Solving CI Operational Challenges

@hashicorp Solving CI Challenges Nicolas Corrarello @nomadic_geek May / 2017

Upload: nicolas-corrarello

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Solving CI Operational Challenges

@hashicorp

Solving CI Challenges

Nicolas Corrarello @nomadic_geek

May / 2017

Page 2: Solving CI Operational Challenges
Page 3: Solving CI Operational Challenges

whoami

- Nico <[email protected]>
- General geek and DadOps beginner
- Opinionated Italian - Argentinian with a hard to pronounce surname
- Red Hat, Symantec, Rackspace, Puppet, HashiCorp
- ncorrare @github, sgtpepper @freenode
- http://nicolas.corrarello.com

Page 4: Solving CI Operational Challenges

https://en.wikipedia.org/wiki/Elephant

Page 5: Solving CI Operational Challenges

https://commons.wikimedia.org/wiki/File:Pride_of_Pets_Dog_Show,_2011_(6271388774).jpg

Page 6: Solving CI Operational Challenges

Issues with CI servers and pipelines

• How do I ensure my build environment matches my actual environment?

• How do I provide a homogeneous workflow for consuming credentials in my pipeline and in my production environment?

• How do I store and retrieve credentials securely?

• How do I sign and verify binaries to ensure parity between CI and production?

• How do I know I am testing against the correct services in a very dynamic infrastructure?

• Most importantly, how do I accomplish all of this programmatically?

Page 7: Solving CI Operational Challenges

Audience participation warning…

• Are you compromising on security for agility?

• How close are your tests to your real world?

• How many manual steps are there from development to production?

Page 8: Solving CI Operational Challenges
Page 9: Solving CI Operational Challenges

https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/

Page 10: Solving CI Operational Challenges
Page 11: Solving CI Operational Challenges
Page 12: Solving CI Operational Challenges

Throw it over the wall…

https://tisquirrel.files.wordpress.com/2015/06/anti-copy-4.png

Do both sides of the wall look the same?

Page 13: Solving CI Operational Challenges

https://commons.wikimedia.org/wiki/Cloud#/media/File:Sc_2.jpg

Page 14: Solving CI Operational Challenges

Provision, secure, and run any infrastructure for any application


Page 15: Solving CI Operational Challenges

VAULT

• Privilege Access Management: Provide Secret Governance

• Encryption as a service: Securely Store Any Secret

• Secrets Management: Eliminate Secret Sprawl

Page 16: Solving CI Operational Challenges

NOMAD

• Service & System | Long running

• Dispatch Workloads | Short-lived, elastic

• Batch Workloads | Big Data

• High-Availability, Hybrid Cloud

• Efficient Resource Utilization

• High Performance

Page 17: Solving CI Operational Challenges

CONSUL

• Orchestration: Event driven orchestration

• Runtime Configuration: Dynamic configuration at scale

• Service Discovery: Services can find other services

Page 18: Solving CI Operational Challenges

Operational Patterns

• Vault as centralised secret store

• Sign and verify artefacts with Vault

• Encrypt and decrypt payloads with Vault

• Nomad as a consistent way of scheduling tasks across multiple datacenters, with diverse infrastructure

• Service Discovery with Consul

Page 19: Solving CI Operational Challenges

Q / A

github.com/ncorrare for examples

THANKS!