Remove boundaries with Boundary

Remove boundaries with Boundary

Article last updated: Oct 31, 2020

Introduction

Hashicorp Boundary is a product in its infancy that is meant to allow for simple and secure remote access to your private hosts. An evolved version of SSH bastions and VPNs allowing RDP, SSH, Postgres and other commands to be easily used. At the moment, Boundary allows for several key management services (KMS) like OCI KMS, AWS KMS, etc; however, this article will focus using Vault, another product from Hashicorp. We could use authenticated encryption with associated data (AEAD), but this is recommended only for development. I personally want to use this on a production level, so I opted for Vault transit.

So, at the heart of Boundary, there are several key components, obviously the KMS, but also workers, controllers and listeners. In the example below, I place all in one config.hcl. Boundary does allow for high availability (HA), but I will just be placing everything into a simple docker-compose.yml.

So let's begin installing and configuring Vault and Boundary? Although, I will be writing another article that focuses on the configuration of Boundary specifically with Terraform. Therefore, I want to emphasize that this article is on configuring both Vault and Boundary to be able to start up Boundary!

Configuration

Vault

Going directly to the docker-compose.yml, which is incomplete, contains Vault, Consul, Boundary and Postgres. You could use Traefik as a reverse-proxy, but I do not provide that here.

docker-compose.yml
version: '3.8'

x-logging:
  &default-logging
  driver: "json-file"
  options:
    max-size: "10m"
    max-file: "3"

networks:
  bastion-net:
    driver: bridge

services:
... traefik

  vault:
    image: vault:1.5.5
    container_name: vault-techdev
    restart: always
    environment:
      VAULT_LOCAL_CONFIG: '{"backend": {"consul": {"address": "consul:8500", "path": "vault/"}}, "listener": {"tcp":{"address": "0.0.0.0:8200", "tls_disable": 1}}, "ui": true}'
      VAULT_ADDR: http://127.0.0.1:8200
      VAULT_API_ADDR: http://127.0.0.1:8200
    command: server
    cap_add:
      - IPC_LOCK
    ports:
      - 8200:8200
    volumes:
      - /docker/data/vault/data:/vault/data
    depends_on:
      - consul
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault.rule=Host(`xxxx`)"
      - "traefik.http.routers.vault.entrypoints=websecure"
      - "traefik.http.routers.vault.service=vault"
      - "traefik.http.services.vault.loadbalancer.server.port=8200"
      - "traefik.http.routers.vault.tls.certresolver=myresolver"
    networks:
      - bastion-net
    logging: *default-logging

  consul:
    image: consul:1.8.5
    container_name: consul-techdev
    restart: always
    environment:
      CONSUL_LOCAL_CONFIG: '{"datacenter": "localhost", "data_dir": "/consul/data", "log_level": "DEBUG", "server": true, "ui": true}'
    command: agent -server -bind 0.0.0.0 -client 0.0.0.0 -bootstrap-expect 1
    ports:
      - 8500:8500
    volumes:
      - /docker/data/consul/data:/consul/data
    networks:
      - bastion-net
    logging: *default-logging

  boundary:
    build:
      context: /docker/docker/boundary/
      dockerfile: Dockerfile
      args:
        - ALPINE_VERSION=3.12
        - BOUNDARY_VERSION=0.1.1
    container_name: boundary-techdev
    restart: always
    environment:
      POSTGRES_HOST: postgres
      PORTGRES_PORT: 5432
      PORTGRES_DATABASE: xxxx
      PORTGRES_USERNAME: xxxx
      PORTGRES_PASSWORD: xxxx
    cap_add:
      - IPC_LOCK
    ports:
      - 9200:9200
      - 9202:9202
    depends_on:
      - postgres
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.boundary.rule=Host(`xxxx`)"
      - "traefik.http.routers.boundary.entrypoints=websecure"
      - "traefik.http.routers.boundary.service=boundary"
      - "traefik.http.services.boundary.loadbalancer.server.port=9200"
      - "traefik.http.routers.boundary.tls.certresolver=myresolver"
    networks:
      - bastion-net
    logging: *default-logging

  postgres:
    image: postgres:12.2
    container_name: postgres-techdev
    restart: always
    environment:
      POSTGRES_USER: xxxx
      POSTGRES_PASSWORD: xxxx
      POSTGRES_DB: xxxx
    stop_grace_period: 1m
    volumes:
      - /docker/data/postgresql/data:/var/lib/postgresql/data:rw
    networks:
      - bastion-net
    logging: *default-logging

In a nut shell, we are using Consul as a backend to Vault. Both Vault and Consul are both running in server mode with the config provided in the environment variables VAULT_LOCAL_CONFIG and CONSUL_LOCAL_CONFIG, respectively.

