Bulletproof Microservices with Spring and Kubernetes

•Download as PPTX, PDF•

0 likes•438 views

VMware Tanzu

SpringOne 2020 Bella Bai: Software Engineer, VMware; Ollie Hughes: Senior Member of Technical Staff, Spring, VMware

Software

Bullet-proof Microservices
with Spring & Kubernetes
September 2–3, 2020
springone.io
1

About us
2
● Bella Bai
○ Yuxin Bai
○ 白玉欣
● Servant of two rescued
kitties

About us
3
● Oliver Hughes
○ Ollie
○ @olliehughes82

Pod
6
Deploying apps to Kubernetes
Pod
Animal Rescue
Spring Boot App
Container
Image
Registry
Partner Adoption
Center
Node.js App
Container
ReplicaSet
Deployment
ReplicaSet
Deployment
Service
Service
👩
🧑
💻

8
🧑
💻
Basic Authentication
Username
Password

So, back to this diagram...
10
🧑
💼
Username
Password
✓

Wait, HTTP is not encrypted...
14
🙅
♀️
Username
Password
🧑
🧑
♀️

Need to enable TLS, but how?
15
● Pick a Certificate Authority (CA)
● Manage certificates (issue/update/renew)
● Enable TLS on servers Or
Ingress

ACME HTTP01 Challenge
16
🙋
Need a cert for
animalrescue.online
plzzzz.

ACME HTTP01 Challenge
17
🙆
Here is a token,
Serve it up with your server,
I will check later.
Token

ACME HTTP01 Challenge
18
🧑
💻
📄 with token

ACME HTTP01 Challenge
19
💁
Ready for action!

ACME HTTP01 Challenge
2
0
💁
Retrieve and verify the file from
http://animalrescue.online/.well-
known/acme-challenge/<TOKEN>

ACME HTTP01 Challenge
21
🙇
I trust this account.
I will grant a valid cert -
On their next request.

ACME HTTP01 Challenge
2
2
🧑
Retrieve cert

ACME HTTP01 Challenge
2
3
🧑
♀️
Retrieve cert

Now the communication is secured
2
5
💁 Username
Password
🙈

But I want to use my GitHub account!
2
6
🙅
♀️
Username
Password

But OAuth2 is for users, what about machines?
2
9
🧑

Clients can prove their identities too!
3
0
🧑
⚖️ Private
Certificate
Authority
IssueIssue
Mutual TLS

How to mTLS in k8s?
31
Create CA certificate
with a self-signed
issuer
Create CA issuer
with the created
CA certificate
Issue certificates
with the created CA
issuer
Mount certificates
on app deployments
Update apps
to use the mounted
certificate for mTLS
Step by step guide: https://blog.jetstack.io/blog/securing-mysql-with-cert-manager/

Autocert makes mTLS easier
3
2
Create CA certificate
with a self-signed
issuer
Create CA issuer
with the created
CA certificate
Create certificates
with the created CA
issuer
Mount certificates
on app deployments
Update apps
to use the mounted
certificate for mTLS

A few notes about Autocert
3
4
● Pros:
○ Certificates are generated and only available within the pod
○ Easy to set up and run - just one annotation needed
○ Perfect for apps that already know how to handle mTLS
● Cons:
○ Need to add some code to:
■ Load the certs and keys
■ Watch for file changes on cert rotation
○ No fine-grained access control

Automating mTLS with Service Mesh
3
5
Tanzu Service
Mesh Istio
Tanzu Service Mesh: https://docs.vmware.com/en/VMware-Tanzu-Service-Mesh/services/concepts-guide/GUID-9E3F1F90-4310-415B-98C8-C06E59B8A5EE.html
Traefik: https://docs.traefik.io/https/tls/#client-authentication-mtls
Istio: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication
Linkerd: https://linkerd.io/2/features/automatic-mtls/

https://github.com/LittleBaiBai/animal-rescue
Check out our repo

Bella Bai
LittleBaiBai bellalleb_bai
Oliver Hughes
@olliehughes82
#springone@s1p
Stay Connected.

What's hot

What Is Spring?

