Secure + Dynamic App Config at GapTech
Transcript of Secure + Dynamic App Config at GapTech
Page 2: Speakers
• Nivesh Gopathi, Director Platform Services, GapTech
• Spencer Gibb, Software Engineer, Pivotal
Page 3: Introduction
• What is GapTech
• In Development / Pilot
• Disclaimer: Not an endorsement
Page 4: Overview
• Business Problem:
  – App Secrets
  – Dynamic Config
  – SCCS
• Challenges
• Solve:
  – App Secrets
  – Dynamic Config
  – Gotchas
• Next Up
• Q & A
Page 5: App Secrets
• Users, passwords, keys, tokens
• Requirements:
  – Distributed platform capability
  – Secure (at rest & in motion)
  – Consistent
  – Deep access control
  – Audit trail
  – Spring Boot/Cloud (primary)
  – Non-JVM (secondary)
Page 6: Dynamic Config
• Feature toggles/weights
  – Branch by abstraction
  – Kill switches
• Requirements:
  – Distributed platform capability
  – Timely (in seconds)
  – Consistent (across all live and future instances)
  – Deep access control
  – Audit trail
  – Spring Boot/Cloud (primary)
  – Non-JVM (secondary)
Page 7: Spring Cloud Config Server
• Server- and client-side support for managing externalized config
• Scalable
• Maps identically to the Spring Environment and PropertySource abstractions
• Leverage @ConfigurationProperties or @RefreshScope
• Default back-end: Git
• Details at http://projects.spring.io/spring-cloud/spring-cloud.html#_spring_cloud_config
• See Clint Checketts’ “Implementing Config Server And Extending It” talk
Page 8: Challenges
• Git is a shared log (mutable); it is not (and does not pretend to be) an audit trail
• Shows timestamps for local commits
• Not built for secrets management
• Hot, cross-DC Git replication strategy (tier 1 Prod system)
• Repo lockdown policies and processes
• Spring Cloud sidecars to support non-JVM apps
• See the “Moving From Monolithic Architecture To Spring Cloud And Microservices” talk
Page 9: Solve
• Let’s build a proprietary solution with a short-lived team to fill in the gaps
• Let’s collaborate with the broader community on a turnkey solution, for the community
Page 10: Vault
• Hashicorp Vault
  – Securely store and access secrets (with leasing)
  – Detailed audit log
    • Sanitized, simple logs
  – Token-based, fine-grained access control
  – LDAP integration, dynamic secrets for some systems
  – HA cluster (with Consul back-end)
  – Can be sealed on system compromise
  – https://github.com/hashicorp/vault
  – https://www.vaultproject.io/
  – See Mark Paluch’s “Managing Secrets At Scale” talk
Page 11: App Secrets - SCCS Integration
• Spring Cloud Config Vault integration
  – Vault as an SCCS Environment repository
  – Supports properties-style and nested keys for Vault
  – https://github.com/spring-cloud/spring-cloud-config
• App passes in its Vault access token
• Can use multiple back-end repos (Git and Vault)
• Can use with @ConfigurationProperties
• Make sure you mask secrets on the env end-point
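The integration this slide describes, written out as an added configuration example (it is not configuration from the GapTech or Pivotal deck): a config server that composes a Git backend for non-secret settings with a Vault backend for secrets, a client that passes its own Vault token, and the actuator env end-point with secret-bearing keys sanitized. It assumes Spring Cloud Config Camden (1.2.x) on Spring Boot 1.5; the hostnames, repository URL, `VAULT_TOKEN` variable and the `datasource.connection-string` key are placeholders.

```yaml
# ---- config server: application.yml ----
# Activating both profiles composes the two repositories into one Environment for the
# client. "order" sets precedence (as with Spring's Ordered, the lower value wins), so a
# secret in Vault overrides any same-named placeholder committed to Git.
spring:
  profiles:
    active: git,vault
  cloud:
    config:
      server:
        git:
          uri: https://git.example.internal/platform/app-config.git   # placeholder; non-secret config only
          order: 2
        vault:
          host: vault.example.internal      # placeholder
          port: 8200
          scheme: https                     # the app's token is forwarded on this hop; keep it TLS
          backend: secret                   # mount point of the generic/kv backend
          defaultKey: application           # shared secrets live under secret/application
          profileSeparator: ','             # per-app secrets live under secret/{app},{profile}
          order: 1

# ---- client: bootstrap.yml ----
spring:
  application:
    name: checkout                          # becomes the {app} segment of the Vault path
  cloud:
    config:
      uri: https://config.example.internal  # placeholder; TLS because the token rides in a header
      # Vault token for this app, sent to the server as the X-Config-Token header.
      # Supplied at deploy time through the environment, never committed with the app.
      token: ${VAULT_TOKEN}
      fail-fast: true                       # refuse to start without config rather than run on defaults

# ---- client: application.yml ----
# /env prints resolved property values. Boot 1.x already masks keys whose name matches
# password, secret, key, token, *credentials* or vcap_services; setting the property replaces
# that list, so the defaults are repeated and any custom key that may carry a secret is added.
endpoints:
  env:
    keys-to-sanitize: password,secret,key,token,.*credentials.*,vcap_services,datasource.connection-string
management:
  security:
    enabled: true                           # Boot 1.5 default, kept explicit: actuator stays authenticated
```

Two points worth checking in practice: a `GET /checkout/default` against the config server should show a `vault:checkout` property source ahead of the Git one, and `GET /env` on the client should render the sanitized keys as `******` rather than their values.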
Page 12: Diagram (image not in transcript) with the labels “Deploy Time” and “Startup Time”
Page 13: Consul
• Hashicorp Consul
  – Hierarchical key/value store (among other things)
  – Distributed HA, DC aware
  – Highly scalable (health checks with gossip protocol)
  – https://github.com/hashicorp/consul
  – https://www.consul.io/
  – See Spencer Gibb’s “Spring Cloud with Consul and Vault” talk
Page 14: Dynamic Config - SCCS Integration
• In progress
• Using @RefreshScope
  – /refresh end-point will blow away the proxy, lazy-load config on next call
  – Constructor may get called multiple times
  – Need to manage lifecycle
• Spring Cloud Config Consul watcher
  – Server-side watch for Consul paths/keys
  – Can define watch polling times
  – Triggers /refresh end-point on event
  – https://github.com/spring-cloud/spring-cloud-config
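The @RefreshScope gotchas on this slide, as an added Java example that is not code from the deck. It contrasts a read-only toggle bean, which uses @ConfigurationProperties and is rebound in place on /refresh, with a bean that owns a resource and therefore uses @RefreshScope and must release that resource in @PreDestroy, because the scope re-runs its constructor after each refresh. It assumes Spring Boot 1.5 with spring-cloud-starter-config (Camden) on the classpath; the package, class and `features.*` property names are hypothetical.

```java
// Added example, not from the GapTech/Pivotal deck. Assumes Spring Boot 1.5 + Spring Cloud Camden.
package com.example.dynamicconfig;

import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/**
 * Feature toggles as a plain @ConfigurationProperties bean. On POST /refresh Spring Cloud's
 * ConfigurationPropertiesRebinder rebinds the fields of this same instance: no constructor
 * re-run, no proxy, nothing to clean up. This is the right shape for values that are only read.
 */
@Component
@ConfigurationProperties(prefix = "features")   // hypothetical prefix, e.g. features.checkout-enabled
public class FeatureToggles {
    private boolean checkoutEnabled = true;      // kill switch, default on
    private int newSearchWeight = 0;             // percentage of traffic sent down the new branch

    public boolean isCheckoutEnabled() { return checkoutEnabled; }
    public void setCheckoutEnabled(boolean v) { checkoutEnabled = v; }
    public int getNewSearchWeight() { return newSearchWeight; }
    public void setNewSearchWeight(int v) { newSearchWeight = Math.max(0, Math.min(100, v)); }
}

/**
 * A bean that needs the new value at construction time and holds a resource. @RefreshScope
 * wraps it in a proxy; POST /refresh discards the current target, and the constructor runs
 * again on the next call through the proxy. Every instance must release what it acquired.
 */
@RefreshScope
@Component
class MetricsReporter {
    static final AtomicInteger CONSTRUCTIONS = new AtomicInteger();

    private final int intervalSeconds;
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();

    MetricsReporter(@Value("${features.report-interval-seconds:30}") int intervalSeconds) {
        this.intervalSeconds = intervalSeconds;
        CONSTRUCTIONS.incrementAndGet();         // grows by one per refresh, not once per JVM
    }

    @PostConstruct
    void start() {
        scheduler.scheduleAtFixedRate(this::report, 0, intervalSeconds, TimeUnit.SECONDS);
    }

    @PreDestroy
    void stop() {
        // RefreshScope runs destruction callbacks on the old target when it refreshes. Without
        // this, every /refresh leaks a thread (and anything that thread holds, such as connections).
        scheduler.shutdownNow();
    }

    private void report() {
        // emit metrics here
    }
}

/** Callers inject the beans and read through them on every request; they never cache a field. */
@Service
class CheckoutService {
    private final FeatureToggles toggles;
    private final MetricsReporter reporter;   // proxy: each call lands on the current target

    CheckoutService(FeatureToggles toggles, MetricsReporter reporter) {
        this.toggles = toggles;
        this.reporter = reporter;
    }

    boolean acceptOrder() {
        // Evaluated per request, so one /refresh flips the kill switch for a live instance
        // without a redeploy and without restarting the reporter's resources.
        return toggles.isCheckoutEnabled();
    }
}
```

A quick way to observe the gotcha is to watch `MetricsReporter.CONSTRUCTIONS` (or a thread dump) across a few `POST /refresh` calls: with the `@PreDestroy` method removed, the scheduler threads accumulate one per refresh; with it in place the count of live reporter threads stays at one while the constructor count still climbs.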
Page 15: Diagram (image not in transcript) with the label “Update time”
Page 16: Gotchas
• Consul DC awareness and quorum (use replicate – one way)
• Vault caching (across clusters)
• Multi-tenancy – Consul over-notification
• Config versioning strategy
• Token rotation may need a deployment
Page 17: Next up
• Consul watcher extension
• Vault HA improvements and UI
• Smart Spring Cloud Config clients for non-JVM apps
  – Python
  – Node.js
  – .NET
• PCF Tile
Page 18: Q & A
Page 19: Biography of the Presenter
Nivesh Gopathi is the Director of Platform Services at GapTech. Prior to joining Gap, he led automation and delivery teams at enterprises and upstarts.
Nivesh has a passion for enabling CD and DevOps. He has architected and delivered large-scale platform, cloud and container transformations on critical revenue-generating digital assets. He holds an MS in CS from the University of Missouri.
He can be reached via https://www.linkedin.com/in/niveshgopathi
Check out GapTech careers!
Page 20: References
• Spring Cloud Config
  – https://github.com/spring-cloud/spring-cloud-config
  – https://docs.pivotal.io/spring-cloud-services/config-server/
• Vault
  – https://github.com/hashicorp/vault
  – https://www.vaultproject.io/
• Consul
  – https://github.com/hashicorp/consul
  – https://www.consul.io/