Tokens can be revoked by admin• Most REST requests require token in HTTP header

DEPLOYMENT CONSIDERATIONS

One-time tokens are great, but…

• App operation in container clusters becomes more and more popular

• Containers often replicated (scale out, disruption free deployments, …)

• Cluster may migrate / restart containers at any time

• So far no cluster hooks for automated re-creation of tokens (abuse potential!)

==> Multi-use secrets for container vault authentication

In the Deployment Pipeline:

vault write -f –format=json auth/approle/role/myapprole/secret-id |\

jq -r '.secret_id' |\

docker secret create myapprole_secretid -

docker service create --name=“myapp" \

--secret="myapprole_secretid" myapp:alpine

S P R I N GC L O U D V A U L T

SPRING CLOUD VAULT

Secret Bootstrapping:

• Adds PropertySource to Spring Environment (similar to Cloud Config client)

• Runs in bootstrapping phase

• App name + profiles translate in Vault paths:

{backendName}/{appName}/{appName-profile}

RestTemplates for Vault Access:

• Ease Vault use from custom code

• Examples:

– Storage of secrets at runtime

– Interactions with PKI backend

– Transit backend: Encryption as a service

CONFIG SERVER + VAULT

Git

App Imag

e

ConfigServer

App Instanc

e 1

App Instanc

e 2

App Instanc

e …

Build

Deploy

Pull

Fetc

h

Vault

S P R I N GC L O U D V A U L TE X T E N S I O N S

@ H A U F E

VAULT-BASEDCONFIG SERVER DISCOVERY

Issue:

• Even with secrets in Vault, configuration details give clues to potential attackers

==> Config Server access should require authorization

• Config Server passwords are secrets, belong into Vault

• Out of the box, config client won’t see properties fetched by vault client

(config client configuration too early in bootstrap process)

Solution:

• Leverage Cloud Config Discovery mechanism

• VaultPropertySourceLocator injected as @Resource into VaultBasedDiscoveryClient

PKI KEY- & TRUSTSTORE INTEGRATIONIssue:

• Keystore management (JCEKS, PKCS#12) cumbersome, frequent source of operation

errors

• Keystores in the file system should be password-protected

Solution:

• For (app) internal connections (= no “official” cert required):

– Leverage Vault’s PKI backend, issue certificates on-the-fly.

– Build on sample by Mark Paluch, extended with retrieval of trusted certificates

• For customer / partner facing clients & services:

– Represent key- and trust stores as JSON objects in Vault’s generic secret backend

– Auto-configuration for Web container & HTTP clients

• Fallback to keystores in the file system (for, e.g., local development, tests)

• Fallback to the trusted certificates of the runtime’s default X509TrustManager

• Python CLI / library for up- / download of key- & truststores into Vault