Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kong / Kuma Community / 10 Aug 2022
Kong / Kuma Community / 10 Aug 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kuma Community Call - August 10, 2022

Description

In this call, we discussed the following:
- Upcoming release Kuma 1.8.0
- Kuma + NSM integration

A

uh Hello, everyone welcome to the kumar community called.

A

I think you see the document. Please add your name to the attend list and also feel free to submit any agenda topics you would like to discuss today. um Yeah. We will start with the shortly mentioning of the upcoming release. It's going to be 1.8 next week. We want to release this. um Full list of changes will be available. I guess next week so yeah not much to say about that.

A

Next thing is a q, a kuma and msm integration, uh daniel or which sloth who wants to take a lead. uh Wichita is going to present something. Oh nice. um Do you want to shut screen.

B

No, it's just. uh We are currently still working on the integration.

B

We have achieved a working use case with universal, comma and nsm, but it is just too over complicated and we are trying to simplify it by using uh default comma, instead of universal.

B

So at the moment we want to implement this scenario that is provided by the link. It should be a diagram, so it will be a little bit clear for everyone else what it is and uh we'd like to get bootstrapped with kumar authorization, and could we ask someone who can help us offline with our questions related to authenticification and authorization.

A

Yeah sure I mean you can ask to the community or development we have development channel in the slack or you can ask me directly and I can try to figure something out, but usually it's development, channel. Okay,.

B

Thank you.

A

Yeah about the diagram- sorry I just opened it. Do you want to give some details.

B

uh Yeah, it is the the tutorial that is uh on inside the docs on kuma dot io, uh so we are using. uh We want to use kuma control, plane configuration and two deployments that have msm interfaces, which should allow us to communicate from cluster 2 to cluster 1..

B

So currently, I am trying to use the authentication to access, so the common sidecar on the second cluster should again access the control plane.

B

Yes, I must.

A

Have.

B

Some kind of problems- maybe it is related to tokens, maybe to something else. So maybe I will ask questions once I will figure them more clearly.

A

Okay, so use case you're trying to support is to connect um instance, site car from cluster 2 to the control plane, control plane from cluster one. Is it correct? Yeah, okay and uh you don't imply that there is like flat network. It could be, uh I mean, oh, no, I think are they in the same network. I mean this workload, one and workload. Two.

B

Yes, there is three ports, one of one should be kuma control plane. The second one will be radius with kuma side car and the third one is demo up with kumasata. Also all three of them have uh network nsn clients.

B

So all all three of them should have uh the same uh nsm interface and should be in the same network.

A

I see okay, um does anyone have questions for this slide.

A

Yeah, uh thank you which life it was really interesting to hear. What's going on with ns7 como integration, I hope to see what in the future okay, so um we have greg for kuma and vault plugin craig. Do you want to share screen.

C

Yeah sure thing, let me see so as a little bit of preface we kind of are gonna, so me and nick. um So I have nick jackson as well from hashicorp on the uh on the call and uh nick and I have been working on this, this concept for uh one of the sessions for uh the um the kong summit and uh and so what we we were in some discussions, and we were talking about kuma and and and deploying it out and I've been working with, and I was like you know.

C

I think that uh managing the secrets of the vault plug-in would be a really cool cool topic and also just a thing for groups that already have vault in place and are looking to to to do that. So um I have been kind of talking with jacob as well and and and we've pushed in some different features to make sure that uh that this will will work well, but we kind of are uh we're in the process of working on it and dimming it.

C

So let me share out, let's see if I can do this right, because I am working on two macs at the same time. So I'm removing in from one to another. Let's see it will even let me.

B

Here we go.

C

All right all right, so um so the the crux of what we are doing here is we wanted to allow um allow the ability for puma um data, plane and user tokens to be managed um with hashicorp vault, and so um what we did was we.

C

uh We originally actually went down the road of leveraging a uh the database secret store that, as we kind of got into that it didn't quite mesh exactly with what we were looking for with um the way the secrets uh went for it, so we actually had found another project that was doing something with another api and kind of bootstrapped off of it in order to to derive kind of our own secrets, engine uh mechanism, for that, so what kind of and actually, if any of you guys want to go to the this and take a look and make comments or contribute, or whatever it's under my github gregory hunt, slash vault dash, plugin kuma, um so you guys can can go there and dig in if you want um so what we.

