WO2023038768A1 - Management of secrets during deployment of virtual environment - Google Patents
Management of secrets during deployment of virtual environment Download PDFInfo
- Publication number
- WO2023038768A1 WO2023038768A1 PCT/US2022/040680 US2022040680W WO2023038768A1 WO 2023038768 A1 WO2023038768 A1 WO 2023038768A1 US 2022040680 W US2022040680 W US 2022040680W WO 2023038768 A1 WO2023038768 A1 WO 2023038768A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secrets
- deployment
- virtual machines
- sdf
- computing environment
- Prior art date
Links
- 238000000034 method Methods 0.000 claims abstract description 45
- 230000006870 function Effects 0.000 claims description 24
- 238000004891 communication Methods 0.000 claims description 19
- 230000000694 effects Effects 0.000 claims description 5
- 102100025957 Interleukin-1 receptor-associated kinase 1-binding protein 1 Human genes 0.000 description 28
- 108050002038 Interleukin-1 receptor-associated kinase 1-binding protein 1 Proteins 0.000 description 28
- 238000005516 engineering process Methods 0.000 description 10
- 238000007726 management method Methods 0.000 description 9
- 238000013500 data storage Methods 0.000 description 7
- 230000003287 optical effect Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000006855 networking Effects 0.000 description 5
- 230000009466 transformation Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 4
- 230000001413 cellular effect Effects 0.000 description 4
- 230000002093 peripheral effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000000844 transformation Methods 0.000 description 4
- 230000001133 acceleration Effects 0.000 description 3
- 230000036541 health Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 239000004065 semiconductor Substances 0.000 description 3
- 238000001514 detection method Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 239000004744 fabric Substances 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000010200 validation analysis Methods 0.000 description 2
- PAYRUJLWNCNPSJ-UHFFFAOYSA-N Aniline Chemical compound NC1=CC=CC=C1 PAYRUJLWNCNPSJ-UHFFFAOYSA-N 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 239000003990 capacitor Substances 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000013501 data transformation Methods 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 229920001690 polydopamine Polymers 0.000 description 1
- 238000013515 script Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 229920000638 styrene acrylonitrile Polymers 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000001131 transforming effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Definitions
- Service providers can provide computing services to businesses and individuals as a remote computing service or provide “software as a service” (e g., cloud computing).
- users may deploy products and services from service providers on their own premises.
- resources such as virtualized resources
- various issues may arise, resulting in deployment delays which in turn can prevent the customer from providing services to their downstream users. This can lead to lost revenue and customer dissatisfaction.
- Production loss and inefficiencies with respect to computing resources can be exacerbated when configuration issues arise and the service provider is unable to quickly isolate and correct the cause of a misconfiguration issue.
- the disclosed embodiments describe technologies for efficiently coordinating secrets across various virtual machines (VMs) using a service that is configured to perform a deployment or upgrade sequence required to perform the deployment or upgrade.
- Various embodiments disclosed herein describe techniques for implementing a VM deployment/upgrade service that is configured to validate secrets across a set of VMs or containers that need to work together during an upgrade or deployment.
- the service may autogenerate secrets so that the user does not need to supply them.
- the described techniques can allow for a service provider or customer to more efficiently deploy computing resources while maintaining efficient use of computing capacity such as processor cycles, memory, network bandwidth, and power.
- the described techniques enable service providers to manage secrets by providing cross-product infrastructure that supports the secure storage, retrieval, and rotation of secrets.
- FIG. l is a diagram illustrating an example architecture in accordance with the present disclosure
- FIG. 2 is a diagram illustrating an example architecture in accordance with the present disclosure
- FIG. 3 is a diagram illustrating an example architecture in accordance with the present disclosure
- FIG. 4 is a diagram illustrating an example architecture in accordance with the present disclosure.
- FIG. 5 is a diagram illustrating an example architecture in accordance with the present disclosure.
- FIG. 6A is a flowchart depicting an example procedure for managing secrets in accordance with the present disclosure
- FIG. 6B is a flowchart depicting an example procedure for managing secrets in accordance with the present disclosure.
- FIG. 7 is an example computing system in accordance with the present disclosure.
- the disclosed embodiments describe technologies for efficiently coordinating secrets across various virtual machines (VMs) or containers using a service that is configured to perform a deployment or upgrade sequence that is required to perform the deployment or upgrade.
- VMs virtual machines
- a microservices architecture typically relies on the platform / infrastructure, for example, to coordinate and deploy or manage upgrades of software across a large pool of virtual machines/containers providing that service.
- many services are built around Kubernetes for providing such processes.
- the microservices are packaged as VMs that may in turn run on potentially different clouds (e.g., on VMware, vSphere, or OpenStack), there is no easy way to efficiently perform the deployment or upgrade process.
- upgrading a virtualized network function may involve upgrading various VNFCs, each of which may comprise a pool of VNFC instances (VNFCIs) or VMs.
- One key issue that can prevent efficient automation is that the steps that must be performed when upgrading a specific VM may vary from VM to VM. As an upgrade typically entails a loss of function because the VM is removed and replaced by an updated version, the steps required to do so in a safe manner may differ.
- the VM may require that other nodes that the VM is communicating with are informed that the VM is going down so that the nodes can reroute traffic or reconnect, or otherwise risk an outage.
