TWIL: April 3, 2022
This Week I Learned about using HashiCorp Vault for secret management and Flux CD for GitOps in Kubernetes. I also highlight two interesting podcasts: one on Azure Marketplace and another on Flutter for Windows, by the usual suspects. I hope you find them interesting.
The Azure Podcast
Episode 418: Azure Marketplace
We have a wonderful discussion with David Starr, a Principal Software Engineer from the Commercial Marketplace Services team (and fellow host of his own podcast) to talk about the services available to ISVs and customers to get their cloud applications and solutions visibility via the Azure Marketplace so they can monetize them. We discuss Azure Managed Apps, App Source and various technical and business details around these services.
Episode 1784: Flutter for Windows with Chris Sells
Flutter comes to Windows! Carl and Richard talk to Chris Sells about the latest incarnation of Flutter, which now has desktop support for Windows. Flutter has been around for a few years helping to build mobile apps on iOS and Android with a unified codebase. But now it also supports deployment as a web app and as a Windows app, and soon macOS and Linux. Chris talks about how Flutter provides a hardware abstraction that has allowed the ecosystem to support even more platforms, and to build libraries that take Flutter in all sorts of directions.
Kubernetes Deployment vs StatefulSet: Which is Right for You?
A Deployment is a Kubernetes resource object used for declarative application updates. Deployments allow you to define the lifecycle of applications, including the container images they use, the number of pods and the manner of updating them. Like Deployments, StatefulSets manage the pods based on the same container specifications. However, they differ from deployments in that they maintain sticky identities for each pod. Pods may be created from an identical spec, but they are not interchangeable and are thus assigned unique identifiers that persist through rescheduling.
What is Vault?
Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, secrets and other sensitive data can be securely stored and managed, access to them tightly controlled (restricted), and every access audited.
HashiCorp Vault: Architecture
Vault is a complex system that has many different pieces. To help both users and developers of Vault build a mental model of how it works, this page documents the system architecture.
HashiCorp Vault: Kubernetes
Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart. The Helm chart allows users to deploy Vault in various configurations: Dev, Standalone, High-Availability or External.
HashiCorp Vault: Agent Injector vs. Vault CSI Provider
This document explores two different methods for integrating HashiCorp Vault with Kubernetes. The information provided is intended for DevOps practitioners who understand secret management concepts and are familiar with HashiCorp Vault and Kubernetes. This document also offers practical guidance to help you understand and choose the best method for your use case.
HashiCorp Vault: Agent Sidecar Injector
The Vault Agent Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates. By rendering secrets to a shared volume, containers within the pod can consume Vault secrets without being Vault aware.
HashiCorp Vault: Annotations
The following are the available annotations for the injector. These annotations are organized into two sections: agent and vault. All of the annotations below change the configurations of the Vault Agent containers injected into the pod.
HashiCorp Vault: Authentication Methods
Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user. In all cases, Vault will enforce authentication as part of the request processing. In most cases, Vault will delegate the authentication administration and decision to the relevant configured external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure, Okta …).
HashiCorp Vault: Authentication
Authentication in Vault is the process by which user or machine supplied information is verified against an internal or external system. Vault supports multiple auth methods including GitHub, LDAP, AppRole, and more. Each auth method has a specific use case.
HashiCorp Vault: External Storage
The storage stanza configures the storage backend, which represents the location for the durable storage of Vault’s information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support high availability while others provide a more robust backup and restoration process.
Vault on Kubernetes Deployment Guide
This deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault Reference Architecture. Although not a strict requirement to follow the Vault Reference Architecture, please ensure you are familiar with the overall architecture design.
Vault on Kubernetes Reference Architecture
This document outlines a reference architecture for deployment of HashiCorp Vault in the context of the Kubernetes cluster scheduler. Those interested in deploying a Vault service consistent with these recommendations should read the upcoming Vault on Kubernetes Deployment Guide which will include instructions on the usage of the official HashiCorp Vault Helm Chart.
Istio Service Mesh
Istio: How to use Sticky Sessions
The idea behind sticky sessions is to route the requests for a particular session to the same endpoint that served the first request. With a sticky session, you can associate a service instance with the caller based on HTTP headers or cookies. You might want to use sticky sessions if your service does an expensive operation on the first request but caches the result for all subsequent calls. That way, if the same user makes another request, the costly operation is not repeated and the value from the cache is used instead.
Flux: Get Started
This tutorial shows you how to bootstrap Flux to a Kubernetes cluster and deploy a sample application in a GitOps manner.
This guide walks you through setting up Flux to manage one or more Kubernetes clusters.
Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes. Podinfo is used by CNCF projects like Flux and Flagger for end-to-end testing and workshops.
Have an awesome week!
Photo by Brock Wegner on Unsplash