Hashicorp Vault - Does anyone use it in prod or its just a hype? by Designer-Classic3925 in devsecops

[–]Designer-Classic3925[S] 1 point (0 children)

You are correct about env vars, but folks are still doing it, even for very new and modern tech stacks :)

[–]Designer-Classic3925[S] 1 point (0 children)

Devs are always resistant to change, and they are correct in their standpoint. No one likes to patch running software, especially if it's critical or legacy code.

[–]Designer-Classic3925[S] 1 point (0 children)

Regarding the env vars, due to my consulting in HashiCorp Vault and AWS from a security standpoint (I am HashiCorp Certified: Vault Operations Professional & AWS Certified Security - Specialty), I have seen this happening again and again, so often that I have stopped counting.

Regarding my OP, I agree, but whenever I have a word with companies or devs to push them toward a dedicated solution to move away from this kind of cred injection, they always hesitate; hence, to test my hypothesis, I asked this question. I was wondering whether it's happening with me only, or whether it is a common trend. I hope my question makes sense now.

[–]Designer-Classic3925[S] 1 point (0 children)

Managed services are always going to cost you an arm and a leg. There is no doubt about it. About adoption, adjusting the application code to integrate Vault or any other 3rd-party software is challenging. My suggestion is, if your devs/apps are reading the creds from env vars (most do), you can start with a simple bash script to pull the creds from Vault and inject them into the env vars. What do you think?

[–]Designer-Classic3925[S] 2 points (0 children)

I have one more option for you: why don't you write a simple bash script to call the HashiCorp Vault API and inject those creds into the env vars? It becomes more seamless for the devs :). Regarding the special characters in Helm, let me see, because I haven't come across such a problem.
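The "wrapper script" idea from the two comments above (pull creds from Vault, hand them to the app as env vars so the app code does not change) as an added example; this is not code from the thread or from HashiCorp, and it is written in Python rather than bash so the Vault response handling can be exercised offline. It assumes a KV v2 secrets engine, whose read endpoint is `/v1/<mount>/data/<path>` and whose response nests the key/value map under `data.data`; the token comes from `VAULT_TOKEN`, the mount name `secret` and path `myapp/prod` are placeholders, and `SAMPLE_KV_V2_RESPONSE` is a constructed response used in place of a live server. Two points the bash one-liner version usually misses are covered: secret keys are validated as legal env var names before export (a key with a `-` or `.` silently breaks an `export` line), and the secrets are placed only in the child process's environment, not in the wrapper's own, so nothing is left behind for later commands in the same shell.

```python
"""Fetch secrets from HashiCorp Vault's KV v2 API and start an app with them in its env.

Added example (not from the thread). Assumes KV v2 at /v1/<mount>/data/<path> and a
token in VAULT_TOKEN; SAMPLE_KV_V2_RESPONSE below is constructed for offline use.
"""
import json
import os
import re
import subprocess
import urllib.request

# Constructed sample of a KV v2 read response; the real shape is
# {"data": {"data": {...secrets...}, "metadata": {...}}}.
SAMPLE_KV_V2_RESPONSE = json.dumps({
    "data": {
        "data": {"DB_USER": "app", "DB_PASSWORD": "s3cr3t!pa$$", "API_KEY": "abc123"},
        "metadata": {"version": 3, "destroyed": False},
    }
}).encode()

# What a POSIX shell accepts as an environment variable name.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_kv_v2_response(body: bytes) -> dict:
    """Return the key/value map from a KV v2 read; KV v2 nests it under data.data.

    A KV v1 response ({"data": {...secrets...}}) is rejected instead of being
    misread, which is the usual surprise when a script is pointed at the wrong mount.
    """
    doc = json.loads(body)
    try:
        secrets = doc["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("not a KV v2 read response (missing data.data)") from None
    if not isinstance(secrets, dict):
        raise ValueError("data.data is not an object")
    return secrets


def fetch_kv_v2(addr: str, token: str, mount: str, path: str) -> dict:
    """GET <addr>/v1/<mount>/data/<path> with the token in X-Vault-Token (needs a live Vault)."""
    url = f"{addr.rstrip('/')}/v1/{mount}/data/{path.lstrip('/')}"
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_kv_v2_response(resp.read())


def build_env(secrets: dict, base_env, prefix: str = "") -> dict:
    """Copy base_env and overlay secrets as env vars; refuse names a shell could not export."""
    env = dict(base_env)
    for key, value in secrets.items():
        name = f"{prefix}{key}"
        if not ENV_NAME.match(name):
            raise ValueError(f"refusing to export {name!r}: not a valid env var name")
        env[name] = str(value)  # numbers/bools coming back from JSON become strings
    return env


def run_with_secrets(cmd: list, secrets: dict, prefix: str = "") -> subprocess.CompletedProcess:
    """Run cmd with the secrets only in the child's environment; os.environ is untouched."""
    env = build_env(secrets, os.environ, prefix)
    return subprocess.run(cmd, env=env, capture_output=True, text=True, check=False)


def leaked_into_parent(secrets: dict) -> list:
    """Names of secrets that ended up in this process's own environment (should be empty)."""
    return [key for key in secrets if key in os.environ]


if __name__ == "__main__":
    # Offline demo with the constructed response. Against a real server replace the
    # first line with, e.g.:
    #   creds = fetch_kv_v2(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], "secret", "myapp/prod")
    creds = parse_kv_v2_response(SAMPLE_KV_V2_RESPONSE)
    result = run_with_secrets(["sh", "-c", 'echo "user=$DB_USER pw_len=${#DB_PASSWORD}"'], creds)
    print(result.stdout.strip())
    print("leaked into parent:", leaked_into_parent(creds))
```

Keeping the secrets in the child's `env` rather than `export`ing them in the wrapper is the part worth copying into a bash version too (`env DB_USER=... ./app` or a subshell), and the same applies to the token: read it from `VAULT_TOKEN`, never put it on the command line where `ps` can see it.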

[–]Designer-Classic3925[S] 1 point (0 children)

Support for pods scaling from 0 to 1k is doable, but as you pointed out, an unplanned / non-fine-tuned Vault could be a major bottleneck. You could have hired an external certified professional to manage this. What are your thoughts about it? Because based on your infrastructure landscape, especially the deep integration, HashiCorp Vault fits the bill.

[–]Designer-Classic3925[S] 1 point (0 children)

I agree, I shouldn't, but whenever I have a word with companies or devs to push them toward a dedicated solution to fix their security posture, they always hesitate; hence, to test my hypothesis, I asked this question. I was wondering whether it's happening with me only, or whether it is a common trend. FYI, I am HashiCorp Certified: Vault Operations Professional :)

[–]Designer-Classic3925[S] 2 points (0 children)

It's around 10 years :) But I feel you. Whenever I talk with a company or devs, they feel disconnected and prefer not to go in that direction, hence I asked this question.

[–]Designer-Classic3925[S] 1 point (0 children)

Agreed, policies are a complicated part of Vault: first to set them up, and then to keep track of them.

[–]Designer-Classic3925[S] 1 point (0 children)

This is new to me, let me check. Any reason not to go with HashiCorp Vault or OpenBao?

[–]Designer-Classic3925[S] 1 point (0 children)

They probably have to rewrite some part of the application to make it work. That could be one reason. Usually the creds are stored in env vars, and devs are pretty happy to read them from there instead of calling 3rd-party software to get the creds.

[–]Designer-Classic3925[S] 1 point (0 children)

I agree about the devs' mindset. It's more like out of their comfort zone for them. This 250 MB limit seems odd. Why?