Has anyone used Hashicorp Boundary in place of a traditional VPN? It looks pretty nifty, but I would love to hear some experiences from people who have used it before
My main question is:
• From a day-to-day perspective of the developers at my company, how annoying is it to use compared to other VPN software? But any other thoughts are welcome.
Hi @David. The feedback I’ve heard about Boundary is that it’s not quite a full product yet. Two other companies to look at are StrongDM and Teleport. If you want something open source then check out Teleport: https://github.com/gravitational/teleport In full disclosure, I work for Teleport.
It’s hard to say whether Boundary is a full solution for someone without knowing the requirements. @David, could you describe what your developers need to do? Are there specific constraints?
As a bit of history, Boundary was initially supposed to be an extension to Vault, but as the design fleshed out, it made sense to make it its own product. So things like certificates and secrets require an integration with Vault (or something else), but those capabilities exist and the integrations are real.
All that said, it is a new product that’s been out for around a year now, so it’s possible it’s missing a requirement you have at this point.
@Jake Lundberg (HashiCorp) We have two main use cases:
• Protect internal-only sites (dev/staging sites). Right now we use public DNS for these, but with AWS Cognito protecting them. It would be nice to use private DNS and expose them through Boundary if possible.
• We are setting up a Hashicorp Vault cluster in all envs, and right now in our testing it is on public DNS. Ideally, I would want to force our devs to use something like Boundary to connect to Vault.
What kind of authentication are you using? (LDAP/AD, Okta, Auth0)?
AWS IAM auth to Vault right now
We are looking at Okta in the future
Boundary doesn’t currently have an IAM auth method. It looks like generic OIDC is the main method, with examples of Auth0, Okta and Azure AD as providers. You could use any OIDC provider though; you’d just have to set up the Boundary application on your own.
There is a basic username/password auth method, but I wouldn’t use that outside of admin functions or concept testing.
Do your users login to Vault using IAM credentials?
Yeah, almost all Vault communication is done via the CLI/SDK, so in general it works pretty well.
vault print token | pbcopy is used when we want UI access
I see. Hrm, well, for now that won’t work, but if you have Okta (or other OIDC) soon, you can use it. There will be other auth methods, though I’m not sure AWS IAM will be one in the short term.
I haven’t seen anyone actually use Boundary to connect to Vault, but I can’t see a reason this wouldn’t work. You could configure any credential store/library integration with Vault, so you could feasibly just use OIDC to authenticate to Boundary and have Vault return a token scoped for that particular user/group. This would be transparent to the user though; they wouldn’t actually see the Vault token, they’d just get a connection via Boundary.
That would be nice. And that token would refresh as long as the user was connected to Boundary?
Yes, Boundary manages the credentials used to connect to any endpoints and stores them for the user. You can do interesting things like dynamic database credentials as well. So Vault would create temporary U/P for the target database and Boundary would connect using those credentials. The intent is that the user shouldn’t even know network or secret details for the connection.
Connection pooling probably isn’t an issue here as these are user connections.
Warning: The documentation still has a long way to go. I found the following link helpful: “Learn the standard operational tasks to manage and configure your Boundary environment.”
It took me a bit to actually find HOW to configure the auth methods.
A must-read: https://insights.stackoverflow.com/survey/2021
@Erik Osterman (Cloud Posse) I would love to see this in office hours, where we can get some feedback about the results from the gang there.
For example, AWS trends and DevOps; also Terraform is among the popular options.
what specifically did you find interesting in this one?
Does anyone know how I can get a SweetOps t-shirt/hoodie? I see the merch page only contains mugs and laptop stickers.
Hi, has anyone tried the new Apple M1? Any noticeable problems or applications that don’t work?
It looks like VirtualBox isn’t supported yet
I got one issued for work, not worth it atm imo
qemu-system-aarch64 eats 4 GB of RAM and crashes everything; I had to restart to fix it. Not everything plays nice with the emulation, having 2 terminals is a pain in the arse, etc.
I don’t really see what the big win is with M1 over an Intel-based Mac; I didn’t find the Intel-based Mac slow.
Why are 2 terminals needed?
I haven’t needed to use both, but it’s just another minor annoying thing to have to deal with, ensuring the Rosetta terminal is used. I’m yet to see what the gain is exactly in shifting to M1.
I haven’t managed to get minikube to work on it with brew; kind works, so at least there is an alternative.
So far it’s just a list of minor drawbacks for, as far as I can tell, no real gain. None of it has been a showstopper so far and I’m sure support will get better with time, etc.
the M1 allows me to work all day without plugging into power. It’s what I’ve been wanting for 20 years
The only thing that doesn’t work is VirtualBox (and probably never will). Parallels does work though. There is a Vagrant provider for Parallels, but it requires you to use the Business version or something.
> the M1 allows me to work all day without plugging into power. It’s what I’ve been wanting for 20 years
I guess I just don’t have a need for this? I am never without any kind of plug for 8 - 10 hours. It’s certainly an improvement, don’t get me wrong; it just doesn’t really add much value for me at least.
sure - understand!
use cases vary of course
Totally! It’s definitely an improvement and it could be a deal breaker for someone else!
cloudposse/geodesic won’t work on M1 yet, but there is an open issue on it to implement it.
Have an M1 MBP on order to try out and our use-case is very VM heavy, so interested to see how it all performs.
I would like to create an internal course (up to a month of content) for onboarding new developers. What would be a good platform for something like this that is internal to a company?
GitHub Learning Labs look promising, but the support surrounding them is suspect.
You might think about using Katacoda for preconfigured environments along with the course content. It’s all/mostly Markdown from what I understand. https://www.katacoda.com/create
You could combine that with an internally accessible video platform if you want to put video along with the text and compute environments.
Otherwise, look into a self hosted learning management system: https://medevel.com/14-learning-management-systems-lms/
I ended up creating an internal codelab site: https://github.com/googlecodelabs/tools with around 20 codelabs, and then made a few Notion documents with a calendar for which codelabs/other resources should be done on each day. It went well.
Oh hey @Erik Osterman (Cloud Posse), I just sent you a LinkedIn message, but figured I would ping on Slack as well. Folks on my team at HashiCorp are looking for a DevOps practice to refer out to. I’m not a decision-maker/authorized to represent the org I work for, but I’m more than willing to make introductions and put y’all’s name in the hat if you are experienced with the particulars of Consul deployments.