- the VM may simply need to complete any current processing to avoid losing data, but otherwise does not need to provide notifications. In other situations, it may be preferable for the VM to be restarted as quickly as possible without any further actions.
- VIM virtualized infrastructure manager
- a VM deployment or upgrade service may be implemented that is configured to perform the deployment or upgrade sequence and handle the steps required for the deployment or upgrade on the VMs and the VIM.
- the VM deployment or upgrade service may be configured to validate secrets across a set of VMs or containers that need to work together during an upgrade or deployment.
- the VM deployment or upgrade service may autogenerate secrets so that the user does not need to supply them.
- the present disclosure may be implemented in a mobile edge computing (MEC) environment implemented in conjunction with a 4G, 5G, or other cellular network.
- MEC is a type of edge computing that uses cellular networks and 5G and enables a data center to extend cloud services to local deployments using a distributed architecture that provide federated options for local and remote data and control management.
- MEC architectures may be implemented at cellular base stations or other edge nodes and enable operators to host content closer to the edge of the network, delivering high-bandwidth, low-latency applications to end users.
- the cloud provider’s footprint may be co-located at a carrier site (e.g., carrier data center), allowing for the edge infrastructure and applications to run closer to the end user via the 5G network.
- a VM deployment or upgrade service may be implemented that is configured to perform the upgrade operations described above.
- the service may be referred to herein as the SIMPL VM.
- the SIMPL VM may be configured to perform operations on each VIM in a microservice-agnostic, VIM-specific way.
- a release package may be generated that contains the software image to be upgraded to, as well as one or more configuration files that can be read by the SIMPL VM.
- the SIMPL VM need not have specific knowledge about a particular microservice. Rather, the SIMPL VM needs only to understand the configuration files in the release package which can declare what health checks to perform, what quiesce steps to take (in an embodiment, these may be Ansible scripts), and what persistent volumes this service has. In an embodiment, YAML configuration files may be used.
- the SIMPL VM can then perform deployment or upgrades, by interspersing the microservice-agnostic, VIM-specific steps that it has received, and the microservice-specific, VIM-agnostic steps, as defined in the release package. For simplicity the steps are illustrated in a sequential fashion. However, at least some of the steps may be performed in parallel (e g., upgrading a n+k cluster, k nodes at a time).
- the SIMPL VM component 110 which may be, for example, a virtual machine, may be deployed in a target environment that includes a VIM 120 and one or more VMs 130 that may further be attached to one or more storage devices 140.
- the SIMPL VM component 110 may receive a microservice software package that may be initiated by an operator 100.
- the operator 100 may send a command to perform an upgrade based on the software bundle.
- the software bundle may include the new version of the software as well as configurations for performing the upgrade as discussed above.
- the configuration format may be human- and machine-readable format which may be automatically or manually generated based on existing documentation and/or user inputs prior to use of the SIMPL VM component 110.
- the SIMPL VM component 110 may be invoked (for example by running a command in a terminal session) and it may read the configuration and receive the uplevel software.
- the SIMPL VM component 110 may upload the uplevel software to the VIM 120. For each VM to be upgraded, the SIMPL VM component 110 may perform a health check, and perform a quiesce or decommission step. As appropriate for the target environment, the SIMPL VM component 110 may send an instruction to delete a VM and recreate the uplevel command. The VIM 120 may detach attached disks 140 as appropriate, delete the VM, re-create the VM using the uplevel software image, and reattach the disk 140 to the upleveled VM. The VIM 120 may further report whether the upgrade was successful. The SIMPL VM component 110 may perform a healthcheck on the upleveled VM to confirm that the upleveled VM is operating.
- the SIMPL VM component 110 may generate a report containing results of the upgrade operations.
- the report 140 may be generated in a format (for example, CSV) that may be read directly or imported into downstream reporting or auditing tools.
- secrets may be defined as data which allow authentication to a remote system, a component (e.g., a database), or are used in the encryption of any other data.
- secrets may be defined broadly as including, for example:
- some products may have secrets hardcoded in code, and some products have secrets written into configuration files that may or may not be checked into version control. Some products may store secrets in plain text on disk.
- the configuration for a deployment or upgrade may be provided in a solution definition file (SDF).
- SDF may be a single, declarative YAML file that encapsulates the information necessary to set up a specific deployment or upgrade.
- the SDF may encode information such as customer selections that alter the shape of a VNFD (for example: whether to deploy a product in its paired or standalone variant, whether to deploy the virtualized network function component (VNFC) with a data disk, whether to use security groups).
- the SDF may also encode information such as customer environment variables (for example: node names, IPs etc., how many instances to deploy).
- That SDF may be validated against a series of YANG schemas (one overall deployment schema and one product-options schema per product - these latter schemas may be defined in downloadable CSARs - Cloud Service Archives).
- YANG schemas may contain sufficient information to not only specify the format of the identifier, but also the format of the secret.
- a user interface may be provided that enables a user to:
- an autogeneration function may be provide that creates a secret for each identifier in the SDF.
- the generated secrets may adhere to the rules provided in the YANG schemas.
- the secrets may then be validated to check that they conform to the rules provided in the YANG schema.
- the secret/identifier pairs may be stored at a key management system (KMS), such as Azure Key Vault, Hashicorp Vault, or CyberArk.
