Khosrow Moosavi presented how to integrate HashiCorp Vault into your Apache CloudStack Infrastructure-as-Code at the CloudStack Collab Conference of ApacheCon 2018.
4. What Vault does
● Secures, stores, and tightly controls access to
○ Tokens
○ Passwords
○ Certificates
○ API keys
○ and other secrets in modern computing
● Handles leasing, key revocation, key rolling, and auditing
● Encrypts and decrypts data without storing it (the Transit engine, which the Secure Configs feature on slide 13 relies on)
CloudOps.com | 4
5. Why Vault is useful
● Designed specifically for secrets storage
● Prevents developers/operations from reinventing the wheel
● Open source (Mozilla Public License 2.0) and community-driven
● Should be used for everything, not only CloudStack
7. Vault basic intro
Authentication Method
● Token
○ Fixed mechanism: a long-lived token written into the configuration
● AppRole
○ Dynamic mechanism: the machine presents a role id and a secret id and receives a short-lived token
Best Practice
"In practice, operators should not use the token create command to generate Vault tokens for users or machines. Instead, those users or machines should authenticate to Vault using any of Vault's configured auth methods such as GitHub, LDAP, AppRole, etc."
https://www.vaultproject.io/intro/getting-started/authentication.html#best-practice
10. IKEv2 VPN
● Implemented to replace L2TP
○ More secure: clients authenticate with certificates issued by Vault's PKI engine (slide 11) rather than the pre-shared key L2TP/IPsec depends on
○ Relatively faster
○ Supports multiple clients behind one corporate firewall (NAT)
● Enable IKEv2 VPN in Global Settings
○ remote.access.vpn.type : Type of VPN (ikev2 or l2tp)
11. IKEv2 VPN
● Global Settings for the Vault PKI backend (default in parentheses). Set either pki.engine.vault.token or the AppRole pair; following the best practice on slide 7, the AppRole pair is the one to use.
○ pki.engine.certificate.brand : Brand name to be used in the certificate's common name (CloudStack)
○ pki.engine.certificate.common.name : Certificate's common name template (__BRAND__ VPN __DOMAIN__ CA)
○ pki.engine.vault.cca.ttl : Vault PKI root CA TTL (2 days)
○ pki.engine.vault.enabled : Enable Vault as the backend PKI engine (false)
○ pki.engine.vault.mount.path : Vault PKI mount point prefix (pki/cloudstack)
○ pki.engine.vault.role.name : Vault PKI role name (cloudstack-vpn)
○ pki.engine.vault.role.ttl : Vault PKI role TTL (43800h)
○ pki.engine.vault.token : Token to access Vault (no default)
○ pki.engine.vault.token.role.id : AppRole role id used to fetch a token to access Vault (no default)
○ pki.engine.vault.token.secret.id : AppRole secret id used to fetch a token to access Vault (no default)
○ pki.engine.vault.ttl : Vault PKI TTL (87600h)
○ pki.engine.vault.url : Full URL of the Vault endpoint (no default)
13. Secure/Hidden Configs
● Implemented to replace DBEncryptionUtil
○ Offload CPU usage to Vault; the encryption key never leaves Vault
○ Much more secure than PBEWithMD5AndDES (the Jasypt scheme DBEncryptionUtil uses: 56-bit DES with an MD5-derived key)
● Enable Secure Configs in Global Settings
○ secure.configs.vault.enabled : true
14. Secure/Hidden Configs
● Global Settings for the Vault Transit backend (default in parentheses)
○ secure.configs.vault.enabled : Enable Vault as the backend Transit engine (false)
○ secure.configs.vault.key.name : Vault Transit key name (cloudstack-transit)
○ secure.configs.vault.mount.path : Vault Transit mount point prefix (transit/cloudstack)
○ secure.configs.vault.token : Token to access Vault (no default)
○ secure.configs.vault.token.role.id : AppRole role id used to fetch a token to access Vault (no default)
○ secure.configs.vault.token.secret.id : AppRole secret id used to fetch a token to access Vault (no default)
○ secure.configs.vault.url : Full URL of the Vault endpoint (no default)
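The three Vault exchanges the settings on slides 7, 11 and 14 describe, as an added example that is not code from the talk or from CloudStack: an AppRole login with a role id and secret id (no static token in configuration), a Transit encrypt/decrypt round trip against the transit/cloudstack mount and the cloudstack-transit key, and a certificate request against the pki/cloudstack mount with the cloudstack-vpn role. Endpoint paths and JSON fields follow Vault's HTTP API; the Vault URL, role id, secret id and the common name are placeholders, the least-privilege policy is my assumption of the minimal path set, and FakeVault is a constructed stand-in that answers with Vault's response shapes so the script runs offline.

```python
import base64
import json
import urllib.request


class VaultClient:
    """Minimal Vault HTTP client: AppRole login, Transit encrypt/decrypt, PKI issue."""

    def __init__(self, url, transport=None):
        self.url = url.rstrip("/")
        self.token = None  # filled by approle_login; never read from config
        # transport(path, body, token) -> parsed JSON; default is real HTTPS
        self._transport = transport or self._http_post

    def _http_post(self, path, body, token):
        req = urllib.request.Request(
            f"{self.url}/v1/{path}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verified by default
            return json.load(resp)

    def _post(self, path, body):
        return self._transport(path, body, self.token)

    def approle_login(self, role_id, secret_id):
        # The dynamic mechanism of slide 7: exchange role_id + secret_id for a
        # short-lived client token instead of shipping a static token.
        out = self._post("auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
        self.token = out["auth"]["client_token"]
        return out["auth"]["lease_duration"]  # seconds; re-login or renew before expiry

    def transit_encrypt(self, mount, key, plaintext):
        # Transit takes base64 plaintext and returns "vault:v<N>:<blob>", where
        # N is the key version; the key itself never leaves Vault.
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        return self._post(f"{mount}/encrypt/{key}", body)["data"]["ciphertext"]

    def transit_decrypt(self, mount, key, ciphertext):
        out = self._post(f"{mount}/decrypt/{key}", {"ciphertext": ciphertext})
        return base64.b64decode(out["data"]["plaintext"])

    def pki_issue(self, mount, role, common_name, ttl):
        out = self._post(f"{mount}/issue/{role}", {"common_name": common_name, "ttl": ttl})
        d = out["data"]
        return d["certificate"], d["private_key"], d["issuing_ca"]


def transit_key_version(ciphertext):
    """Key version baked into a Transit ciphertext; after a key rotation, old
    values still decrypt but should be re-wrapped via <mount>/rewrap/<key>."""
    prefix, version, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a Transit ciphertext")
    return int(version[1:])


def least_privilege_policy(transit_mount, transit_key, pki_mount, pki_role):
    """HCL policy for the CloudStack AppRole: only the three operations the
    settings imply (assumed minimal set; widen only if a feature needs more)."""
    paths = [
        f"{transit_mount}/encrypt/{transit_key}",
        f"{transit_mount}/decrypt/{transit_key}",
        f"{pki_mount}/issue/{pki_role}",
    ]
    return "\n".join(f'path "{p}" {{\n  capabilities = ["update"]\n}}' for p in paths)


class FakeVault:
    """Constructed stand-in answering with Vault's response shapes (offline only)."""

    def __init__(self):
        self.store = {}  # ciphertext -> base64 plaintext

    def __call__(self, path, body, token):
        if path == "auth/approle/login":
            if not (body.get("role_id") and body.get("secret_id")):
                raise PermissionError("400 missing role_id or secret_id")
            return {"auth": {"client_token": "hvs.fake", "lease_duration": 3600}}
        if token != "hvs.fake":
            raise PermissionError("403 permission denied")  # no token, no service
        if "/encrypt/" in path:
            ct = f"vault:v1:{len(self.store)}"
            self.store[ct] = body["plaintext"]
            return {"data": {"ciphertext": ct}}
        if "/decrypt/" in path:
            return {"data": {"plaintext": self.store[body["ciphertext"]]}}
        if "/issue/" in path:
            return {"data": {"certificate": f"CERT CN={body['common_name']}",
                             "private_key": "KEY", "issuing_ca": "CA"}}
        raise KeyError(path)


def demo(transport=None):
    # URL, role_id and secret_id are placeholders; real values come from the
    # *.vault.url / *.token.role.id / *.token.secret.id Global Settings.
    v = VaultClient("https://vault.example.internal:8200", transport)
    v.approle_login("ROLE_ID_PLACEHOLDER", "SECRET_ID_PLACEHOLDER")
    ct = v.transit_encrypt("transit/cloudstack", "cloudstack-transit", b"db-password")
    pt = v.transit_decrypt("transit/cloudstack", "cloudstack-transit", ct)
    cert, _key, _ca = v.pki_issue("pki/cloudstack", "cloudstack-vpn", "vpn.example.com", "43800h")
    return ct, pt, cert


if __name__ == "__main__":
    print(demo(FakeVault()))
```

Run as-is it goes through FakeVault; pass transport=None to talk to a real Vault over HTTPS, where urllib verifies the server certificate, so the Vault endpoint must present a certificate the management server trusts. The token only ever lives in memory and is obtained per process, which is the point of the AppRole pair in the settings. Load the policy with the vault CLI (vault policy write) and bind it to the AppRole before handing the role id and secret id to CloudStack; anything outside those three paths is then refused with a 403.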
17. Future Enhancements
● Generate dynamic database credentials instead of the fixed root:cloud and cloud:cloud
● Generate SSH keys for SystemVMs instead of building and injecting them locally
● Use One-Time SSH Passwords to connect to SystemVMs instead of, or alongside, the random password
● ...