Egg vs chicken — Ansible Vault vs Hashicorp Vault vs Kubernetes Secrets

Hashicorp Vault vs kubernetes Secrets

  • Which one bootstrap the other ?
  • Which one has the highest authority to store secrets ?
  • The mindset of delivering everything thru CI/CD pipelines.
  • Releasing our Kubernetes applications thru Helm charts.

Let’s explore how many CI/CD pipelines we have, then, we will conclude the communication flow among Vault systems

CI/CD — Helm Charts

  • CI/CD system fetches secrets from Hashicorp Vault thru REST calls . Indeed, Vault is an API-based application.
  • CI/CD system forwards this values to the command helm upgrade myrelease private/mychart -f mysecrets.yaml
  • Helm forwards these values to the right YAML templates (kind: Secret).
  • Helm generates the computed manifests and apply changes ( helm install or helm upgrade by sending them to the Kubernetes api-server ( or delegate to Tiller with helm2 ).
CI/CD helm charts

CI/CD — Cluster Computing Nodes

  • CI/CD stores Ansible vaultkey (master key) and inject it after checking out playbooks from the source control system (git)
  • CI/CD calls ansible-playbook to provision the Cluster
  • Idempotently, ansible makes sure that the Cluster up and running.
CI/CD — Cluster
playbook provisions the whole kubernetes cluster

CI/CD — Infrastructure

But how do we create these computing resources ?

  • CI/CD makes Credentials of Cloud provider available.
  • CI/CD executes terraform apply.
  • Terraform compares the actual infrastructure with the desired one, detects differences then applies them.
main.tf — Terraform main file

Big Picture — Putting all together

All together 😎
  • Before installing Hashicorp Vault, you can rely on the CI/CD system to store some credentials needed for bootstrapping everything until having Hashicorp Vault up & running. With Jenkins, Credentials management component is your friend. With Bamboo, Bamboo Specs Encryption is what you need.
  • After installing Hashicorp Vault, all subsequent secrets must be saved on it. Optionally, bootstrap credentials can be migrated from CI/CD store to Hashicorp Vault for consistency.

Bonus:

Conclusion

Related:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abdennour Toumi

Abdennour Toumi

Software engineer, Cloud Architect, 5/5 AWS|GCP|PSM Certified, Owner of kubernetes.tn