Flux7 Take: HashiCorp News & DevOps Best Practices
At the recent HashiConf 2017 here in Austin, HashiCorp announced several updates and new features that we are pretty excited about. If you are a regular follower of this blog, you know that we’ve become heavy users of many HashiCorp tools of the past few years as they excel at helping further DevOps automation for greater efficiency, security and productivity. Today we’re going to share with you which new announcements we’re most excited about and why.
Terraform Module Registry
Over our last several projects, we’ve become heavier Terraform users to automate infrastructure provisioning. As an open source tool, Terraform allows you to build, change and version infrastructure via configuration files. These configuration files describe the components you need to run anything from the simplest application to entire infrastructures.
New is the Terraform Module Registry that gives admins example infrastructure templates which will make provisioning even easier. This public repository of templates for common infrastructure patterns and popular services can help you define infrastructure as code in AWS and other popular cloud platforms. There are two types of modules available in the Module Registry: Verified modules, which are certified and compatibility tested by HashiCorp, and community modules which can be contributed by anyone but aren’t HashiCorp validated.
Flux7 Take: If you read our recent blog about Terraform, you know that we like its modular approach, which makes it easy to write reusable code. So, it’s probably not a surprise that we also like the Module Registry as it creates a central repository for community members like Flux7 to publish best practices modules directly from GitHub. In this way, the module registry and the ability to create modules takes self-service infrastructure to the next level, further helping codify best practice builds.
Brand new is Sentinel, which HashiCorp touts as a new policy as code framework that integrates across its Enterprise product suite, including the aforementioned Terraform Module Registry. It enables teams to codify those policies to be complied with — from IT guardrails to business requirements, legal compliance, and more — by actively enforcing these policies in running systems. Sentinel is comprised of several components: a new policy-oriented language, embedded runtime, development simulator, and plugin SDK.
Flux7 Take: Just as DevOps automation provides teams with the power to significantly increase productivity and efficiency, it can also pose risk when executed incorrectly. Policy as code is important in ensuring that teams remain within the appropriate guardrails in these cases, allowing them to safely and securely scale their infrastructure. At Flux7, we advocate the use of inspectors as part of an Enterprise DevOps model where guardrails can be monitored and enforced. Thus allowing teams to extend infrastructure automation to more admins, helping ease skill gaps with the assurance that infrastructure is following defined policy.
We also like that Sentinel treats policy like an application, using real programming constructs to define policies. Moreover, Sentinel’s ability to alert and reject actions is quite helpful in enforcing a risk-based policy approach. We wish that Sentinel were also integrated with HashiCorp’s open source tools, but that said, it does make for a powerful draw to upgrade to HashiCorp’s enterprise products.
Vault is HashiCorp’s automated secret management platform that provides an interface to static secrets in encrypted form as well as dynamic secrets with tight security controls. Vault can dynamically — automatically and on demand — create secrets for things like passwords or keys. New to HashiCorp Vault is support for Kubernetes. This native integration extends secrets management to Kubernetes without additional integration components or requirements.
Flux7 Take: The demand from organizations for automated, centralized credential management has not slowed. And as Kubernetes gains popularity across enterprises, the extension of Vault to the container orchestration system is important. With native integration, Vault can now seamlessly inject secrets into Kubernetes clusters to keep things moving at full speed. Vault is a highly recommended injector in the Flux7 Enterprise DevOps Framework as it allows admins to have their service and configuration information available for services to pull when needed.
In addition to the above, it also worth noting is that HashiCorp announced updates to Consul open source, improving its Access Control List (ACL) system, making bootstrapping and configuring ACLs easier. They also announced a beta of their scheduler, HashiCorp Nomad 0.7, which will include an access control system to help operators limit access to APIs and jobs. And, it will feature an integrated graphical user interface to explore the status of jobs, task groups, tasks and allocations. We look forward to seeing both of these improvements.