To prepare Vault, we need to initialize it. To do so, assuming you are using Traefik, go to the Host that you designated in the Traefik configuration, or try to access Vault on localhost:8200. Immediately you will be asked to initialize Vault. I usually use 5/3. Five keys produced with three required for unsealing. Make sure to download the json with the keys as it also contains your master/admin token along with all keys generated.

Assuming you are now able to log into Vault with your master token we can begin to create a transit secret. The easiest way is to create a transit secret engine from the UI. However, you could use the following commands to do the same.

vault login -address "https://xxxx" s.xxxx
vault secrets enable -address "https://xxx" transit

We also need to create three transit keys: boundary-root, boundary-worker-auth and boundary-recovery (not mandatory). Again you can do this easily through the UI or via CLI.

vault write -address "https://xxxx" -f transit/keys/boundary-root
vault write -address "https://xxxx" -f transit/keys/boundary-worker-auth
vault write -address "https://xxxx" -f transit/keys/boundary-recovery

The following policy needs to be created as well:

boundary-kms-transit-policy
# boundary-recovery
path "transit/encrypt/boundary-recovery" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-recovery" {
  capabilities = ["update"]
}

# boundary-worker-auth
path "transit/encrypt/boundary-worker-auth" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-worker-auth" {
  capabilities = ["update"]
}

# boundary-root
path "transit/encrypt/boundary-root" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-root" {
  capabilities = ["update"]
}

And finally create a token that Boundary will eventually use:

vault token create -address "https://xxx" -policy boundary-kms-transit-policy

Boundary

Now let's focus on Boundary. I created a custom Dockerfile although quite recently Hashicorp released a dockerhub image as well.

Dockerfile
ARG ALPINE_VERSION=3.12
FROM alpine:${ALPINE_VERSION}
LABEL authors="Jesse Quinn <me@jessequinn.info>"

ARG BOUNDARY_VERSION=0.1.1
ARG BOUNDARY_USERID

ADD https://releases.hashicorp.com/boundary/${BOUNDARY_VERSION}/boundary_${BOUNDARY_VERSION}_linux_amd64.zip /tmp/
#ADD https://releases.hashicorp.com/boundary/${BOUNDARY_VERSION}/boundary_${BOUNDARY_VERSION}_SHA256SUMS      /tmp/
#ADD https://releases.hashicorp.com/boundary/${BOUNDARY_VERSION}/boundary_${BOUNDARY_VERSION}_SHA256SUMS.sig  /tmp/

WORKDIR /tmp/

COPY run-boundary.sh /bin/run-boundary.sh

ENV BOUNDARY_VERSION=${BOUNDARY_VERSION} \
    BOUNDARY_USERNAME="boundary" \
    BOUNDARY_USERID=${BOUNDARY_USERID:-1051}

#RUN apk --update add --virtual verify gpgme \
# && gpg --keyserver pgp.mit.edu --recv-key 91A6E7F85D05C65630BEF18951852D87348FFC4C \
# && gpg --verify /tmp/boundary_${BOUNDARY_VERSION}_SHA256SUMS.sig \
# && cat boundary_${BOUNDARY_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c \
# && apk del verify \
RUN apk --update --no-cache add curl tini libcap bash python3 openssl net-tools ca-certificates \
 && adduser -D -u $BOUNDARY_USERID $BOUNDARY_USERNAME \
 && unzip boundary_${BOUNDARY_VERSION}_linux_amd64.zip \
 && mv boundary /bin/ \
 && chmod +x /bin/run-boundary.sh /bin/boundary \
 && mkdir /boundary /boundary/ssl /boundary/config \
 && rm -rf /tmp/* \
 && rm -rf /var/cache/apk/* \
 && setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))

