This is a proof-of-concept CA rotation project to complement the Kafka Summit talk titled "Securing Kafka at Zendesk" that I gave at Kafka Summit 2020.
To run this project you will need docker-compose installed on your computer. You will also need Terraform. There is a .terraform-version file in the terraform folder, so I recommend using Terraform Version Manager (tfenv); once tfenv is installed you can run

    tfenv install

to install the required version of Terraform.
How to run
In one terminal tab, tail the logs of consul-template:

    docker-compose logs -f consul_template

Initialise the terraform project and apply it with the following:

    cd terraform
    terraform init
    terraform apply
Keep an eye on the consul-template logs; you will soon see that it has generated a service certificate from the current root (Root A).
At this point you can follow the demo from the talk to introduce a new root (Root B) and then swap the roots, while inspecting the consul-template logs to verify that it is following the changes in the consul key. Or you can continue following along here.
- Introduce the new root (Root B). I have added the necessary code for adding a new root, so you can just do the following:

      git checkout introduce-new-root-b
      terraform apply # type yes when prompted

  As soon as you press enter, you should see consul-template regenerating certificates in the logs.
- Now we can swap the roots using the following commands:

      git checkout swap-roots
      terraform apply # type yes when prompted

  You will see consul-template regenerating the service certificate from the new root, Root B.
- Now we can remove the old root from the list of secondary issuers:

      git checkout remove-old-root-from-secondary-issuers
      terraform apply # type yes when prompted

- We can also now remove root-a from Vault:

      git checkout remove-old-root-from-vault
      terraform apply # type yes when prompted
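The order of the four steps above is what keeps every running service verifiable throughout the rotation. The following is an added model of that sequence, not code from this project: it tracks which roots Vault holds, which root consul-template issues from, and which roots clients trust (here assumed to be what the "secondary issuers" list represents), and after every step it checks that every live service certificate still chains to a trusted root and that the active issuer is both in Vault and in the trust bundle. It also runs the steps in the wrong order (dropping Root A from the trust bundle before swapping issuers) to show the check catching the break. Names such as root-a, root-b and kafka-broker are constructed.

```python
"""Model of the Root A -> Root B rotation described in the README.

Added example, not part of the original project.  Root and service
names are constructed; the real setup stores the bundle in Consul/Vault
and consul-template renders certificates from it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # name of the root that signed this certificate


@dataclass
class Pki:
    roots_in_vault: set            # roots Vault can still issue from
    active_issuer: str             # root consul-template issues from
    trusted_roots: set             # bundle clients verify against ("secondary issuers")
    issued: dict = field(default_factory=dict)

    def issue(self, subject):
        """consul-template regenerating a service cert from the active root."""
        self.issued[subject] = Cert(subject, self.active_issuer)

    def chains_to_trusted_root(self, cert):
        return cert.issuer in self.trusted_roots

    def check(self):
        """Invariants that must hold after every rotation step."""
        untrusted = [c.subject for c in self.issued.values()
                     if not self.chains_to_trusted_root(c)]
        if untrusted:
            raise RuntimeError(f"certs no longer trusted: {untrusted}")
        if self.active_issuer not in self.roots_in_vault:
            raise RuntimeError("active issuer is not present in Vault")
        if self.active_issuer not in self.trusted_roots:
            raise RuntimeError("active issuer is not in the trust bundle")


# The four README steps.  Each one re-issues because consul-template watches
# the consul key and regenerates the service certificate on every change.

def introduce_root(pki, root):
    pki.roots_in_vault.add(root)
    pki.trusted_roots.add(root)   # clients trust B before anything is issued by it
    pki.issue("kafka-broker")     # still signed by the old active root
    pki.check()


def swap_roots(pki, new_active):
    pki.active_issuer = new_active
    pki.issue("kafka-broker")     # now signed by the new root
    pki.check()


def remove_from_secondary_issuers(pki, root):
    pki.trusted_roots.discard(root)
    pki.issue("kafka-broker")
    pki.check()


def remove_root_from_vault(pki, root):
    pki.roots_in_vault.discard(root)
    pki.issue("kafka-broker")
    pki.check()


def fresh_pki():
    pki = Pki(roots_in_vault={"root-a"}, active_issuer="root-a",
              trusted_roots={"root-a"})
    pki.issue("kafka-broker")
    return pki


def rotate_in_readme_order():
    """Introduce B, swap, drop A from the bundle, drop A from Vault."""
    pki = fresh_pki()
    introduce_root(pki, "root-b")
    swap_roots(pki, "root-b")
    remove_from_secondary_issuers(pki, "root-a")
    remove_root_from_vault(pki, "root-a")
    return pki


def rotate_in_wrong_order():
    """Drop A from the bundle before swapping: the broker cert is still
    signed by A, so the check fails.  Returns the error message."""
    pki = fresh_pki()
    introduce_root(pki, "root-b")
    try:
        remove_from_secondary_issuers(pki, "root-a")
    except RuntimeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    final = rotate_in_readme_order()
    print("after rotation:", final.active_issuer, final.trusted_roots)
    print("wrong order   :", rotate_in_wrong_order())
```

Against the real stack the same property is what you confirm by hand while watching the consul-template logs: the regenerated certificate must verify against the bundle clients currently trust, for example with `openssl verify -CAfile <bundle.pem> <service-cert.pem>`, both before and after each `terraform apply`.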
Feel free to raise PRs or issues if you have questions, comments, or anything to add.