VMware Tanzu

What’s New in Spring Data MongoDB

VMware Tanzu

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures. 1. Be Secure by Design 2. Scan Dependencies 3. Use HTTPS Everywhere 4. Use Access and Identity Tokens 5. Encrypt and Protect Secrets 6. Verify Security with Delivery Pipelines 7. Slow Down Attackers 8. Use Docker Rootless Mode 9. Use Time-Based Security 10. Scan Docker and Kubernetes Configuration for Vulnerabilities 11. Know Your Cloud and Cluster Security Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Security Patterns for Microservice Architectures - SpringOne 2020

Matt Raible

Going Serverless Using the Spring Framework Ecosystem

VMware Tanzu

Observability Enhancements in Steeltoe

VMware Tanzu

Make Spring Home (Spring Customization and Extensibility)

VMware Tanzu

State of Steeltoe 2020

VMware Tanzu

The Path Towards Spring Boot Native Applications

VMware Tanzu

Spring Boot Whirlwind Tour

VMware Tanzu

Spring Data JDBC: Beyond the Obvious

VMware Tanzu

Resilient Microservices with Spring Cloud

VMware Tanzu

Not Just Initializing

VMware Tanzu

Spring: Your Next Java Micro-Framework

VMware Tanzu

Fundamental Spring Boot: Keep it Simple, Get it Right, Be Productive and Have...

VMware Tanzu

Welcome to the Metrics

VMware Tanzu

Introduction to WebMvc.fn

VMware Tanzu

Connecting Spring Apps to Distributed SQL Clusters Running in Kubernetes

VMware Tanzu

“Sh*^%# on Fire, Yo!”: A True Story Inspired by Real Events

VMware Tanzu

RESHMI KRISHNA SENIOR CLOUD APPLICATION & PLATFORM ARCHITECT, PIVOTAL VINAY UPADHYA ADVISORY PLATFORM ARCHITECT, PIVOTAL TDD introduced many improvements into the development process with the biggest advantage relating to code design. As we move to a microservices based architecture, TDD becomes hard to implement across teams building different codebases. Consumer driven contracts (CDC) is like TDD but applied at the API level and is becoming more relevant in the world of microservices. It is a pattern for specifying and verifying interactions between different modules of an application. Spring Cloud Contract provides support for Consumer Driven Contracts and service schemas in Spring applications, covering a range of options for writing tests, publishing them as assets, asserting that a contract is kept by producers and consumers, for HTTP and message-based interactions. In this session, you will learn how we can implement TDD in microservices based architecture using Spring Cloud Contracts.

TDD for Microservices

VMware Tanzu

Spring Boot—Production Boost

VMware Tanzu

What's hot (20)

What Is Spring?

What’s New in Spring Data MongoDB

Security Patterns for Microservice Architectures - SpringOne 2020

Going Serverless Using the Spring Framework Ecosystem

Observability Enhancements in Steeltoe

Make Spring Home (Spring Customization and Extensibility)

State of Steeltoe 2020

The Path Towards Spring Boot Native Applications

Spring Boot Whirlwind Tour

Spring Data JDBC: Beyond the Obvious

Resilient Microservices with Spring Cloud

Not Just Initializing

Spring: Your Next Java Micro-Framework

Fundamental Spring Boot: Keep it Simple, Get it Right, Be Productive and Have...

Welcome to the Metrics

Introduction to WebMvc.fn

Connecting Spring Apps to Distributed SQL Clusters Running in Kubernetes

“Sh*^%# on Fire, Yo!”: A True Story Inspired by Real Events

TDD for Microservices

Spring Boot—Production Boost

Similar to Bulletproof Microservices with Spring and Kubernetes

Microservices security - jpmc tech fest 2018

MOnCloud

OAuth for QuickBooks Online REST Services

Intuit Developer

Managing secrets in a distributed cloud world requires a new approach to security. Applications and systems are now frequently created and destroyed. The network between distributed clouds, applications, and systems is low-trust, furthering the complexities of secrets sprawl. So, what is the solution? HashiCorp Vault seeks to solve the problem of secret sprawl by centralizing secrets management in a scalable, repeatable workflow to be able to create, manage, and revoke secrets as needed. Watch this webinar to learn: - How Vault addresses today’s security threats - How security teams can use Vault to store and manage all their secrets across their private and public infrastructure, globally. - How Adobe reduced secret sprawl, increased operational performance of a key security process, and processes 100 trillion transactions with Vault For full webinar recording: https://hashicorp.com/resources/eliminating-secret-sprawl-in-the-cloud

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018

HashiCorp

If you ever had to deal with identity within your solutions then this is the session for you. Join JP and Christos to find out how to implement authentication and authorization for your mobile apps and back-end services using the Microsoft Identity platform. We will show you how to use our libraries to quickly connect to our platform and authenticate your users in a few, basic steps. Get ready for demos and examples the highlight how the Microsoft Identity Platform allows you to create scalable and secure applications.

"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...

Fwdays

Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...

Angel Alberici

Learn how to use AWS services to automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps. In this session, we will provide an overview of the various AWS development and deployment services and when best to use them. We will show how to build a fully automated infrastructure and software delivery pipeline with AWS CodePipeline, AWS CodeBuild, AWS CloudFormation and AWS CodeDeploy. At the end of the session, a GitHub repository of AWS CloudFormation templates will be provided so you can quickly deploy the same pipeline to your AWS account(s).