C

uh So all. On top of this, what we do is we we're building this on top of uh that, this specific plug-ins testing and stuff? On top of shipyard, which is um a demoing tool that uh nick and eric bell also actually court built uh in order during their time of uh doing a lot of demos and kind of building out things like this. So it's a way to manage document, docker, spin-up environments and stuff, like that.

C

So um that's kind of we built that on top, but as we so, let's go into some rambling, um so we dug into uh the core of the plug-in. Is um we are leveraging uh this kuma um the secret engine in the back and we're storing um the kuma token, revocation renewals and what we're doing is. We are balancing all of these different pieces that you would use for requesting a token and we're having hashicorp vault handle that for us, so you can use any off method.

C

You want in order to authenticate against vault and then vault will handle all of the interactions to and from the api. So you would create an admin token. Take that admin token set it into the config of vault and then it could then broker all the tokens for you based off of the roles that you've set up involved.

C

It can also manage um the the uh the lease of the token, so you get a default. So when you set up a role, you get a a standard ttl of how long that token it lives.

C

It also will give you a max ttl, and so, when we provision the kuma token, we provision that token with the max ttl life and the user will have to then refresh that token, when their ttl expires or vault will actually add that to the revocation list and no longer allow you to use that token and obviously, once you get to the end of the lifetime, you'll have to request the max ttl you'll need to request token.

C

um So that is a crux of what we're doing here and um here's the different pieces, if you guys have some questions um of what what kind of what we're doing and nick, if you want to add some better verbiage.

D

I can, um I can show it in action if you, if you like,.

C

Yeah, let's do that.

D

um Let me just quickly show you, um okay, bear with me one. Second, let me just quickly reset um reset my demo.

D

All right, so the way that vault works is that you authenticate against vault. You have policy assigned to you and with that policy you can request secrets. So a secret involved in this instance is a kuma data plan or a coma user token.

D

So, in order to control who has the ability to request those secrets or generate those secrets, you have policy so, for example, here's a simple policy, so I'm saying that I'm going to create this policy sorry um create this. This role, which would be title policy and the the roles called kumar roll that is going to allow me to generate tokens, data, plane, tokens and kuma with the name of back end one for the mesh default with these given tags now.

D

So this would obviously be with a was part of the automated process of when you deploy your your data plane. So you don't need to worry about putting the data plane token onto your virtual machine or whatever it is. You basically can then just use cloud metadata like aws, swap that for vault token vault gives you the data plane. Token and importantly, the data plane token has a time to live so in the instance that you you want to run like short-lived tokens.

D

More specifically, I suppose for user tokens is useful, but you can say that after 30 seconds, this token is no longer valid up to a maximum of renewal period of of two minutes, so I'm just using really short numbers here for for the purpose of the demo.

D

So if I let me just uh restart my vault instance and I'll I'll kind of very, very quickly show you what's what's going on. This will just take 30 seconds. Oh so there we go. Let's start yeah nope, that's just restarting.

B

Okay,.

D

There we go right so volt I've got vault running running here. So what I'm going to do is I am going to enable the the kuma um die, I'm going to enable the the kuma secrets engine in vault. Now you could be using.

D

Any vault instance for this. It just uses a plug-in, so I enable that engine then what I can do is I create a configuration now. Let's have a have a quick, um a quick look at the configuration here, but the the configuration basically is that I'm going to write um the configuration I'm specifying the rules that can be used by this configuration, the url of kuma's data plane and an administration token that we can use.

D

So let me just uh why did I do that? Let me just.

D

Set this up.

D

So so I've done that so now, vault is configured with a coomer admin token. So now what I want to do is I want to to generate a role, so I'm actually just going to go and um generate this role here.

D

So let me just do that.

D

So that's that's my role created so now I've got a role. Now I've got the auth method. I can now generate a token so to generate a token you've got to be authenticated in vault.

D

um Then you ask vault to give you a cooma token, so I'm just going to use the vault read command and this can be also api. You can use volt agent, I'm saying kuma cred the name of my role, which is my kuma role and the token name which is backend one and there's my my token. So what bolt has done is it's hit the kuma api.

D

It's used, the admin token that's stored securely in the configuration and it has generated me a kuma jwt for data plane, uh jwt, util, uh decode, jwt and then.

D

The code jwt and now you can see this is the the token that it's been it's been generated. So it's it's been named scoped to the name of the data plane and since backend one it's got the the tags, and importantly it has a um an expiry. Now.

