HashiConf took place on October 14 and 15, in virtual format due to the health context. Among the many novelties in HashiCorp's arsenal, we were treated to the announcement of two brand-new products! In this article we will review together the new products presented, including HashiCorp Boundary and HashiCorp Waypoint.
Boundary completes HashiCorp's security offering. Until now HashiCorp Vault handled secrets management, but access to the resources themselves remained a challenge for users.
HashiCorp Boundary completes the Vault offering by answering this challenge:
The tool authenticates a user, who is assigned a role with defined rights that allow or deny connecting to services or servers, without installing an agent on them beforehand:
Imagine the following simplified scenario:
The user authenticates to HashiCorp Boundary with a defined authentication method (e.g. SSO).
Once authenticated, the user accesses a catalog of resources according to the rights granted by their role (example: in AWS, all the EC2 instances of a VPC).
The user selects the server or service and is connected (e.g. SSH to the EC2 instance in a private subnet).
Boundary is now available in version 0.1 and can be configured with Terraform (version 0.12 or later).
For those who wish to do without Terraform for configuration and use, note that the tool also has an API, a CLI and a UI.
Of course, the product is at version 0.1 and there are some limitations today (especially with regard to the example above). However, you can visit the Boundary roadmap and give your feedback.
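To make the three-step scenario concrete, here is an added Terraform configuration (not taken from the article or from HashiCorp's documentation) that models it with the Boundary provider: an authentication method and user, a role whose grants only allow listing targets and opening sessions, a static host catalog standing in for the EC2 instances of a VPC, and an SSH target. Resource names follow the provider as it shipped alongside Boundary 0.1 (boundary_auth_method, boundary_account, boundary_host_catalog, ...); later provider releases renamed several of them, so check against the current provider documentation. The controller address, credentials, host address and the "ampw_" auth method id are placeholders.

```hcl
terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

# Placeholders for a lab controller; the auth method id comes from your own deployment.
provider "boundary" {
  addr                            = "http://127.0.0.1:9200"
  auth_method_id                  = "ampw_REPLACE_ME"
  password_auth_method_login_name = "admin"
  password_auth_method_password   = "REPLACE_ME"
}

# An organisation scope, then a project scope holding hosts and targets.
resource "boundary_scope" "org" {
  name                     = "acme"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_scope" "project" {
  name                   = "ec2-private"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

# Step 1: an authentication method (password here; SSO is the article's example).
resource "boundary_auth_method" "password" {
  name     = "corp-password"
  type     = "password"
  scope_id = boundary_scope.org.id
}

resource "boundary_account" "alice" {
  name           = "alice"
  type           = "password"
  login_name     = "alice"
  password       = "REPLACE_ME" # placeholder; feed from a sensitive variable in practice
  auth_method_id = boundary_auth_method.password.id
}

resource "boundary_user" "alice" {
  name        = "alice"
  scope_id    = boundary_scope.org.id
  account_ids = [boundary_account.alice.id]
}

# Step 2: a role limited to listing targets and authorizing sessions in the project.
# No grant on hosts, catalogs or scopes, so alice cannot alter the catalog she sees.
resource "boundary_role" "ssh_users" {
  name           = "ssh-users"
  scope_id       = boundary_scope.org.id
  grant_scope_id = boundary_scope.project.id
  principal_ids  = [boundary_user.alice.id]
  grant_strings  = ["id=*;type=target;actions=list,read,authorize-session"]
}

# The catalog of resources alice will see: one EC2 instance on a private subnet
# (the address is constructed for this example).
resource "boundary_host_catalog" "ec2" {
  name     = "ec2-private-subnet"
  type     = "static"
  scope_id = boundary_scope.project.id
}

resource "boundary_host" "app_1" {
  name            = "app-1"
  type            = "static"
  address         = "10.0.12.7"
  host_catalog_id = boundary_host_catalog.ec2.id
}

resource "boundary_host_set" "app_servers" {
  name            = "app-servers"
  type            = "static"
  host_catalog_id = boundary_host_catalog.ec2.id
  host_ids        = [boundary_host.app_1.id]
}

# Step 3: a TCP target on port 22. The user then runs
# `boundary connect ssh -target-id <id>`; nothing is installed on the instance.
resource "boundary_target" "ssh" {
  name                     = "ssh-app-servers"
  type                     = "tcp"
  default_port             = 22
  scope_id                 = boundary_scope.project.id
  host_set_ids             = [boundary_host_set.app_servers.id]
  session_connection_limit = 1
}
```

The grant string is the least-privilege part worth copying: it gives the role read and session rights on targets only, so the user cannot enumerate or edit hosts and scopes, and the session limit keeps one authorization from being reused for several connections.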
« Developers just want to deploy » is the HashiCorp quote that best defines the objective of this new product.
HashiCorp Waypoint is a tool built around a workflow to build, deploy and release an application on any platform.
The value of the product is to abstract away both the application code and the deployment platform, with a single configuration file in a common language:
What does HashiCorp Waypoint support to date across its lifecycle?
At Build level:
Docker Pull Build
Cloud Native Buildpacks
At Deploy level:
Google Cloud Run
Azure Container Instances
Finally, at Release level: it depends on the deployment platform (see here for more details).
There are a few more functionalities, such as:
Waypoint URL generated per application and deployment: each application deployed by Waypoint gets a public URL under « waypoint.run » with a TLS certificate signed by Let's Encrypt. This functionality is optional.
Waypoint Exec: executes remote commands in the deployed application.
Waypoint Logs: retrieves a snapshot of the current logs of the deployed application.
A web UI in addition to the CLI.
Plugins: the strength and potential of Waypoint lie in its plugins. To date, Waypoint has about ten plugins (e.g. Kubernetes, AWS ECS, Google Cloud Run, etc.) and will probably have many more in the coming months. This is an invitation to the community to get involved!
A tool made for CI/CD: Waypoint integrates very well into an automation or CI/CD context. You can find several examples on the official website (e.g. GitHub Actions, GitLab CI/CD, etc.).
Of course, the product is at version 0.1 and, there again, there are limitations. However, you can visit the Waypoint roadmap and give your feedback.
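The "one configuration file with a common language" is easier to picture with an example. The following waypoint.hcl is added here and is not taken from the article or from HashiCorp's examples: it chains a Cloud Native Buildpacks build, a push to a registry, a Kubernetes deploy and a Kubernetes release, and opts out of the public waypoint.run URL, which is the optional feature mentioned above that a team running an internal service would not want switched on. The project name, registry address and probe path are constructed for the example.

```hcl
project = "inventory-api"

# The waypoint.run hostname is handy for demos but publishes every deployment
# on the internet behind a Let's Encrypt certificate; disable it for internal services.
url {
  auto_hostname = false
}

app "inventory-api" {
  labels = {
    "service" = "inventory-api"
    "env"     = "dev"
  }

  # Build: Cloud Native Buildpacks ("pack" plugin), so no Dockerfile is needed.
  build {
    use "pack" {}

    # Push the image somewhere the deployment platform can pull from.
    # The tag is derived from the git ref, which ties each image to a commit.
    registry {
      use "docker" {
        image = "registry.example.internal/inventory-api" # placeholder registry
        tag   = gitrefpretty()
      }
    }
  }

  # Deploy: Kubernetes plugin; probe_path becomes the readiness probe so a
  # failing pod is never released.
  deploy {
    use "kubernetes" {
      probe_path = "/healthz"
      replicas   = 2
    }
  }

  # Release: platform dependent; on Kubernetes the plugin repoints the Service
  # at the new deployment once it is ready.
  release {
    use "kubernetes" {}
  }
}
```

With this file in place, `waypoint init` registers the project and `waypoint up` runs the three stages in order; `waypoint exec` and `waypoint logs` then work against the deployment it produced.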
Terraform 0.14 (Public Beta)
Terraform 0.14 has finally been released as a public beta, and we are getting closer and closer to version 1.0 (planned for 2021)!
Here are the highlights of the new features:
Sensitive input variables: variables can now be marked « sensitive » so that their values do not appear in the output. Note that, to date, the value is still present in the state file in clear text.
Shorter diff: some of you may have noticed that since version 0.12 the plan or apply displays much more information than previous versions. It will now show only the modified, added or deleted lines and hide the unchanged ones.
Provider Dependency Lock File: since version 0.13, more and more providers have been created and the pace of upgrades for each of them has accelerated. This feature pins provider versions so that an unintended provider upgrade cannot alter your IaC.
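Here is an added example (not from the article) showing the sensitive variable and the lock file together, with the caveat the article raises: because the value still lands in the state file in clear text, the state is kept in an encrypted remote backend rather than on a laptop. The bucket name, region and the lock file hashes are placeholders, and the several files are shown one after the other with comment headers; the lock file itself is generated by `terraform init`, not written by hand.

```hcl
# ---- variables.tf ----
# Terraform 0.14+: the value is redacted as (sensitive) in plan and apply output.
variable "db_password" {
  type        = string
  sensitive   = true
  description = "Application database password"
}

# ---- main.tf ----
terraform {
  required_version = ">= 0.14"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }

  # The state still contains db_password in clear text: keep it remote,
  # encrypted at rest and readable only by the pipeline identity.
  backend "s3" {
    bucket  = "example-tfstate-bucket" # placeholder
    key     = "app/terraform.tfstate"
    region  = "eu-west-1"
    encrypt = true
  }
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password # appears as (sensitive) in the shorter diff
  skip_final_snapshot = true
}

# ---- outputs.tf ----
# An output built from a sensitive value must itself be marked sensitive;
# otherwise Terraform 0.14 refuses to apply.
output "db_connection_string" {
  value     = "postgres://app:${var.db_password}@${aws_db_instance.app.address}:5432/app"
  sensitive = true
}

# ---- .terraform.lock.hcl (generated by `terraform init`; commit it) ----
# A later init that would resolve a different version fails until you run
# `terraform init -upgrade` on purpose, and the hashes catch a tampered binary.
provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.11.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:PLACEHOLDER_HASH_1",
    "zh:PLACEHOLDER_HASH_2",
  ]
}
```

The two halves address different risks: `sensitive = true` stops the secret from leaking into CI logs, while the lock file stops a provider upgrade from silently changing what the same IaC does between two runs.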
Among the good surprises, HashiCorp Consul is also moving to version 1.9 beta. This version focuses on observability, more service mesh features and, finally, better integration with Kubernetes.
Here is what this new version offers us:
Application-Aware Intentions (HTTP and gRPC): intentions now support layer 7, allowing or denying communication between services based on the HTTP headers, URI or URL path of requests.
Service Mesh Visualization: in Consul's UI it is now possible to see the topology of the different services and their interactions; new application metrics also appear, such as requests per second, error count and latency.
Custom Resources for Kubernetes: Consul's service mesh can now be configured via Kubernetes Custom Resource Definitions (CRDs).
Deployment of a Consul cluster in OpenShift via a Helm chart.
Active Health Checks for Consul on Kubernetes: lets Consul's service mesh integrate Kubernetes health checks (readiness probes) so as to avoid routing traffic to an unhealthy pod (readiness or health check failing).
Streaming: reduces the CPU usage and bandwidth of a large Consul cluster, in particular by improving the processing of blocking queries.
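To show what a layer 7 intention looks like, here is an added service-intentions config entry (not from the article or from Consul's documentation) for a constructed "api" service: the web front end may only read the public endpoints, an admin console may reach the admin endpoints when it sends an expected header, and every other source is denied. It is applied with `consul config write` and only takes effect if the destination service is declared with `Protocol = "http"` in a service-defaults entry; the service names and paths are assumptions for the example.

```hcl
Kind = "service-intentions"
Name = "api"

Sources = [
  {
    # The web front end: read-only access to the public part of the API.
    # Permissions are evaluated in order and the first match wins.
    Name = "web"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v1/public/"
          Methods    = ["GET", "HEAD"]
        }
      },
      {
        # Explicit catch-all so the intent is visible in the UI; a request that
        # matches no permission is denied anyway.
        Action = "deny"
        HTTP {
          PathPrefix = "/"
        }
      }
    ]
  },
  {
    # The admin console may call admin endpoints, and only with the header the
    # console sets. This is defense in depth on top of mTLS identity, not a
    # substitute for it: the source identity is still checked by the mesh.
    Name = "admin-console"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v1/admin/"
          Header = [
            {
              Name  = "X-Request-Source"
              Exact = "admin-console"
            }
          ]
        }
      }
    ]
  },
  {
    # Default deny for every other service in the mesh.
    Name   = "*"
    Action = "deny"
  }
]
```

Keeping the wildcard deny as the last source is the habit to adopt: without it, the outcome for an unlisted service depends on the agent's `default_policy`, and a permissive default quietly undoes the per-path rules above.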
Finally, two more announcements related to HashiCorp Consul:
Vault HCP (Private Beta) & Consul HCP (Public Beta)
HashiCorp Cloud Platform (HCP) is a managed platform on which HashiCorp products are deployed in an automated way.
HashiCorp maintains the infrastructure and hosts it on the chosen cloud provider (e.g. Azure or AWS). You can then access your cluster directly or create a private link (e.g. VPC peering for AWS) to connect to it.
For Nomad 1.0, the new features are still under wraps, but Yishan Lin (Nomad's Product Manager) has indicated that namespaces will move from the Enterprise version to open source!
From the changelog we can get an idea of some of the features that will come out:
Event Stream: streams Nomad object events in real time: JobEvent, AllocEvent, EvalEvent, DeploymentEvent and NodeEvent.
Topology Visualization: shows the status of each client and its allocations in the UI.
ABOUT THE AUTHOR
Official AWS trainer (AAI) and HashiCorp ambassador, but above all passionate about the cloud and DevOps culture, Mehdi Laruelle is interested in automation and security. Knowledge is a passion he loves to share, whether through training courses... or articles! (More on: https://keybase.io/mlaruelle)
The reBirth blog
We fight against intellectual shortcuts, propose alternatives, challenge practices, share our experiences and provoke a reaction. In this sense we TAKE ACTION and reveal singularities.