DevOps Tooling - Pop-up Loft TLV 2017

Amazon Web Services

Integrating Okta with Anypoint Platform for a mobile security use case

Bahman Kalali

Ahmadabad mule soft_meetup_6march2021_azure_CICD

Shekh Muenuddeen

Building APIs in a Cloud Native Era

Nuwan Dias

apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias

apidays

Créer une App Microsoft Teams : REX - Replay Microsoft Experiences 2018

Guillaume Meyer

Indianapolis_meetup_April-1st-2022.pptx

ikram_ahamed

Deep Dive on CI/CD NYC Meet Up Group

NeerajKumar1965

Ultimate Guide to Microservice Architecture on Kubernetes

kloia

Meetup bangalore-may22nd2021

pruthviraj krishnam

Sydney mule soft meetup 30 april 2020

Royston Lobo

Building APIs with Mule and Spring Boot

Guilherme Pereira Silva

Deep Dive on Continuous Integration and Continuous Delivery in Anypoint Platf...

NaimishKakkad2

With container adoption on a meteoric rise, Kubernetes is often considered a “silver bullet” in the world of container deployment and management. While Kubernetes enables DevOps and continuous delivery – traditional compliance controls built for static environments are now a thing of the past. So, how do you deploy a Kubernetes cluster to meet rigorous compliance requirements while maintaining DevOps speed and scale? Katie Paugh, the DevOps Team Lead at Lola, recently went through the process when she migrated their services to Kubernetes while maintaining PCI DSS compliance. In this webinar, Katie will discuss compliance edge cases specific to Kubernetes and other lessons learned from her experience.

Deploying Compliant Kubernetes: Real World Edge Cases

DevOps.com

Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is, that barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise. Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage. But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization? Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

Priyanka Aash

Similar to Bulletproof Microservices with Spring and Kubernetes (20)

Microservices security - jpmc tech fest 2018

OAuth for QuickBooks Online REST Services

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018

"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...

Sustainability Challenge, Postman, Rest sheet and Anypoint provider : MuleSof...

DevOps Tooling - Pop-up Loft TLV 2017

Integrating Okta with Anypoint Platform for a mobile security use case

Ahmadabad mule soft_meetup_6march2021_azure_CICD

Building APIs in a Cloud Native Era

apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias

Créer une App Microsoft Teams : REX - Replay Microsoft Experiences 2018

Indianapolis_meetup_April-1st-2022.pptx

Deep Dive on CI/CD NYC Meet Up Group

Ultimate Guide to Microservice Architecture on Kubernetes

Meetup bangalore-may22nd2021

Sydney mule soft meetup 30 april 2020

Building APIs with Mule and Spring Boot

Deep Dive on Continuous Integration and Continuous Delivery in Anypoint Platf...

Deploying Compliant Kubernetes: Real World Edge Cases

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

Recently uploaded

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

How To Use Server-Side Rendering with Nuxt.js

Andolasoft Inc

Software Quality Assurance Interview Questions

Arshad QA

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, etc. Performance can be dialed UP (and back down) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

ryanfarris8

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live Booking Contact Details :- WhatsApp Chat :- [+91-9999965857 ] The Best Call Girls Delhi At Your Service Russian Call Girls Delhi Doing anything intimate with can be a wonderful way to unwind from life's stresses, while having some fun. These girls specialize in providing sexual pleasure that will satisfy your fetishes; from tease and seduce their clients to keeping it all confidential - these services are also available both install and outcall, making them great additions for parties or business events alike. Their expert sex skills include deep penetration, oral sex, cum eating and cum eating - always respecting your wishes as part of the experience (29-April-2024(PSS)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

HR Software Buyers Guide in 2024 - HRSoftware.com

Fatema Valibhai

Diamond Application Development Crafting Solutions with Precision

SolGuruz

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

Recently uploaded (20)

10 Trends Likely to Shape Enterprise Technology in 2024

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

Unlocking the Future of AI Agents with Large Language Models

VTU technical seminar 8Th Sem on Scikit-learn

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

Optimizing AI for immediate response in Smart CCTV

Microsoft AI Transformation Partner Playbook.pdf

AI & Machine Learning Presentation Template

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

A Secure and Reliable Document Management System is Essential.docx

How To Use Server-Side Rendering with Nuxt.js

Software Quality Assurance Interview Questions

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

HR Software Buyers Guide in 2024 - HRSoftware.com

Diamond Application Development Crafting Solutions with Precision

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Bulletproof Microservices with Spring and Kubernetes

1. Bullet-proof Microservices with Spring & Kubernetes September 2–3, 2020 springone.io 1

2. About us 2 ● Bella Bai ○ Yuxin Bai ○ 白玉欣 ● Servant of two rescued kitties

3. About us 3 ● Oliver Hughes ○ Ollie ○ @olliehughes82

4. 4 What is a Bullet-proof microservice?

