Interview

Panel: Kubernetes & HashiCorp First-Class Experience

Join us for a panel discussion around various HashiCorp products' support for Kubernetes with Narayan Iyengar, Jason O'Donnell, and Phil Sautter from HashiCorp.


Transcript

Rob Barnes: Thank you very much, Jason. That was absolutely amazing. I really, really enjoyed that. So now we're going to move to another live discussion panel, which is going to be a Kubernetes discussion panel. So for that, I would like to welcome Narayan Iyengar from our Vault Ecosystem team and Phil Sautter from the Terraform Ecosystem team. Thank you very much for joining us, guys, and welcome. And just before I pass over to Domi, I just want to say, please, please get involved in the conversation, do ask any questions that you have for Narayan or Phil on the platform, or be sure to try and get those answers by them. So thank you very much. Over to you, Dom.

Dominique Top: Thank you. Welcome gentlemen. I'm just going to kick us right off. In the last panel, we touched a little bit on Consul. We can do, you would have this federation of clusters with Consul, which is pretty cool. What do Terraform and Vault bring to the table? Let's start with Narayan.

Narayan Iyengar: Yeah. So Terraform just provides a very rich language, as we have a Terraform provider for Vault, which allows you to not only use the Terraform modules to install Vault, but also configure Vault as you need. So the flow could be that you use Helm to install Vault onto Kubernetes clusters, but then you use the Terraform provider to configure it and maintain it on an ongoing basis.

Dominique Top: Cool.

Phil Sautter: Yeah, and to piggyback on that, right? Yeah. So, one of the big values of Terraform in general, Kubernetes or not, is a consistent workflow across all of your infrastructure. And we've extended that into Kubernetes as well with first-class Kubernetes support. So we have the Kubernetes provider and we also just recently released the kubernetes-alpha provider, which basically covers all the resources that Kubernetes has to offer. And we also have the Kubernetes, I'm sorry, the Terraform operator for Kubernetes, which allows you to provision infrastructure resources using CRDs in the Kubernetes control plane.

Dominique Top: Awesome. Thank you very much. I want to see if there's some questions from the audience. Rob, did we get anything?

Rob Barnes: Thank you very much, Dom, at the moment, no. Audience, please, if you have any questions or any comments you'd like to make, please do get involved and ask the questions on the platform. But for now there's nothing. Back to you, Domi.

Dominique Top: All right. That's not a problem. So I also want to ask this to the audience, but to either of you two, what are the challenges you face with provisioning on Kubernetes and what can we do to make it better? That's kind of the question on this one.

Narayan Iyengar: That's an interesting question. And we have a meetup, I'm hosting a meetup tomorrow, so it should be on the schedule. And we are definitely looking for feedback that people have encountered. One of the biggest challenges that we had heard was getting Vault up and running in a Kubernetes cluster, Vault Enterprise specifically. We had a Helm chart that wouldn't allow you to install Vault open source, but more and more customers are looking to install Vault Enterprise. So we have made a number of improvements into the Helm chart. Vault and Consul teams have, actually now we have our own official Helm repo, so it makes installation of Vault and Consul into Kubernetes a two-step process: add the repo and Helm install, and you're up and running. Vault Helm and the Vault Agent Injector, like you saw in the previous talk, have been really carefully written to make that operating experience really, really easy. And also the consumption of the secrets part should be really, really easy for end users.

Dominique Top: Amazing. Thank you. I've heard just from our little elves in the studio that we've got some audience questions that have come in, Rob over to you.

Rob Barnes: Thank you very much. Yeah. We have one, which is a really, really good question. And the question is, is running Vault Enterprise on Kubernetes recommended for production? I've written so many blog articles about this very question over time. So yeah, I'd like to fling that over to Narayan, please.

Narayan Iyengar: Yeah, absolutely. We, as I said, we do officially support running Vault Enterprise on Kubernetes. And as Jason pointed out in the previous talk, there are some security considerations that you have to make as with running Vault on any platform. So there's production hardening guides that you have to follow, security best practices from the cloud provider or the platform provider that you have to follow. But other than that we absolutely support Vault Enterprise running on Kubernetes.

Rob Barnes: Amazing. Thank you. We have another question which is, when could Vault be available on HCP?

Narayan Iyengar: Good question. And I think as touched on the keynote, soon. I can't give you a much more concrete answer, but soon.

Jason O'Donnell: Amazing. Thank you. So another one is, can we have more info on the Terraform Kubernetes provider, please? This one is probably for Phil.

Phil Sautter: More info, sure. So, we cover many of the Kubernetes resources in the Kubernetes provider that we've had around for a while. One of the things that clearly we've been lacking is this custom resource, custom resource definition support, which we just added in the kubernetes-alpha provider. Long-term, or I guess medium-term, we do hope to actually merge these two providers into one and add the kubernetes-alpha manifest resource into the Kubernetes provider, which would give full coverage in a single provider. It's an alternative to YAML, right? It's a much simpler, in my opinion, syntax. Much cleaner and easier to look at. And again, it provides that common workflow. We also have the Helm provider. I know this question was about the Kubernetes provider, but I want to promote the Helm provider as well as a way to get all the Kubernetes workflows into Terraform.

Rob Barnes: Brilliant. Thank you very, very much. We have another one. What's the best practice for managing secrets for multiple environments? Can I somehow achieve identical deployments differing only by environment variables or annotation and reuse the template which dynamically uses different paths in Vault based on the var? That one I'll fling to Narayan.

Narayan Iyengar: Yeah, that's an interesting question. And that may need a little bit more digging into the nuances of how you're setting up different environments. So feel free to reach out or come over to the meetup tomorrow and we will have some other experts on there as well. They'd be able to kind of dig deeper and help you sort out that answer.

