deployment of vault itself?
we did a poc earlier this year and did
envconsul as PID1 in our containers
(envconsul is like chamber for vault)
I deployed Vault itself with the community Helm chart (had to heavily modify it, which wasn’t an ideal experience). The first issue is that Vault needs to be initialised (if it’s the first time you are deploying it), and also unsealed. These steps are tricky to automate, which makes having ephemeral Vaults a challenge (cloud backed auto-unseal is not an option, HSM might be, but not right now).
cloud backed auto-unseal is not an option
it is now - was just released to CE
maybe not supported by terraform modules yet
supports KMS based unsealing
The second issue is deploying configuration such as policies, auth methods etc. Right now we’re using Terraform, but authenticating is a problem.
Yeah, I know it exists, that’s why I’m saying it’s not an option for us - we’re running on prem.
Heavily regulated financial environment. It’s a thing.
heh, I bet.
@justin.dynamicd might have more to contribute
hmm, I’ve stored the root tokens for auto unseal before in an HSM, that the Vault nodes have read access to
This wasn’t a kubernetes/helm deployment.
It was a complex PCI environment (AWS) and Vault was in use for the PKI backend. HA Vault instances came up, auto init, unseal, create their own certs for TLS between clients and them, and then start doling out certs to instances in the environment as they come up
I was messing around to make one for terraform fmt
Heads up about: https://github.com/hashicorp/terraform-github-actions
Niiice, what about docker layer caching and actions? If that works it would be just awesome.