@hashicorp
Solving CI Challenges
Nicolas Corrarello @nomadic_geek
May / 2017
whoami
• Nico <[email protected]>
• General geek and DadOps beginner
• Opinionated Italian
• Argentinian with a hard to pronounce surname
• Red Hat, Symantec, Rackspace, Puppet, Hashicorp
• ncorrare @github, sgtpepper @freenode
• http://nicolas.corrarello.com
https://en.wikipedia.org/wiki/Elephant
https://commons.wikimedia.org/wiki/File:Pride_of_Pets_Dog_Show,_2011_(6271388774).jpg
Issues with CI servers and pipelines
• How do I ensure my build environment matches my actual environment?
• How do I provide a homogeneous workflow for consuming credentials in my pipeline and in my production environment?
• How do I store and retrieve credentials securely?
• How do I sign and verify binaries to ensure parity between CI and production?
• How do I know I am testing against the correct services in a very dynamic infrastructure?
• Most importantly, how do I accomplish all of this programmatically?
Audience participation warning…
• Are you compromising on security for agility?
• How close are your tests to your real world?
• How many manual steps are there from development to production?
https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/
Throw it over the wall…
https://tisquirrel.files.wordpress.com/2015/06/anti-copy-4.png
Do both sides of the wall look the same?
https://commons.wikimedia.org/wiki/Cloud#/media/File:Sc_2.jpg
Provision, secure, and run any infrastructure for any application
VAULT
Secrets Management
• Provide Secret Governance
• Privileged Access Management
• Securely Store Any Secret
• Encryption as a Service
• Eliminate Secret Sprawl
NOMAD
• Service & System: long running
• Dispatch Workloads: short-lived, elastic
• Batch Workloads: big data
• High Availability, Hybrid Cloud
• Efficient Resource Utilization
• High Performance
CONSUL
• Orchestration: event driven orchestration
• Runtime Configuration: dynamic configuration at scale
• Service Discovery: services can find other services
Operational Patterns
• Vault as centralised secret store
• Sign and verify artefacts with Vault
• Encrypt and decrypt payloads with Vault
• Nomad as a consistent way of scheduling tasks across multiple datacenters, with diverse infrastructure
• Service Discovery with Consul
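The "sign and verify artefacts with Vault" pattern above is the answer to the earlier question about CI/production parity: CI asks Vault's transit engine to sign a digest of the build output, and the deploy step asks Vault to verify that signature before anything runs, so the private key never leaves Vault and a tampered or substituted binary is refused. The following Python is an added example written for this deck, not HashiCorp's code or anything from the talk. It assumes a transit key named `ci-signing` (hypothetical name, created with `vault secrets enable transit` and `vault write -f transit/keys/ci-signing type=ed25519`) and `VAULT_ADDR`/`VAULT_TOKEN` in the environment for the real client; the `OfflineTransit` class is a constructed stand-in so the sign/verify flow can be exercised without a server.

```python
"""Sign a build artifact in CI with Vault's transit engine and verify it before deploy.

Added example for this deck; not HashiCorp's code. Assumptions (hypothetical):
  - a transit key "ci-signing":  vault secrets enable transit
                                  vault write -f transit/keys/ci-signing type=ed25519
  - VAULT_ADDR / VAULT_TOKEN in the environment for the real client.
"""
import base64
import hashlib
import hmac
import json
import os
import urllib.request

KEY_NAME = "ci-signing"  # assumed transit key name


def vault_request(path: str, body: dict) -> dict:
    """POST a JSON body to a Vault API path and return the decoded JSON response."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ.get("VAULT_TOKEN", "")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def digest_b64(artifact: bytes) -> str:
    """Transit takes base64 input. Signing the SHA-256 digest keeps large binaries
    out of the request; the deployer recomputes the same digest before verifying."""
    return base64.b64encode(hashlib.sha256(artifact).digest()).decode()


def sign_artifact(artifact: bytes, request=vault_request, key: str = KEY_NAME) -> str:
    """CI side: returns Vault's signature string, e.g. 'vault:v1:<base64>'.
    CI only needs a token whose policy allows transit/sign on this key."""
    resp = request(f"transit/sign/{key}", {"input": digest_b64(artifact)})
    return resp["data"]["signature"]


def verify_artifact(artifact: bytes, signature: str,
                    request=vault_request, key: str = KEY_NAME) -> bool:
    """Production side, failing closed: anything other than an explicit valid=true
    from Vault (bad signature, wrong key, network error) rejects the artifact."""
    try:
        resp = request(f"transit/verify/{key}",
                       {"input": digest_b64(artifact), "signature": signature})
        return resp["data"]["valid"] is True
    except Exception:
        return False


class OfflineTransit:
    """Constructed stand-in for the transit sign/verify endpoints so the client flow
    can run without a server. It imitates the 'vault:v1:' format with an HMAC, which
    is NOT what Vault does (Vault uses the real asymmetric key held inside it)."""

    def __init__(self):
        self._secret = os.urandom(32)

    def _sig(self, input_b64: str) -> str:
        mac = hmac.new(self._secret, input_b64.encode(), hashlib.sha256).digest()
        return "vault:v1:" + base64.b64encode(mac).decode()

    def __call__(self, path: str, body: dict) -> dict:
        if path.startswith("transit/sign/"):
            return {"data": {"signature": self._sig(body["input"])}}
        if path.startswith("transit/verify/"):
            expected = self._sig(body["input"])
            return {"data": {"valid": hmac.compare_digest(expected, body["signature"])}}
        raise ValueError(f"unexpected path {path}")


def demo() -> tuple:
    """Sign a constructed artifact, then check the untouched copy, a tampered copy,
    and a forged signature. Returns (original_ok, tampered_ok, forged_ok)."""
    vault = OfflineTransit()
    artifact = b"\x7fELF constructed build output v1"  # constructed sample bytes
    sig = sign_artifact(artifact, request=vault)
    return (
        verify_artifact(artifact, sig, request=vault),
        verify_artifact(artifact + b"\x00", sig, request=vault),
        verify_artifact(artifact, "vault:v1:AAAA", request=vault),
    )


if __name__ == "__main__":
    ok, tampered, forged = demo()
    print(f"original valid={ok}, tampered valid={tampered}, forged valid={forged}")
```

With a real Vault, drop the `request=` argument and the same two functions talk to `transit/sign/ci-signing` and `transit/verify/ci-signing` over HTTP; the CI token should be limited by policy to the sign path and the deploy token to the verify path, which is the programmatic separation the deck is asking for.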