HashiConf 2018 – Tuesday Morning Keynote

Watch the live stream at http://www.hashiconf.com/live

Want the full press release of what’s being discussed this morning? Look no further than the official press release here.

HashiCorp Showcases Significant Product Updates Across its Multi-Cloud Infrastructure Automation Suite

Keynote starting soon – this blog will be a combination of notes and leveraging what I’m putting on Twitter.

The feel of the Fairmont is pretty neat – nice facilities for a small conference. Walking 6 blocks uphill here from the Hilton San Francisco Union Square was a bit brutal though.

Starting off thanking the sponsors by Nick.

Armon Dadgar now on stage

  • 1200 people at #HashiConf this year – impressive growth from last year.
  • HashiCorp User Groups are in 38 countries, 74 cities, and 15,000 members.
    • Shoutout to @ktuffner for starting the Charlotte one.
  • 80 release of HashiCorp products.
  • Download metrics – 22M in 2017, 45M in 2018
  • Employee Growth – 130+ in 2017, 320+ in 2018

  • Platform transition happening in moving to the cloud.
  • More importantly a process shift from ITIL file a ticket to more self-service.
    • 4 layers there – Networking, Infrastructure, Development, Operations

  • HashiCorp Suite
    • Terraform – Infrastructure as Code – Diverse Platforms – focused on Operations provisioning platforms
      • Operations Team Focus
    • Vault – Secret Management, Data Protection, Zero Trust Networks – Securing Infrastructure and applications
      • Security Team Focus
      • How to secure the inside of our castle – dealing with low trust networks
      • Largest Install Base
    • Nomad – how to deploy applications – Self Service, Diverse Workloads, High Performance.
      • Development Team focus
      • Fastest Growing
    • Consul – Discovery Routing and application discovery.
      • Networking Team focus but much more.
  • Accessibility – how to help people discover and use products.

New Products

  • Vault 0.1 – April 2015. Thinking about secrets that live within Vault but realized there’s a lot that won’t live in Vault. Lives in databases, data lakes, etc.
    • Applications doing crypto to protect data – encrypting before writing to a database.
    • Many apps don’t do this well though.
    • “Transit” Backend to help with this.
    • What about Privileged Operations? Need access but what happens when leave?
      • Led to Dynamic Secrets – created just-in-time, unique per client, auto-expiring.
      • Started with just standard databases – MS SQL, MySQL, Oracle, PostgreSQL
      • Expanded to NoSQL dbs’, Cloud Providers, Applications, Other Items (AD, SSH, PKI, etc.)
      • Goal = give time-bound access to prevent credential leaking
    • Overhaul of CLI and also UI

  • Batch Tokens – handle batch processes more gracefully. Handle thousands of authentications per second.

 

  • Other 1.0 Features
    • Migration between storage backends
    • Hig-Throughput Replication
    • OpenAPI Specifcation.
  • Road Ahead – what’s coming.
    • 1.0 Release
    • Extensible Security Platform
    • Broader Range of Challenge – how to solve in a modular way that keeps the simplicity of Vault’s core

HashiCorp Research Group

How to make security credential provisioning more intelligent. Can go between “Simple High Risk” (everyone is root) and “Complex Low Risk” (nothing works except with lots of time). How do you find the middle ground?

Vault Advisor is launching to help – watches what people put into Vault in order to create a Closed Feedback Loop. AI is not quite there yet so need people in the loop for mission critical systems. Goal = make operators more efficient by offering intelligent recommendations.

Vault Advisor over time explores the policy options to find a “Goldilocks Policy”.

Summary

  • Deep Dive Breakout session later.
  • Goal is GA – want to get to GA
  • Publish Whitepaper – more info coming.
  • Broaden past vault – explore discrepancy between how security software is configured and how it’s used.

Nomad

Armon taking it head on – doesn’t Kubernetes obviate need for Nomad?

Main purposes for Nomad that customers use which diverges from Kubernetes.

  • Container Scheduler
  • Legacy/Mixed Workloads
  • Batch High Performance

New Nomad Scheduler Features – adding affinity (example = must have SSD), anti-affinity (example = never on spinning disk), spreading (help fully leverage existing hardware).

Priority Scheduling – Nomad can set priorities, jobs are queued when busy, and also can set priority inversion.

Plugin Discussion – Task Drivers to help hand off tasks (hand off to Docker but an also modify them) and Device Drivers. This is the foundation for more plugins in the future.

Mitchell Hashimoto now on stage – time for Consul

Microservice Problems when moving from monolithic applications.

  1. Service Discovery – can’t use compiler and linker to jump to a memory location/line of code. Services are now on the network.
  2. Service Configuration –
  3. Segmentation (Security Challenges) – going from separate zones separated by firewalls (segmentation).

These categories combine into a Service Mesh – historically Consul has solved the Discovery & Configuration problems but not Segmentation. Customers handled that by using HA proxies, load balancers, firewalls, etc.

Consul Connect squarely takes on the Segmentation problem – built into Consul b/c Segmentation needs to know Discovery & Configuration details.

Going deeper into Consul Connect…

  • Service Access Graph
    • Intentions to Allow/Deny Communication
    • Source and Destination Service
    • Scale Independent
    • Managed with CLI, API, and Terraform
  • Sidecar proxies – can allow different kinds of proxies based on OS, performance needs, etc.
  • Consul UI now updated – hadn’t been touched for 3 years.

Announcing Consul 1.4 in Preview today

  • Envoy
    • Built-in support for Envoy as a proxy for Connect
    • Kubernetes integration uses Envoy
    • Envoy config can be modified
    • And more…
  • Revamped ACL system – hadn’t been touched much for 2 years.
    • Separate “Access Token” from “Policy”
    • Policy can be restricted by DC
    • Policies automatically replicated from Primary DC
    • Support for exact match (in addition to prefix match)
    • DC-Local Tokens – tokens that aren’t replicated globally.
    • In the UI from Day 1
  • Multi-Datacenter Connect
    • Lots here that I missed.

Paul Hinze on stage for a Terraform update

4 Conclusions

  1. Terraform needed deep language improvements.
    • Terraform 0.12 addresses this – ton of features around Language Ergonmics (bullet list of 10+ items)
  2. Collaboration is a universal problem.
    1. As org complexity grows, so does need for collaboration within Terraform.
    2. 3 levels of Terraform – Small Team, Business (affordable), Enterprise.
    3. Offering free remote state management for everyone – huge!

Mitchell Hashimoto now back on stage

Discussing how to play nice and be complementary with Kubernetes

Consul + Kubernetes

  • Helm Chart
  • Auto-join
  • Service Catalog Sync
  • Connect Sidecar Auto-inject with Envoy
  • Available now

I’m afraid I got distracted at this point – keynote was running long and I was working on rescheduling some meetings.

Dave McJanet finished up with an overview…and that’s a wrap!


Disclaimer: I attended HashiConf on a free media pass however paid for my own flights and hotel. There was no requirement for me to blog about any of the content presented and I was not compensated for my time at the event (unless random booth swag from sponsors counts). No materials discussed were presented under NDA.

 

 

One thought on “HashiConf 2018 – Tuesday Morning Keynote

  1. Pingback: HashiConf 2018 – Brief Interview with Armon & Mitchell | Think Meta

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s