- KMS key management system
- the secret/identifier pairs may be stored to an encrypted file on the VMs once they have been deployed if a KMS is unavailable.
- a secret store may be provided for storing of secret/identifier pairs.
- the SIMPL VM When the SIMPL VM deploys each of the VMs in the deployment or upgrade, instead of passing the secrets in the bootdata, the SIMPL VM instead may pass the identifiers and details of the KMS. The VM may then download the required secrets from the KMS.
- the validation may apply on a deployment or an upgrade of the VMs (or other changes to the deployment). At the point a VM is upgraded, a new CSAR may be downloaded. If the requirements on any of the secrets has changed, this will be detected during validation that will automatically run before the upgrade is allowed to proceed.
- the SIMPL VM may notify the KMS of the new node and the SSH private keys it needs.
- the KMS may store the SSH private key.
- the SIMPL VM needs to access the VM (e.g., to perform a health check action) it may retrieve the appropriate SSH private key from the KMS.
- the SIMPL VM upgrades a VM
- that VM may be deleted and redeployed with a new SSH host key.
- the SIMPL VM may update the KMS by deleting and recreating the account.
- the disclosed embodiments provide an efficient way to perform deployments or upgrades of different environments (e.g., there is no need for an agent on the VM, nor any assumptions about the VM itself), therefore enabling orchestration of VMs from multiple vendors.
- the development team need not write code to effect the deployment or upgrade, and only need to prepare the configuration files.
- new interactions with the VIM need only be defined once, and the upgrade procedure can be automatically generated.
- upgrades may be performed in a microservice-agnostic way, which may enable coordinating upgrades across connected microservices.
- the autogeneration of secrets may reduce the amount of configuration that a user needs to manage and enter, thus reducing the possibilities of error.
- the VM deployment or upgrade service may verify that all secrets that are implemented for a given deployment are valid before starting the deployment, thus allowing for detection of missing or incorrectly entered information, and detection of misconfigurations caused by changing requirements due to an upgrade. This can allow for reduced effort and cost in debugging secrets issues, such as mismatched keys/certificates between multiple functions, thus allowing for more efficient deployments and upgrades and an improved customer experience.
- FIG. 2 illustrates an example computing environment in which the embodiments described herein may be implemented.
- FIG. 2 illustrates a service provider 100 that is configured to provide computing resources to users at customer environment 140.
- the customer environment 140 may have user computers that may access services provided by service provider 100 via a network 130.
- the computing resources provided by the service provider 100 may include various types of resources, such as computing resources, data storage resources, data communication resources, and the like. Each type of computing resource may be general-purpose or may be available in a number of specific configurations.
- computing resources may be available as virtual machines.
- the virtual machines may be configured to execute applications, including Web servers, application servers, media servers, database servers, and the like.
- Data storage resources may include file storage devices, block storage devices, and the like.
- Each type or configuration of computing resource may be available in different configurations, such as the number of processors, and size of memory and/or storage capacity.
- the resources may in some embodiments be offered to clients in units referred to as instances, such as virtual machine instances or storage instances.
- a virtual computing instance may be referred to as a virtual machine and may, for example, comprise one or more servers with a specified computational capacity (which may be specified by indicating the type and number of CPUs, the main memory size and so on) and a specified software stack (e.g., a particular version of an operating system, which may in turn run on top of a hypervisor).
- Networking resources may include virtual networking, software load balancer, and the like.
- the virtual machines may be configured to execute applications, including Web servers, application servers, media servers, database servers, and the like.
- Data storage resources may include file storage devices, block storage devices, and the like.
- Service provider 100 may have various computing resources including servers, routers, and other devices that may provide remotely accessible computing and network resources using, for example, virtual machines. Other resources that may be provided include data storage resources.
- Service provider 100 may also execute functions that manage and control allocation of network resources, such as a network manager 110.
- Network 130 may, for example, be a publicly accessible network of linked networks and may be operated by various entities, such as the Internet. In other embodiments, network 130 may be a private network, such as a dedicated network that is wholly or partially inaccessible to the public. Network 130 may provide access to computers and other devices at the customer environment 140.
- the disclosed embodiments may be implemented in a mobile edge computing (MEC) environment implemented in conjunction with a 4G, 5G, or other cellular network.
- the MEC environment may include at least some of the components and functionality described in FIG. 1 above.
- components of a 5G network may include network functions such as a Session Management Function (SMF), Policy Control Function (PCF), and N7 interface.
- a radio access network (RAN) may comprise 5G-capable UEs, a base station gNodeB that communicates with an Access and Mobility Management Function (AMF) in a 5G Core (5GC) network.
- the 5G network may further comprise a User Plane Function (UPF) and Policy Charging Function (PCF).
- UPF User Plane Function
- PCF Policy Charging Function
- FIG. 3 illustrates an example computing environment in which the embodiments described herein may be implemented.
- FIG. 3 illustrates a data center 300 that is configured to provide computing resources to users 300a, 300b, or 300c (which may be referred herein singularly as “a user 300” or in the plural as “the users 300") via user computers 303a, 303b, and 303c (which may be referred herein singularly as "a computer 303" or in the plural as “the computers 303") via a communications network 330.