Rob Barnes: Brilliant. Thank you very much. And just on that one there, I will also say, just in case some of you aren't aware, we have the discuss.hashicorp.com platform. So if you have any kind of deep technical questions, you can always head over there and ask that in the future, but for now we're at the conference. So ask any questions in here and then do attend the meetups and that'd be absolutely amazing. Thank you very much, over to you, Domi.

Dominique Top: All right. I do have one more question. Well, I think I've got, yeah, I've one really important question. Could you tell me what you see as the future for HashiCorp products and Kubernetes, Phil?

Phil Sautter: Oh, wow. That is quite the question. And if I had to look into my crystal ball, which I don't have, I think operators are more in our future, tighter integrations with Kubernetes, better integration with multi-cluster. I think that the industry is moving towards Kubernetes world and so where are we.

Dominique Top: Awesome. Do you have anything to add, Narayan? What's your vision?

Narayan Iyengar: Yeah. I mean, you were spot on, Phil. HashiCorp itself has taken a Kubernetes-first stance. HashiCorp joined the CNCF last year. As you can see, Vault especially has done a lot of work around making installation of Vault and consuming secrets from Vault within Kubernetes extremely easy. And we're going to keep doubling down on those efforts and improve that experience as time goes on.

Dominique Top: Amazing. Yeah, I think it's one of those things where people assume that because Kubernetes is not part of our stack, that there is no place for it within the stuff that we make and we use, but I feel like this is an important example of how this is actually as welcome as many of the things that we have. Just going over to Rob again, we have some more questions?

Rob Barnes: We do. Yeah. I love this question. I absolutely love this question. I'm not trying to call this person's name out because it's a good one. So this is Anton Bubanco. I hope I've pronounced your name properly. And the question is, are there any, including hacky ways to not catch secrets in Terraform state when they are fetched using a Vault provider? So I'll fling that one over to Phil.

Phil Sautter: I actually think that's a better one for Narayan. I don't really have a good answer for that, to be honest.

Narayan Iyengar: Not at the moment today, but we're definitely working on improving the Terraform provider to provide a much more robust experience with fetching secrets from Vault. And I know I personally am working with the Terraform team as well to see how we can make that experience better. Yeah. Sorry, not a better answer today, but it's coming.

Rob Barnes: No problem. Thank you very, very much for that. We have another one here. So it's, would you consider supporting certificate pinning with mutual TLS? For example, not only will Vault accept a connection from a trusted client, but it will additionally inspect the certificate for specific fields, like subject DN or cert serial number? That one's Narayan, I think.

Narayan Iyengar: Yeah. I mean, we haven't heard that request before. So as Rob mentioned, just definitely do mention it in the discuss forum and we'll definitely or post an issue on GitHub and we'll definitely take a look at it and see how we can better support certificate pinning.

Rob Barnes: Amazing. Thank you. And just to kind of pin onto that myself, I think some of the announcements that we've heard today just really show that we do listen to the community and their wants and needs, and we do use that in our feature development. So I'll just echo what Narayan said, and please do raise that on discuss or on GitHub by raising the issue. We have another question here, and this is, should folks use Consul storage or Vault integrated storage when deploying Vault Enterprise on k8s? Brilliant question. Narayan?

Narayan Iyengar: I mean, the answer is your choice. There are definitely trade-offs between Consul and integrated storage. I mean, just to say that Consul as a storage backend for Vault is battle-tested. It has been deployed in production and at scale at many, many large enterprises. Integrated storage just went GA and we're still adding new features and bringing it up to speed with some of the features of Consul. But as I said, there are trade-offs that you have to consider. With Consul you have to have a separate cluster you have to manage, but with integrated storage you have to look at faster disks with more IOPS because it's using the underlying disk. So definitely trade-offs. And it's a personal preference, I would say.

Rob Barnes: Amazing. Thank you very much. We have one more, which is where do you store the state of Terraform when using it to configure Vault? Is it a chicken and egg problem? Again, another favorite of mine I'm going to, the person's called RCM. I'm not quite sure who that is, but it's a brilliant question. And I'm going to probably throw it out to Phil to start off with, but I'd like to hear both your thoughts on that one there.

Phil Sautter: Yeah. I mean, I can't speak much to the Vault part, but there's a lot of different options for storing your Terraform state, right? So we've got Terraform Cloud as a remote storage. And then basically in the cloud provider of your choice there is likely a backend to store your state. And there's many other options. Actually, you can look in our documentation and we've got quite a number of state backend storage options.

Rob Barnes: Brilliant. [crosstalk 00:14:28]

Phil Sautter: For the Vault part of the question, I'll throw it over to Narayan.

Narayan Iyengar: Was the question on how you store the Terraform state for Vault deployments, was that the more specific question, Rob?

Rob Barnes: I believe so. Yeah. So basically if you're trying to sort of configure Vault with Terraform, then you kind of have a chicken and egg problem, I guess is the gist of the question. That's a really good question.

Narayan Iyengar: Yeah. I mean, I don't think deploying Vault using Terraform follows any strange deployment pattern. As far as Terraform is concerned, it's another resource that is deployed. So any way you manage Terraform state today, whether it's Terraform Cloud or on-premises or a cloud backend, I think it's the same way you manage Vault state as well.

Dominique Top: All right. I think that's it. We're out of time. Thank you so much, Narayan, Phil. It was amazing to learn more about this. If you want more information, tomorrow they'll have a meetup. You can see that up there somewhere to sign up. We have to get on to the next one. That will be the last session on the main track today. That's Kristin Laemmert from our Terraform engineering team to talk about the path to Terraform 1.0, and as Rob said earlier, we've been very much looking forward to this. So I'm really excited to hear what Kristin has to say about this. Stay tuned.