RUN chown -R $BOUNDARY_USERNAME /boundary /bin/boundary /bin/run-boundary.sh

WORKDIR /

EXPOSE 9200 9202 9201

USER $BOUNDARY_USERNAME

ENTRYPOINT ["/sbin/tini", "--", "/bin/run-boundary.sh"]

I use tini as an init to run our entrypoint script run-boundary.sh:

run-boundary.sh
#!/usr/bin/env bash

if [[ -z ${POSTGRES_HOST} ]]; then
    export POSTGRES_HOST=postgres
fi
if [[ -z ${PORTGRES_PORT} ]]; then
    export PORTGRES_PORT=5432
fi
if [[ -z ${PORTGRES_USERNAME} ]]; then
    export PORTGRES_USERNAME=xxxx
fi
if [[ -z ${PORTGRES_PASSWORD} ]]; then
    export PORTGRES_PASSWORD=xxxx
fi
if [[ -z ${PORTGRES_DATABASE} ]]; then
    export PORTGRES_DATABASE=xxxx
fi

if [[ ! -f /boundary/config/config.hcl ]]; then
    cat <<EOF > /boundary/config/config.hcl
disable_mlock = true

controller {
  name        = "demo-controller-1"
  description = "A controller for a demo!"

  database {
    url       = "postgresql://${PORTGRES_USERNAME}:${PORTGRES_PASSWORD}@${POSTGRES_HOST}:${PORTGRES_PORT}/${PORTGRES_DATABASE}?sslmode=disable"
  }
}

worker {
  name        = "demo-worker-1"
  description = "A default worker created demonstration"
  controllers = [
    "0.0.0.0",
  ]
  address     = "0.0.0.0"
  public_addr = "xxxx"
}

listener "tcp" {
  address       = "0.0.0.0"
  purpose       = "api"
  tls_disable   = true
}

listener "tcp" {
  address       = "0.0.0.0"
  purpose       = "cluster"
  tls_disable   = true
}

listener "tcp" {
  address       = "0.0.0.0"
  purpose       = "proxy"
  tls_disable   = true
}

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "transit" {
  purpose         = "root"
  address         = "https://xxxx"
  token           = "s.xxxx"
  disable_renewal = "false"

  // Key configuration
  key_name        = "boundary-root"
  mount_path      = "transit/"
  namespace       = "ns1/"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "transit" {
  purpose         = "worker-auth"
  address         = "https://xxxx"
  token           = "s.xxxx"
  disable_renewal = "false"

  // Key configuration
  key_name        = "boundary-worker-auth"
  mount_path      = "transit/"
  namespace       = "ns1/"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "transit" {
  purpose         = "recovery"
  address         = "https://xxxx"
  token           = "s.xxxx"
  disable_renewal = "false"

  // Key configuration
  key_name        = "boundary-recovery"
  mount_path      = "transit/"
  namespace       = "ns1/"
}
EOF
fi

/bin/boundary database init -config /boundary/config/config.hcl
/bin/boundary server -config /boundary/config/config.hcl -log-level debug

So as you can see there are three (3) KMS blocks in the config. You may add your token that you just generated to each KMS block. Now you can see that we also have a Worker, Controller and several Listener blocks. The controller stanza requires the root and worker-auth KMS blocks and a Postgres database. Our docker-compose.yml contains this already. For the Worker it is important to include the public_addr. If not included you may not be able to connect to Boundary. In addition, the IPs that are provided as controllers that are found in the Worker block must be the same as those of the Listener of type cluster. Finally, we have three types of Listeners, Api, Proxy and Cluster. Api and Proxy are important as those are the ports we will be using to connect to. That is to say ports 9200 and 9202. Cluster is an internal thing and uses the port 9201.

So now you can do a docker-compose up --build -d and make sure to record the information that Boundary spits out from the database migration. It contains your master password etc. docker-compose logs -f boundary will show you the logs that contain the information you need to record.

Now you should be able to log into your Boundary setup with admin / some password.

In my next article, I will talk about Terraform and the Boundary provider.

Final Words

So far so good with Boundary. However, I am still waiting on using Vault to store keys etc so I do not need to include them when SSHing into a host. But I have to say that Boundary is very stable. I can jump on and off of a VPN and the session will remain! Anyhow, I have just started with Boundary, and I still have a lot to learn about it.