Vault integrated with mesos/marathon. Good practices


Ignacio Tolstoy

Feb 23, 2016, 5:24:17 AM
to Vault
Hi all.

I've been checking Vault as our password manager for many of our apps.

Our current infrastructure is:

Mesos with Marathon and Chronos
Drone for image building
Registry for Docker images

Right now we don't have a security system. Our drone injects the needed keys in the marathon.json tasks definitions.

The problem with this approach is that any user is able to see passwords in the marathon ui. Not a very nice thing.

We have been experimenting a bit with vault and reading the docs and some threads here.

I saw a very neat approach of creating a one-use token for a specific app and using this token to retrieve the required credentials.

I've thought that maybe in drone I can request a token from vault and inject the token in marathon. The app will use this token to retrieve its credentials.

This works and is nice, but has a problem. Marathon restarts the apps if they crash or there is some problem. So this token will not be valid anymore and the app will not work.

Not very nice.

I've been thinking about this problem and how to solve it. I could create an executor that will handle the token refresh and inject it. But it seems like a lot of work and maintenance.

Have others here been thinking about how to integrate vault with marathon and mesos?
What are your ideas, or how would you approach it?

Thanks,

Ignacio
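
The exposure described above (plaintext keys in Marathon task definitions, visible to anyone with UI/API access) can be checked for before and after moving to Vault. The script below is an added example, not code from the thread: it scans the JSON that Marathon's `GET /v2/apps` returns (the same data the UI renders) for `env` entries that look like credentials, flagging both secret-like variable names and long high-entropy values. The app ids and values are constructed for the example.

```python
import json
import math
import re

# Constructed sample of a Marathon /v2/apps response; ids and values are made up.
SAMPLE_APPS = json.dumps({
    "apps": [
        {"id": "/billing/api",
         "env": {"DB_HOST": "db.internal",
                 "DB_PASSWORD": "Tr0ub4dor&3",
                 "AWS_SECRET_ACCESS_KEY": "constructedSecretValue1234",
                 "CACHE_SEED": "q8Zf3LmX2vBn9KdT7sW1"}},
        {"id": "/frontend",
         "env": {"API_URL": "http://billing.api", "LOG_LEVEL": "info"}},
    ]
})

# Variable names that usually carry a credential rather than plain config.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|PRIVATE|CREDENTIAL|API_?KEY)", re.I)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_plaintext_secrets(apps_json, min_len=16, entropy_threshold=3.5):
    """Return [(app_id, env_key, reason)] for env entries that look like secrets.

    Keys are visited in sorted order so the output is stable across runs.
    """
    findings = []
    for app in json.loads(apps_json).get("apps", []):
        for key, value in sorted(app.get("env", {}).items()):
            if not isinstance(value, str):
                continue  # newer Marathon versions allow secret references here
            if SECRET_KEY_RE.search(key):
                findings.append((app["id"], key, "secret-like variable name"))
            elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append((app["id"], key, "high-entropy value"))
    return findings


if __name__ == "__main__":
    for app_id, key, reason in find_plaintext_secrets(SAMPLE_APPS):
        print(f"{app_id}: {key} ({reason})")
```

A short-lived Vault token injected the same way is still visible in the UI, so the value of the approach in the thread comes from its limited lifetime and uses, not from hiding it.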

Jeff Mitchell

Mar 1, 2016, 11:04:56 PM
to vault...@googlegroups.com
Hi Ignacio,

Sorry I haven't gotten back earlier about this, but I was waiting
while we worked through some planning, and now can give some more
detail: you may want to look at the changes in
https://github.com/hashicorp/vault/pull/1155 which will be in 0.5.2;
it will make this use-case much easier by allowing some approaches
where the executor doesn't have to deal with refreshing the token
after injecting it, and where the executor's token doesn't need to
have the full superset of all policies for apps.

In the next couple of releases of Nomad we'll be working on
Nomad/Vault integration, and I'm guessing some of the same paradigms
could work well for Mesos as well, although they may require a Mesos
framework to be built to be truly first-class.

Of course, I can't not mention the fact that Nomad 0.3
(https://www.hashicorp.com/blog/nomad-0.3.html) has cron-like periodic
jobs, similar to Chronos...

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/f9bed310-225f-4c4c-9af4-e585755397c3%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Ignacio Tolstoy

Jun 29, 2016, 11:59:31 AM
to Vault
Hi Jeff! Sorry for the very late response. I missed the message notification somehow.

I'll check what you said, since I have this as an open problem still.

Regarding Nomad: we considered it when it was on 0.1, but it still had a few things missing and we didn't consider the project stable enough for us.
Anyway, in a few months we will do a re-check of our tech and consider it again.

ckym

Sep 30, 2016, 12:14:11 PM
to Vault
Hi Ignacio,
I'd be interested in learning what approach you ended up taking for your scenario.
I'm looking into a very similar scenario with Mesos/Marathon deploying Docker containers, and am trying to find a good way to "inject" the limited use/duration token for the app running within the container to use to retrieve the permanent token.

Jeff Mitchell

Sep 30, 2016, 12:30:18 PM
to vault...@googlegroups.com

You may want to look at the talk by Alex Dadgar from HashiConf 2016 that details Nomad/Vault integration, as it uses our recommended workflow.

Best,
Jeff


ckym

Oct 4, 2016, 3:53:59 PM
to Vault
Thanks for the pointer!

Matt Richter

Oct 4, 2016, 4:35:20 PM
to Vault
We're now using https://github.com/ChannelMeter/vault-gatekeeper-mesos alongside vault inside our mesos/marathon cluster to set granular policies per app/task. 