D

The cool thing is that this data plane token is short-lived, so vault when the the, when the kind of the, if you don't keep renewing the token, which is an automated process, vault's going to delete it for you and it'll it'll revoke the token for you and the ttl on this was 30 seconds. So you can see that vault has actually revoked this.

D

So just in the logs here um there's I mean it's logs, so there's nothing exciting to see, but you can see that um the token hasn't expired, but I I've asked vault to revoke it. For me, it's revoked it. So again it has hit the um the kuma api yeah and it's added the jti to the data plane, revocation secret. So now that token has been being deleted.

D

So you can, you can either let tokens expire by you know not having this renewal process or you can have a break glass procedure where I'm like that token has to be deleted, or all of these tokens need to be deleted because there's been a a breach or something like that or it's leaked into github.

C

When he called when he called that original read, it gave you a lease. It gives you a lease id that lease id is tied to that token. So, with that lease yeah there you go, you could manually revoke it with that lease, but also as an admin. You could revoke all the leases for a specific role. So if, for some reason, assert there's you know, there's a bad actor or you think, there's a bad actor.

C

You can completely wipe all the leases and they'll have to re-authenticate, and that would then add all those to the replication lists um at that point in time. So with this all right, so with this one of the things that we are continuing to build out on and we were kind of working before this, his call is the next step.

C

Is that, because of the way that the revocation lists are handled as secrets in kuma, um we probably should manage the cleanup of those so um the way we're storing the secret for each user that requested, underneath that lease we're also storing the expiration date with that that jti, so that we will be able to run a process, a kind of a garbage collection every.

C

So often that will look for expired jtis and then remove those from the revocation list, since they would no longer be able to authenticate with them anyway, once they've expired for a certain period of time,.

D

Yeah and just as a kind of a another example there, what I've um I've just done is I've just generated a user token yeah. So you can see the the user token here, um I'm an admin token. But again I can specify what groups in exactly the same way as I did with the the role yeah, but for nick um and then I can use that to interact with the akuma api. So I'm gonna, I'm just gonna, use my token that I've just minted there to actually just delete a secret in kumar.

D

So you can see that that token um is working and and like from from the user token perspective. The benefit is that as a user, you authenticate using something that you have ldap credentials, github credentials um like whatever it is. It's uh personal to you against vault vault allows you access to secrets.

D

Vault then manages that that secret for you, so if I accidentally commit my uh user token to github, if I don't keep renewing it, vault's going to delete it for me after um after a certain period of time or you just use super short ttls, because you know you can easily meant new tokens and it's um it's just a hopefully a useful, a useful thing for you.

D

Yeah.

C

And also, we added some validation in there, as we were digging through it, that um uh data plane tokens use, tags and user tokens use groups. So when you create a role you can you have to you, you can't specify both you can specify a role, can either have tags and be for a service, or it can have groups and be for a user. um If you try to do both it'll throw out throughout an era there. So.

B

I have a question, so is this volt plugging sorry, I am I'm a little bit late. I had I had another meeting, but uh is this volkswagen also support uh issuing the user tokens? Yes,.

C

Yes, that's what he just did he just issued the user.

B

Okay. Okay, sorry, I missed this part. Okay and.

C

You would tie that policy, so you would create policies that you could add users to or groups of users through your authentication method, and then those policies would allow you to read the specific roles that you've created. So you could create a plethora of roles that are mapped to a specific set of groups and then based on their authentication method. They would be able to read those tokens when they read that it issues it.

C

It would then go and request it through the kuma api and issue it um so yeah, and all that you know it's very configurable with ttls and max lifetime. All of that you can configure right in your uh when you create the role, how long you want those to be and that gets translated over to when it you know, get or request the token from kuma.

D

And the vault's internal role and security policy will stop you from doing things like generating tokens that you don't have access to. So if I try and um generate a user token for greg, it's like you know, you can't, because you only have the capability to generate user tokens for called dick and, um and that goes for for all of the other, the other elements in there as well.

D

So it's yeah, you know it it's an additional layer of of um of security to just kind of lock things down in a super granule super granular way, but but yeah there's. This is a. This is a user token that I've um I've just uh generated.

C

And we've, like a few things on our list, to add on to that which are um the the garbage collection and then the next thing that we want to add in there is the ability for the um the engine to rotate its own admin secret. So you would create a short-lived admin secret to actually create the plugin, and then we could trigger a request in there to have vault rotate its own secret.

