#release-engineering (2018-12)
All things CI/CD. Specific emphasis on Codefresh and CodeBuild with CodePipeline.
CI/CD Discussions
Archive: https://archive.sweetops.com/release-engineering/
2018-12-12

Anyone working with Hashicorp Vault? Keen to hear how you tackle the deployment pipeline.

(me too)

deployment of vault itself?

also, vault+helm

we did a PoC earlier this year and did envconsul as PID 1 in our containers

(envconsul is like chamber for vault)

I deployed Vault itself with the community Helm chart (had to heavily modify it, which wasn’t an ideal experience). The first issue is that Vault needs to be initialised (if it’s the first time you are deploying it), and also unsealed. These steps are tricky to automate, which makes having ephemeral Vaults a challenge (cloud-backed auto-unseal is not an option, HSM might be, but not right now).

cloud backed auto-unseal is not an option

it is now - was just released to CE

maybe not supported by terraform modules yet

supports KMS-based unsealing

The second issue is deploying configuration such as policies, auth methods etc. Right now we’re using Terraform, but authenticating is a problem.

Yeah, I know it exists, that’s why I’m saying it’s not an option for us - we’re running on prem.

ohhhhhhhh

on prem

Heavily regulated financial environment. It’s a thing.

heh, I bet.

@justin.dynamicd might have more to contribute
2018-12-13

hmm, I’ve stored the root tokens for auto unseal before in an HSM, that the Vault nodes have read access to

This wasn’t a kubernetes/helm deployment.

It was a complex PCI environment (AWS) and Vault was in use for the PKI backend. HA Vault instances came up, auto-initialised, unsealed, created their own certs for TLS between clients and themselves, and then started doling out certs to instances in the environment as they came up.
2018-12-18

@mumoshu

this would also be pretty nice

nice

has anyone created a useful GitHub Action?

I have not, but I saw Actions yesterday in action with one of my customers for real terraform commands… looks very cool, though not yet ready for many real use-cases

I was messing around to make one for terraform fmt

Heads up about: https://github.com/hashicorp/terraform-github-actions

Niiice, what about docker layer caching and actions? If that works it would be just awesome.
2018-12-19

@mumoshu has joined the channel