- the computing resources provided by the data center 300 may include various types of resources, such as computing resources, data storage resources, data communication resources, and the like. Each type of computing resource may be general-purpose or may be available in a number of specific configurations.
- computing resources may be available as virtual machines.
- the virtual machines may be configured to execute applications, including Web servers, application servers, media servers, database servers, and the like.
- Data storage resources may include file storage devices, block storage devices, and the like.
- Each type or configuration of computing resource may be available in different configurations, such as the number of processors, and size of memory and/or storage capacity.
- the resources may in some embodiments be offered to clients in units referred to as instances, such as virtual machine instances or storage instances.
- a virtual computing instance may be referred to as a virtual machine and may, for example, comprise one or more servers with a specified computational capacity (which may be specified by indicating the type and number of CPUs, the main memory size and so on) and a specified software stack (e.g., a particular version of an operating system, which may in turn run on top of a hypervisor).
- a specified computational capacity which may be specified by indicating the type and number of CPUs, the main memory size and so on
- a specified software stack e.g., a particular version of an operating system, which may in turn run on top of a hypervisor.
- Data center 300 may correspond to data center 100 and 110 of FIG. 2.
- Data center 300 may include servers 336a, 336b, and 336c (which may be referred to herein singularly as “a server 336” or in the plural as “the servers 336") that may be standalone or installed in server racks, and provide computing resources available as virtual machines 338a and 338b (which may be referred to herein singularly as “a virtual machine 338” or in the plural as “the virtual machines 338”).
- the virtual machines 338 may be configured to execute applications such as Web servers, application servers, media servers, database servers, and the like. Other resources that may be provided include data storage resources (not shown on FIG. 3) and may include file storage devices, block storage devices, and the like.
- Servers 336 may also execute functions that manage and control allocation of resources in the data center, such as a controller 335. Controller 335 may be a fabric controller or another type of program configured to manage the allocation of virtual machines on servers 336.
- a VM deployment or upgrade service (VDUS) 310 as described herein may be implemented in server 336b.
- VDUS VM deployment or upgrade service
- communications network 330 may, for example, be a publicly accessible network of linked networks and may be operated by various entities, such as the Internet. In other embodiments, communications network 330 may be a private network, such as a corporate network that is wholly or partially inaccessible to the public.
- Computers 303 may be computers utilized by users 300.
- Computer 303a, 303b or 303c may be a server, a desktop or laptop personal computer, a tablet computer, a smartphone, a set-top box, or any other computing device capable of accessing data center 300.
- User computer 303a or 303b may connect directly to the Internet (e.g., via a cable modem).
- User computer 303c may be internal to the data center 300 and may connect directly to the resources in the data center 300 via internal networks. Although only three user computers 303a, 303b, and 303c are depicted, it should be appreciated that there may be multiple user computers.
- Computers 303 may also be utilized to configure aspects of the computing resources provided by data center 300.
- data center 300 may provide a Web interface through which aspects of its operation may be configured through the use of a Web browser application program executing on user computer 303.
- a stand-alone application program executing on user computer 303 may be used to access an application programming interface (API) exposed by data center 300 for performing the configuration operations.
- API application programming interface
- Servers 336 may be configured to provide the computing resources described above.
- One or more of the servers 336 may be configured to execute a manager 330a or 330b (which may be referred herein singularly as “a manager 330" or in the plural as “the managers 330") configured to execute the virtual machines.
- the managers 330 may be a virtual machine monitor (VMM), fabric controller, or another type of program configured to enable the execution of virtual machines 338 on servers 336, for example.
- VMM virtual machine monitor
- a network device 333 may be utilized to interconnect the servers 336a and 336b.
- Network device 333 may comprise one or more switches, routers, or other network devices.
- Network device 333 may also be connected to gateway 340, which is connected to communications network 330.
- Network device 333 may facilitate communications within networks in data center 300, for example, by forwarding packets or other data communications as appropriate based on characteristics of such communications (e.g., header information including source and/or destination addresses, protocol identifiers, etc.) and/or the characteristics of the private network (e.g., routes based on network topology, etc.).
- characteristics of such communications e.g., header information including source and/or destination addresses, protocol identifiers, etc.
- the characteristics of the private network e.g., routes based on network topology, etc.
- FIG. 3 has been greatly simplified and that many more networks and networking devices may be utilized to interconnect the various computing systems disclosed herein. These network topologies and devices should be apparent to those skilled in the art.
- data center 300 described in FIG. 3 is merely illustrative and that other implementations might be utilized. Additionally, it should be appreciated that the functionality disclosed herein might be implemented in software, hardware or a combination of software and hardware. Other implementations should be apparent to those skilled in the art. It should also be appreciated that a server, gateway, or other computing device may comprise any combination of hardware or software that can interact and perform the described types of functionality, including without limitation desktop or other computers, database servers, network storage devices and other network devices, PDAs, tablets, smartphone, Internet appliances, television-based systems (e g., using set top boxes and/or personal/digital video recorders), and various other consumer products that include appropriate communication capabilities. In addition, the functionality provided by the illustrated modules may in some embodiments be combined in fewer modules or distributed in additional modules. Similarly, in some embodiments the functionality of some of the illustrated modules may not be provided and/or other additional functionality may be available.
- FIG. 4 illustrates an example computing environment illustrating testing at deployment site 420, in accordance with the present disclosure.
