A way to share secrets in your pipeline - Hashidays 2018
•Download as PPTX, PDF•
3 likes•8,587 views
On hybrid platform (cloud and on premise), Renault and D2SI worked on a simple and secure solution to implement a centralized secret management using Vault. In this talk, Julien will explain how in close collaboration with Mehdi and the team at D2SI have implemented a way to consume secrets in the CI / CD chain with different mechanisms to provide and share secrets in containers and pipelines.
Recommended
Recommended
More Related Content
Similar to A way to share secrets in your pipeline - Hashidays 2018
Similar to A way to share secrets in your pipeline - Hashidays 2018 (20)
More from Devoteam Revolve
More from Devoteam Revolve (20)
Recently uploaded
Recently uploaded (20)
A way to share secrets in your pipeline - Hashidays 2018
- 1. VA U LT H a s h i D a y s A m s t e r d a m JUNE 25-27
- 3. RENAULT PRESENTATION 3 June 25-27 Hashidays Amsterdam Renault and Nissan have been strategic partners since 1999, forming a one-of-a-kind alliance in the automotive world. Arsonneau julien Devops Engineer
- 4. D2SI ACADEMY June 25-27 Hashidays Amsterdam4 EXPERIMENTTHEORY SOCIAL AND ME MEHDI LARUELLE
- 6. CONTEXT 6 # G L O B A L S O L U T I O N S O F S E C R E T S # S E C U R I T Y A P P r o l e R a d i u s L d a p # M U LT I E N V I R O N M E N T P u b l i c C l o u d / P r i v a t e C l o u d June 25-27 Hashidays Amsterdam # F O R P I P E L I N E G i t l a b J e n k i n s # A P P W I T H C O N TA I N E R E C S S w a r m # D E V O P S S E C R E T S U n b o a r d i n g / t e r r a f o r m
- 9. PROJECT LIFE CYCLE 9 4 P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam
- 10. PROVISIONING 10 PIPELIN E A C TOR S OPERATOR RADIUS Authentication Policy to create or update secrets ORCHESTRATOR TOKEN Authentication Policy to create only Secret ID for specific project PROJECT Role IDSecret ID TOKEN Policy by project environment (dev, prod) APPROLE Authentication P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam
- 11. PROVISIONING 11 POLIC IES & R OLE ID PROJECT OPERATOR 3. Adjust the policies & path for Project need ORCHESTRATOR 5. Terraform plan & apply inside CI/CD P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam
- 12. PROVISIONING 12 PR OJEC T POLIC Y FOR D EV /secret P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E /secret/projects /secret/projects/coachdevops /secret/projects/coachdevops/dev /secret/projects/coachdevops/dev/keys/* /secret/projects/coachdevops/ dev/db/adm /secret/projects/coachdevops/ dev/db/rw /secret/projects/coachdevops/ dev/db/r /secret/projects/coachdevops/dev/keys /secret/projects/coachdevops/dev/db/secret/projects/coachdevops/dev/idp June 25-27 Hashidays Amsterdam
- 13. June 25-27 Hashidays Amsterdam13 PROVISIONING P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E Terraform.tfvars Variables.tf St ep 5: Plan and apply Terraf orm f iles in C I/C D
- 14. TOOLS UPDATE 14 P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam Specific Policy to create or update Approle Call script Tools
- 15. HUMAN UPDATE 15 P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam UI Product owner,DBA, Storage admin, etc Radius/LDAP
- 16. HUMAN UPDATE 16 P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E June 25-27 Hashidays Amsterdam DEMONSTRATION /secret /secret/projects /secret/projects/coachdevops /secret/projects/coachdevops/dev /secret/projects/coachdevops/dev/keys/* /secret/projects/coachdevops/ dev/db/adm /secret/projects/coachdevops/ dev/db/rw /secret/projects/coachdevops/ dev/db/r /secret/projects/coachdevops/dev/keys /secret/projects/coachdevops/dev/db/secret/projects/coachdevops/dev/idp /secret/projects/coachdevops/dev/key By UIBy script
- 17. APP ROLE DEFINITION 17 June 25-27 Hashidays Amsterdam P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E 1. Create policy and role for apps 2. Get Role ID 3. Generate a new Secret ID 4. Deliver Role ID 5. Deliver Secret ID 7. Return a token ADMIN APP
- 18. TRANSITION 18 June 25-27 Hashidays Amsterdam P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E Wrap with RoleId + Role Name Define variables on ci tools
- 19. June 25-27 Hashidays Amsterdam19 getSecretID 2 Set Role Name 3 Authenticate with Orchestrator Token 4 Deliver Wrap with Secret ID 5Get Wrap 6 Set Role ID Set Secret ID 7 Authenticate With Role ID + Secret ID 8 Deliver Secrets CI / CD Pipeline PROJECT TEAM 1 Launch Job / Pipeline P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E
- 20. DELIVERY OF GETSECRETID 20 June 25-27 Hashidays Amsterdam P R O V I S I O N N I N G T O O L S U P D A T E H U M A N U P D A T E P I P E L I N E U S E CRONJOB OPS AUTHENTICATE WITH OPS TOKEN OR APP ROLE GENERATE ORCHESTRATOR TOKEN
- 21. TH A N K YOU ! H a s h i D a y s A m s t e r d a m
Editor's Notes
- 0,10
- 1’40 Julien 1’ 5 Billions euros 10,6 Millions Aliance
- 3,10 Mehdi 1’30
- 6’10 Julien 3’
- 7’ Mehdi 1’
- 8’ Mehdi
- 11’ Mehdi 3’ 2 tokens pour les projets (prod, non prod)
- 14’ Mehdi 3’
- 16’ Mehdi 2‘ Retiré des paths -> donné aux projets -> Visu graphique
- 18’ Mehdi 2’
- 19’ Mehdi 1’
- 20’ Julien 1’
- 21’ Julien 1’
- 22’ Julien 1’
- 23’30 Julien 1’30
- 26’30 Julien 3’
- 28’30 Julien 2’