C

So it is the only one who knows that root admin secret um so that even there that takes that layer that you know prevents that from being, you know, leaked as well. So you can use that in like a cicd process, and then you could tell it to rotate its own secret and then that initial secret is no longer valid because we added to the revocation list and um and handle it just like that with a new add-on security. Yeah.

D

So when you're bootstrapping a cluster you can, you can basically generate that bootstrap certificate and store it in vault. Vault will rotate it and then you just delete it, and if you want to get a user token to interact with kuma, you ask vault to generate you want, and nobody has the.

C

Keep to the kingdom.

D

Yeah except except vaults, and then yeah switch.

B

Well about this one, uh you still have a signing in the control plane right to validate the shotguns right. Yes, yes, and from the signing key, you can easily generate any token. You want right so.

C

Yeah yeah yeah correct.

B

Correct.

C

Yeah yeah so.

D

So some.

C

Of the things.

D

You have to have access.

C

To the server right to the controller right right: okay, yeah yeah, you have to be localhost to the control plane, yeah.

D

Yeah, I mean we're, not sorry, go ahead. Yeah, we can't solve solve all of those things that has to be. You have to define your own, your own perimeter, but what it means is you don't have to hand around admin tokens to to absolutely everybody you can you can use group scoped tokens and then somebody has to have trust, but you know that's generally, just the the cluster operator as opposed to the cluster user.

B

True, although, although we could go extra mile here, right, uh yeah.

C

We talked about this yeah yeah.

B

I'm very interested yeah.

C

The evolution of this is, and we'll do this- maybe tackle this after the kong summit. The evolutionist is completely abstracting the uh the authentication and token minting out of kuma, and only getting kuma the uh the the public key for verification process and then have something like vault pki or something like that. Completely mint handle everything so yeah.

D

Or alternately uh you could have vault manage the just the signing keys and the the signing key would be would be stored within within vault, but we'd we'd have to write. um You know with with specification if it would be of interest to um to to to find some plugins for okuma, but um it's uh hopefully useful.

B

Yeah yeah, it is, it looks, looks very nice one more question here. I can see the url. There is http 5681.

B

You also support https calls to the h2 server with a ca verification.

D

We not, we will um okay, so not uh not in this demo, but um we will. We will, because what we need to be able to do in the config as well is to be able to store the the ca oh yeah, um when I originally set this up. I was just bootstrapping um kuma with the default setup, I'm actually bootstrapping kumar in my dev set up here with with a certificate. So um I could add that in oh.

C

Yeah, we could inject that in there from the certificate yeah you just added in yeah. That's true! So.

D

Yeah 100 um 100 we will, we will support http and https, which would be our encouraged um method of interaction.

A

Yeah.

D

We could even make that a default. To be honest with you, I don't know.

B

Okay, awesome.

C

Is there.

B

Is there reaper open.

C

Yes, yeah yeah yeah, you can go. Take a look it's at uh here, I'll link it in um yeah feel free to you know. Do issues make comments guys as much as you want. uh One thing we did do actually not on the secret side, but on um um the the token side is we actually incorporated the uh the kumo ctl library, because the the go the vault plugin is also uh just a go: a go execu. You know execution of that.

C

So we actually um imported in that in order to uh manage some of that, and then we were just me and nick were just talking this morning that the the secret saudi he started digging into the resources and exactly wasn't sure exactly how the the kumo ctl um you know, module or package was interacting with the secrets, um but here we go.

C

And you should get. uh We haven't added this to the readme, but you should, uh uh if you want to use the shipyard, the testing and stuff with that it uses shipyard which is shipyard.run, that that's um take a look at that too that'll uh yeah.

D

Just a little a little single binary that just automates a bunch of stuff in docker, it's kind of like docker compose but with dependency yeah, it doesn't doesn't do anything else.

C

I'll post that as well just so that.

D

So when you, when you're looking at the repo, we do have a full set of functional tests. Well, apart from the revocation which we just finished off this morning, um there's not many unit tests yet, but uh we've because we've been kind of like basically poking the bear to try and work out how it it needs to growl.

D

But before we make this kind of released and we cut a release of it, we'll it'll have full test coverage. So don't um don't fear that that's incredibly important for something like a vault plug-in that it's fully tested.

C

That's even funnier, nick because kuma is very japanese.

B

Yeah.

C

It's a it's a very short right.

B

So you have like different meanings in different languages.

A

Yeah, okay, I think we out of time, so maybe we should wrap this up. So thank you. Everyone have a great day and see you next time. Bye. Thank.

B

You.