- one or more servers 436 may be installed at the edge site 420.
- servers 436 instantiate and run virtual machines 438.
- a SIMPL VM component (SVC) 410 as described herein may be implemented in server 436.
- users 300 may specify configuration information for a virtual network to be provided for the user, with the configuration information optionally including a variety of types of information such as network addresses to be assigned to computing endpoints of the provided computer network, network topology information for the provided computer network, network access constraints for the provided computer network.
- the network addresses may include, for example, one or more ranges of network addresses, which may correspond to a subset of virtual or private network addresses used for the user’s private computer network.
- the network topology information may indicate, for example, subsets of the computing endpoints to be grouped together, such as by specifying networking devices to be part of the provided computer network, or by otherwise indicating subnets of the provided computer network or other groupings of the provided computer network.
- the network access constraint information may indicate, for example, for each of the provided computer network's computing endpoints, which other computing endpoints may intercommunicate with the computing node endpoint, or the types of communications allowed to/from the computing endpoints.
- the secrets store 550 may be a trust-based container with an HTTP interface and is configured to be an abstraction layer. Constative information such as passwords may be removed from the SDF, and stored at various backends such as CyberArk, Azure Key Vault, or Hashicorp Vault.
- the secret store 550 may be configured to communicate with the backends and store credentials to connect to the backends.
- KMS provisioning portal 510 may be provided at the application layer to enable users to write to storage through the portal.
- the orchestration/provisional controller 520 may write to the secret store 550.
- the application 530 that consumes the secrets may read from the secret store 550 in the same way that it reads config files.
- the application 530 may access config store 570 for non-secrets and references to secrets.
- the secret store 550 may read and write to back storage such as cloud KMS 560.
- Various secrets such as passwords, keys (e.g., SSH private keys and TLS private keys) may be removed from the SDF and replaced with identifiers.
- SSH private keys may be replaced with account names for the SSH keys.
- the SIMPL VM may communicate with the secrets store to confirm that it has an SSH private key with a corresponding identifier.
- the secrets store may use the config provided to it to connect to the appropriate backend to determine if the SSH private key is stored therein.
- the SSH private key may be returned if found.
- the secrets store may generate a SSH private key and public key and store the new SSH private key to the backend.
- the new private key may be returned to the SIMPL VM.
- the SIMPL VM may convert it to the public version of that key.
- the Heat template may then contain the SSH public key, and once deployed, the node will have the relevant SSH public key.
- the computing environment comprises a computing service provider and a remote computing network.
- operation 601 illustrates configuring the software package. Operation 601 may be followed by operation 603. Operation 603 illustrates deploying the SIMPL VM component. Operation 603 may be followed by operation 605. Operation 605 illustrates accessing a configuration file.
- Operation 605 may be followed by operation 607.
- Operation 607 illustrates accessing or generating secrets as needed.
- Operation 607 may be followed by operation 609.
- Operation 609 illustrates validating the accessed or generated secrets.
- Operation 609 may be followed by operation 611.
- Operation 611 illustrates performing deployment or upgrade operations in accordance with the configuration file.
- Operation 611 may be followed by operation 613.
- Operation 613 illustrates generating a report based on the deployment or upgrade results.
- FIG. 6B illustrated is an example operational procedure for deploying a virtualized computing environment configured in a user-specific configuration.
- the deployment may be managed by a deployment function.
- the virtualized computing environment may comprise a plurality of virtual machines, an operational procedure can be provided by one or more components illustrated in FIGs. 1 through 5.
- the operational procedure may be implemented in a system comprising one or more computing devices. It should be understood by those of ordinary skill in the art that the operations of the methods disclosed herein are not necessarily presented in any particular order and that performance of some or all of the operations in an alternative order(s) is possible and is contemplated. The operations have been presented in the demonstrated order for ease of description and illustration. Operations may be added, omitted, performed together, and/or performed simultaneously, without departing from the scope of the appended claims.
- the logical operations described herein are implemented (1) as a sequence of computer implemented acts or program modules running on a computing system such as those described herein) and/or (2) as interconnected machine logic circuits or circuit modules within the computing system.
- the implementation is a matter of choice dependent on the performance and other requirements of the computing system. Accordingly, the logical operations may be implemented in software, in firmware, in special purpose digital logic, and any combination thereof.
- routine 620 is described as running on a system, it can be appreciated that the routine 620 and other operations described herein can be executed on an individual computing device or several devices.
- operation 621 illustrates generating a solution definition file (SDF) that defines the user-specific configuration for the deployment.
- SDF solution definition file
- Operation 621 may be followed by operation 623.
- Operation 623 illustrates adding, in the SDF, an identifier for each secret to be used by the deployment.
- Operation 623 may be followed by operation 625.
- Operation 625 illustrates generating a schema defining a format for each identifier in the SDF and a format of each of the secrets corresponding to each identifier.
- Operation 625 may be followed by operation 627.
- Operation 627 illustrates storing the secrets to be used by the deployment and corresponding identifiers in a secure storage.
- Operation 627 may be followed by operation 629.
- Operation 629 illustrates deploying the virtual machines in a target computing environment in accordance with the SDF.
- Operation 629 may be followed by operation 631.
