HashiCorp looks into easier secret management for Kubernetes

HashiCorp has finished work on Consul 1.6 and offered a first look at upcoming Vault features aimed especially at users of the container orchestrator Kubernetes who haven't considered the secret management tool before.

In the next couple of months, the Vault team plans to release a number of features meant to give applications without built-in Vault logic automatic access to secrets. At the moment they're looking to gather feedback on the idea of integrating Vault with the Kubernetes Secrets mechanism via a periodically running syncer process. Syncing values into Kubernetes Secrets would also mean they end up in the cluster's etcd store, so the cluster's own controls (encryption at rest, RBAC on the Secrets API) become part of the trust boundary. Another concept the team is investigating is a Container Storage Interface plugin to inject secrets into a running pod.

On the implementation front they seem to be mostly busy extending the Helm chart introduced in early August. The initial version set out to facilitate running open source Vault on Kubernetes in single-server, highly-available, and dev mode. 

In addition to that it will soon offer the option to inject Vault static and dynamic secrets into the pod's filesystem via a sidecar. Compared to integrating Vault directly, the application then doesn't have to deal with Vault authentication tokens, leases and renewals; it simply reads its secrets from a filesystem path, while the sidecar handles the Vault side.

Meanwhile, the Consul team has ended the beta phase for version 1.6 of the service mesh and service discovery tool and made the final version generally available. The release brings cross-datacenter replication of the Connect certificate authority and of intentions, the rules that define which services may talk to which via Connect, to the open source edition. Previously this was only available to Enterprise subscribers.

Speaking of Connect, the service-to-service connection authorization and encryption module now features an endpoint to compile the discovery chain, and the compiler now generates the full SNI names for discovery targets.

New configuration entry types have been implemented to configure Envoy sidecars in a way that allows the setup of capabilities such as advanced failover or traffic shifting at the application layer. 
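To show what such a configuration looks like in practice, here is an added example (not code from the article or from HashiCorp) that writes two Consul 1.6 config entries for a hypothetical service `web` and applies them with `consul config write`. The service name, the subset names `v1`/`v2`, the `version` service-meta key and the failover datacenter `dc2` are illustrative assumptions; the entry kinds and field names are those of Consul's `service-resolver` and `service-splitter` config entries.

```bash
#!/usr/bin/env sh
# Added example, not from the article or from HashiCorp. Service name,
# subset names, the "version" meta key and datacenter "dc2" are assumed.

# write_entries DIR: create the two HCL config entries under DIR.
write_entries() {
  dir="$1"
  mkdir -p "$dir"

  # service-resolver: carve "web" into subsets by a service-meta tag and
  # fail over to dc2 when a subset has no healthy local instances.
  cat > "$dir/web-resolver.hcl" <<'EOF'
Kind          = "service-resolver"
Name          = "web"
DefaultSubset = "v1"

Subsets = {
  "v1" = {
    Filter = "Service.Meta.version == v1"
  }
  "v2" = {
    Filter = "Service.Meta.version == v2"
  }
}

# "*" applies to every subset without its own Failover stanza.
Failover = {
  "*" = {
    Datacenters = ["dc2"]
  }
}
EOF

  # service-splitter: send 90% of traffic to v1 and 10% to v2 (a canary).
  cat > "$dir/web-splitter.hcl" <<'EOF'
Kind = "service-splitter"
Name = "web"

Splits = [
  {
    Weight        = 90
    ServiceSubset = "v1"
  },
  {
    Weight        = 10
    ServiceSubset = "v2"
  },
]
EOF
}

# apply_entries DIR: push both entries to the local agent. Write the
# resolver first, since the splitter refers to the subsets it defines.
apply_entries() {
  dir="$1"
  consul config write "$dir/web-resolver.hcl" &&
  consul config write "$dir/web-splitter.hcl"
}

# entry_count DIR: number of generated config entries (used for checks).
entry_count() {
  ls "$1"/*.hcl | wc -l | tr -d ' '
}

# Usage: ./entries.sh /tmp/consul-entries
if [ "$#" -gt 0 ]; then
  write_entries "$1"
  apply_entries "$1"
fi
```

The `Failover` stanza is what gives Envoy its failover behaviour: if the local `v1` instances are all unhealthy, requests are routed to `web` in `dc2` instead of failing. The splitter does the traffic shifting; raising `v2`'s weight step by step moves the canary to full rollout without touching the application.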

Version 1.6 comes with an updated Go version and gRPC dependency to pick up upstream security fixes, so operators should treat the upgrade as a security update rather than a feature-only release. It also adds mesh gateways: Envoy proxies, run by Consul, that route Connect traffic between datacenters.

Developers still using the previously deprecated managed proxies and the ProxyDestination config field should be aware that both have been removed in this release, which will break setups that depend on them. A detailed list of changes can be found in the project's changelog.