5. 5 🧑 💼 As developers, we want… 💻 🍕🎮

6. Pod 6 Deploying apps to Kubernetes Pod Animal Rescue Spring Boot App Container Image Registry Partner Adoption Center Node.js App Container ReplicaSet Deployment ReplicaSet Deployment Service Service 👩 🧑 💻

7. Demo - Deploy Animal Rescue

8. 8 🧑 💻 Basic Authentication Username Password

9. Demo - Add Basic Auth

10. So, back to this diagram... 10 🧑 💼 Username Password ✓

11. Non-Spring apps? 11 🧑 ❔ ✓

12. Add a layer in between! 12 🧑 💼

13. Demo - Use Ingress

14. Wait, HTTP is not encrypted... 14 🙅 ♀️ Username Password 🧑 🧑 ♀️

15. Need to enable TLS, but how? 15 ● Pick a Certificate Authority (CA) ● Manage certificates (issue/update/renew) ● Enable TLS on servers Or Ingress

16. ACME HTTP01 Challenge 16 🙋 Need a cert for animalrescue.online plzzzz.

17. ACME HTTP01 Challenge 17 🙆 Here is a token, Serve it up with your server, I will check later. Token

18. ACME HTTP01 Challenge 18 🧑 💻 📄 with token

19. ACME HTTP01 Challenge 19 💁 Ready for action!

20. ACME HTTP01 Challenge 2 0 💁 Retrieve and verify the file from http://animalrescue.online/.well- known/acme-challenge/<TOKEN>

21. ACME HTTP01 Challenge 21 🙇 I trust this account. I will grant a valid cert - On their next request.

22. ACME HTTP01 Challenge 2 2 🧑 Retrieve cert

23. ACME HTTP01 Challenge 2 3 🧑 ♀️ Retrieve cert

24. Demo - Enable TLS

25. Now the communication is secured 2 5 💁 Username Password 🙈

26. But I want to use my GitHub account! 2 6 🙅 ♀️ Username Password

27. OAuth 2 2 7 🙋 ♀️

28. Demo - OAuth 2 with oauth-proxy

29. But OAuth2 is for users, what about machines? 2 9 🧑

30. Clients can prove their identities too! 3 0 🧑 ⚖️ Private Certificate Authority IssueIssue Mutual TLS

31. How to mTLS in k8s? 31 Create CA certificate with a self-signed issuer Create CA issuer with the created CA certificate Issue certificates with the created CA issuer Mount certificates on app deployments Update apps to use the mounted certificate for mTLS Step by step guide: https://blog.jetstack.io/blog/securing-mysql-with-cert-manager/

32. Autocert makes mTLS easier 3 2 Create CA certificate with a self-signed issuer Create CA issuer with the created CA certificate Create certificates with the created CA issuer Mount certificates on app deployments Update apps to use the mounted certificate for mTLS

33. Demo - mTLS with Autocert

34. A few notes about Autocert 3 4 ● Pros: ○ Certificates are generated and only available within the pod ○ Easy to set up and run - just one annotation needed ○ Perfect for apps that already know how to handle mTLS ● Cons: ○ Need to add some code to: ■ Load the certs and keys ■ Watch for file changes on cert rotation ○ No fine-grained access control

35. Automating mTLS with Service Mesh 3 5 Tanzu Service Mesh Istio Tanzu Service Mesh: https://docs.vmware.com/en/VMware-Tanzu-Service-Mesh/services/concepts-guide/GUID-9E3F1F90-4310-415B-98C8-C06E59B8A5EE.html Traefik: https://docs.traefik.io/https/tls/#client-authentication-mtls Istio: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication Linkerd: https://linkerd.io/2/features/automatic-mtls/

36. https://github.com/LittleBaiBai/animal-rescue Check out our repo

37. Bella Bai LittleBaiBai bellalleb_bai Oliver Hughes @olliehughes82 #springone@s1p Stay Connected.

Bulletproof Microservices with Spring and Kubernetes

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Bulletproof Microservices with Spring and Kubernetes

Similar to Bulletproof Microservices with Spring and Kubernetes (20)

More from VMware Tanzu

More from VMware Tanzu (20)

Recently uploaded

Recently uploaded (20)

Bulletproof Microservices with Spring and Kubernetes