- Operation 631 illustrates sending data indicative of the identifiers in the SDF to the deployed virtual machines.
- the data is usable by the virtual machines to obtain the corresponding secrets from the secure storage.
- a component may also encompass other ways of leveraging a device to perform a function, such as, for example, a) a case in which at least some tasks are implemented in hard ASIC logic or the like; b) a case in which at least some tasks are implemented in soft (configurable) FPGA logic or the like; c) a case in which at least some tasks run as software on FPGA software processor overlays or the like; d) a case in which at least some tasks run as software on hard ASIC processors or the like, etc., or any combination thereof.
- a component may represent a homogeneous collection of hardware acceleration devices, such as, for example, FPGA devices.
- a component may represent a heterogeneous collection of different types of hardware acceleration devices including different types of FPGA devices having different respective processing capabilities and architectures, a mixture of FPGA devices and other types hardware acceleration devices, etc.
- FIG. 7 illustrates a general-purpose computing device 700.
- computing device 700 includes one or more processors 710a, 710b, and/or 71 On (which may be referred herein singularly as “a processor 710" or in the plural as “the processors 710") coupled to a system memory 720 via an input/output (I/O) interface 730.
- processors 710a, 710b, and/or 71 On which may be referred herein singularly as “a processor 710” or in the plural as “the processors 710” coupled to a system memory 720 via an input/output (I/O) interface 730.
- I/O input/output
- Computing device 700 further includes a network interface 740 coupled to I/O interface 730.
- computing device 700 may be a uniprocessor system including one processor 710 or a multiprocessor system including several processors 710 (e.g., two, four, eight, or another suitable number).
- Processors 710 may be any suitable processors capable of executing instructions.
- processors 710 may be general-purpose or embedded processors implementing any of a variety of instruction set architectures (ISAs), such as the x77, PowerPC, SPARC, or MIPS ISAs, or any other suitable ISA.
- ISAs instruction set architectures
- each of processors 710 may commonly, but not necessarily, implement the same ISA.
- System memory 720 may be configured to store instructions and data accessible by processor(s) 710.
- system memory 720 may be implemented using any suitable memory technology, such as static random access memory (SRAM), synchronous dynamic RAM (SDRAM), nonvolatile/Flash-type memory, or any other type of memory.
- SRAM static random access memory
- SDRAM synchronous dynamic RAM
- program instructions and data implementing one or more desired functions, such as those methods, techniques and data described above, are shown stored within system memory 720 as code 725 and data 727.
- I/O interface 730 may be configured to coordinate I/O traffic between the processor 710, system memory 720, and any peripheral devices in the device, including network interface 740 or other peripheral interfaces.
- I/O interface 730 may perform any necessary protocol, timing, or other data transformations to convert data signals from one component (e g., system memory 720) into a format suitable for use by another component (e.g., processor 710).
- I/O interface 730 may include support for devices attached through various types of peripheral buses, such as a variant of the Peripheral Component Interconnect (PCI) bus standard or the Universal Serial Bus (USB) standard, for example.
- PCI Peripheral Component Interconnect
- USB Universal Serial Bus
- the function of I/O interface 730 may be split into two or more separate components. Also, in some embodiments some or all of the functionality of I/O interface 730, such as an interface to system memory 720, may be incorporated directly into processor 710.
- Network interface 740 may be configured to allow data to be exchanged between computing device 700 and other device or devices 770 attached to a network or network(s) 750, such as other computer systems or devices as illustrated in FIGS. 1 through 5, for example.
- network interface 740 may support communication via any suitable wired or wireless general data networks, such as types of Ethernet networks, for example. Additionally, network interface 740 may support communication via telecommunications/telephony networks such as analog voice networks or digital fiber communications networks, via storage area networks such as Fibre Channel SANs or via any other suitable type of network and/or protocol.
- system memory 820 may be one embodiment of a computer-accessible medium configured to store program instructions and data as described above for FIGS.
- a computer-accessible medium may include non-transitory storage media or memory media, such as magnetic or optical media, e.g., disk or DVD/CD coupled to computing device 700 via I/O interface 730.
- a non-transitory computer-accessible storage medium may also include any volatile or non-volatile media, such as RAM (e.g. SDRAM, DDR SDRAM, RDRAM, SRAM, etc.), ROM, etc., that may be included in some embodiments of computing device 700 as system memory 720 or another type of memory.
- a computer- accessible medium may include transmission media or signals such as electrical, electromagnetic or digital signals, conveyed via a communication medium such as a network and/or a wireless link, such as may be implemented via network interface 740.
- a communication medium such as a network and/or a wireless link, such as may be implemented via network interface 740.
- Portions or all of multiple computing devices, such as those illustrated in FIG. 7, may be used to implement the described functionality in various embodiments; for example, software components running on a variety of different devices and servers may collaborate to provide the functionality.
- portions of the described functionality may be implemented using storage devices, network devices, or special-purpose computer systems, in addition to or instead of being implemented using general- purpose computer systems.
- the term "computing device,” as used herein, refers to at least all these types of devices and is not limited to these types of devices.
- Computer-readable media as discussed herein may refer to a mass storage device, such as a solid-state drive, a hard disk or CD-ROM drive. However, it should be appreciated by those skilled in the art that computer-readable media can be any available computer storage media that can be accessed by a computing device.
- computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.
- computer media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, digital versatile disks (“DVD”), HD-DVD, BLU-RAY, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computing devices discussed herein.
- DVD digital versatile disks
- HD-DVD high definition digital versatile disks
- BLU-RAY blue ray
- computer storage medium does not include waves, signals, and/or other transitory and/or intangible communication media, per se.
- Encoding the software modules presented herein also may transform the physical structure of the computer-readable media presented herein.
- the specific transformation of physical structure may depend on various factors, in different implementations of this description. Examples of such factors may include, but are not limited to, the technology used to implement the computer- readable media, whether the computer-readable media is characterized as primary or secondary storage, and the like.
- the computer-readable media is implemented as semiconductor-based memory
- the software disclosed herein may be encoded on the computer- readable media by transforming the physical state of the semiconductor memory.
- the software may transform the state of transistors, capacitors, or other discrete circuit elements constituting the semiconductor memory.
- the software also may transform the physical state of such components in order to store data thereupon.
- the computer-readable media disclosed herein may be implemented using magnetic or optical technology.
- the software presented herein may transform the physical state of magnetic or optical media, when the software is encoded therein. These transformations may include altering the magnetic characteristics of particular locations within given magnetic media. These transformations also may include altering the physical features or characteristics of particular locations within given optical media, to change the optical characteristics of those locations. Other transformations of physical media are possible without departing from the scope and spirit of the present description, with the foregoing examples provided only to facilitate this discussion.
- any reference to “first,” “second,” etc. items and/or abstract concepts within the description is not intended to and should not be construed to necessarily correspond to any reference of “first,” “second,” etc. elements of the claims.
- items and/or abstract concepts such as, for example, individual computing devices and/or operational states of the computing cluster may be distinguished by numerical designations without such designations corresponding to the claims or even other paragraphs of the Summary and/or Detailed Description.
- any designation of a “first operational state” and “second operational state” of the computing cluster within a paragraph of this disclosure is used solely to distinguish two different operational states of the computing cluster within that specific paragraph - not any other paragraph and particularly not the claims.
- Clause 1 A method for deploying, by a deployment function, a virtualized computing environment configured in a user-specific configuration, the virtualized computing environment comprising a plurality of virtual machines, the method comprising: generating a solution definition file (SDF) that defines the user-specific configuration for the deployment; adding, in the SDF, an identifier for each secret to be used by the deployment; generating a schema defining a format for each identifier in the SDF and a format of each of the secrets corresponding to each identifier; storing the secrets to be used by the deployment and corresponding identifiers in a secure storage; deploying the virtual machines in a target computing environment in accordance with the SDF; and sending data indicative of the identifiers in the SDF to the deployed virtual machines, the data usable by the virtual machines to obtain the corresponding secrets from the secure storage.
- SDF solution definition file
- Clause 3 The method of any of clauses 1-2, further comprising validating the received secrets against the schema.
- Clause 4 The method of any of clauses 1-3, wherein the secrets are autogenerated in accordance with the schema.
- Clause 5 The method of any of clauses 1-4, wherein the secrets comprise one or more of passwords, SSH keys, or certificates.
- Clause 6 The method of any of clauses 1-5, wherein the secure storage is a key management system.
- Clause 7 The method of clauses 1-6, wherein the deployment function is configured to: execute as a virtual resource in the virtualized computing environment; execute a series of operations in the virtualized computing environment that coordinate the deployment; and interact with a virtualized infrastructure manager (VIM) and the virtual machines to effect the deployment.
- VIM virtualized infrastructure manager
- Clause 8 The method of any of clauses 1-7, wherein the secrets are a combination of user- provided secrets and autogenerated secrets.
- a system comprising: one or more processors; and a memory in communication with the one or more processors, the memory having computer- readable instructions stored thereupon that, when executed by the one or more processors, cause the system to perform operations comprising: generating a solution definition file (SDF) that identifies a configuration for a deployment of a virtualized computing environment comprising a plurality of virtual machines, the SDF replacing each secret needed for the deployment with an identifier for the secret; generating a schema specifying a format for each identifier for each secret included in the SDF and a format of the secrets, wherein the secrets and corresponding identifiers are stored in a secure storage; deploying the virtual machines in the virtualized computing environment; and sending the identifiers to the deployed virtual machines, the identifiers usable by the virtual machines to obtain the secrets from the secure storage.
- SDF solution definition file
- Clause 10 The system of clause 9, wherein the secrets are received via user input.
- Clause 11 The system of any of clauses 9 and 10, further comprising instructions that, when executed by the one or more processors, cause the system to perform operations comprising validating the received secrets against the schema.
- Clause 12 The system of any clauses 9-11, wherein the secrets are autogenerated in accordance with the schema.
- Clause 13 The system of any clauses 9-12, wherein the secrets are a combination of user-provided secrets and autogenerated secrets.
- Clause 14 The system of any clauses 9-13, wherein the secrets comprise one or more of passwords, SSH keys, or certificates.
- Clause 15 The system of any clauses 9-14, wherein the secure storage is a key management system.
- Clause 16 The system of any clauses 9-15, wherein the deployment is managed by a deployment tool configured to: execute as a virtual resource in the virtualized computing environment; execute a series of operations in the virtualized computing environment that coordinate the deployment; and interact with a virtualized infrastructure manager (VIM) and the virtual machines to effect the deployment.
- a deployment tool configured to: execute as a virtual resource in the virtualized computing environment; execute a series of operations in the virtualized computing environment that coordinate the deployment; and interact with a virtualized infrastructure manager (VIM) and the virtual machines to effect the deployment.
- VIP virtualized infrastructure manager
- a computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by one or more processors of a system, cause the system to: generate a solution definition file (SDF) that identifies a configuration for a deployment of a virtualized computing environment comprising a plurality of virtual machines, the SDF replacing each secret needed for the deployment with an identifier for the secret; generate a schema defining a format for each identifier for each secret included in the SDF and a format of the secrets; store the secrets and corresponding identifiers in a secure storage; deploy the virtual machines in the virtualized computing environment; and send the identifiers to the deployed virtual machines, the identifiers usable by the virtual machines to obtain the secrets from the secure storage.
- SDF solution definition file
- Clause 18 The computer-readable storage medium of clause 17, wherein the secrets are autogenerated in accordance with the schema.
- Clause 19 The computer-readable storage medium of any of the clauses 17-18, wherein the secrets are received via user input and the received secrets are validated against the schema.
- Clause 20 The computer-readable storage medium of any of the clauses 17-19, wherein the secure storage is a key management system.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Stored Programmes (AREA)
Abstract
Description
Claims
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202280057912.5A CN117859129A (en) | 2021-09-09 | 2022-08-18 | Secret management in a virtual environment deployment process |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202163242439P | 2021-09-09 | 2021-09-09 | |
US63/242,439 | 2021-09-09 | ||
US17/539,161 US20230073812A1 (en) | 2021-09-09 | 2021-11-30 | Management of secrets during deployment of virtual environment |
US17/539,161 | 2021-11-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023038768A1 true WO2023038768A1 (en) | 2023-03-16 |
Family
ID=83280551
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2022/040680 WO2023038768A1 (en) | 2021-09-09 | 2022-08-18 | Management of secrets during deployment of virtual environment |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2023038768A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180083937A1 (en) * | 2016-09-16 | 2018-03-22 | Pivotal Software, Inc. | Credential management in cloud-based application deployment |
US20200177591A1 (en) * | 2018-11-29 | 2020-06-04 | Microsoft Technology Licensing, Llc | Streamlined secure deployment of cloud services |
US20200319905A1 (en) * | 2019-04-02 | 2020-10-08 | International Business Machines Corporation | Metadata service provisioning in a cloud environment |
-
2022
- 2022-08-18 WO PCT/US2022/040680 patent/WO2023038768A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180083937A1 (en) * | 2016-09-16 | 2018-03-22 | Pivotal Software, Inc. | Credential management in cloud-based application deployment |
US20200177591A1 (en) * | 2018-11-29 | 2020-06-04 | Microsoft Technology Licensing, Llc | Streamlined secure deployment of cloud services |
US20200319905A1 (en) * | 2019-04-02 | 2020-10-08 | International Business Machines Corporation | Metadata service provisioning in a cloud environment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112119374B (en) | Selectively providing mutual transport layer security using alternate server names | |
US11625281B2 (en) | Serverless platform request routing | |
Ismail et al. | Evaluation of docker as edge computing platform | |
US10666517B2 (en) | End-to-end automated servicing model for cloud computing platforms | |
US11429353B1 (en) | Dynamic service provisioning using templatized infrastructure resources | |
BR112017000110B1 (en) | METHOD IMPLEMENTED BY COMPUTER, COMPUTER SYSTEM AND MEMORY DEVICE FOR SELF-EXPANING CLOUD | |
US20130227089A1 (en) | Building virtual machine disk images for different cloud configurations from a single generic virtual machine disk image | |
US11539678B2 (en) | Asymmetric key management for cloud computing services | |
US20220255966A1 (en) | Method and System for Secure Container Application Framework | |
US10324701B1 (en) | Rapid deployment of computing instances | |
US20220116335A1 (en) | End-to-end network slicing (ens) from ran to core network for next generation (ng) communications | |
US11910486B2 (en) | Commit sets in a Kubernetes environment | |
US20190324861A1 (en) | Backup and restore validation | |
WO2022231701A1 (en) | Controller for off-cluster operations | |
Barkat et al. | Open stack and cloud stack: Open source solutions for building public and private clouds | |
US11831501B2 (en) | Virtual network function descriptor generator | |
US20230073812A1 (en) | Management of secrets during deployment of virtual environment | |
WO2023038768A1 (en) | Management of secrets during deployment of virtual environment | |
US20220247653A1 (en) | Early deployment connectivity testing | |
WO2022170157A1 (en) | Method and system for secure container application framework | |
US20220353134A1 (en) | Virtual network function upgrade tool | |
US11977926B1 (en) | Deployment of pod cohorts | |
Beranek et al. | Framework for Management of Multi-tenant Cloud Environments | |
US11893373B2 (en) | Exposure and de-duplication of input parameters for complex Helm chart deployment | |
US20230037986A1 (en) | Autoencryption system for data in a container |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22769018 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 202280057912.5 Country of ref document: CN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2022769018 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2022769018 Country of ref document: EP Effective date: 20240409 |