How to deploy Vault for Kubernetes in 2022 and inject secrets

Science and technology

Subscribe to show your support! goo.gl/1Ty1Q2
Patreon 👉🏽 / marceldempers
In this video we take a look at the latest version of HashiCorp Vault running on Kubernetes 1.21.
Checkout the source code below 👇🏽 and follow along 🤓
Also if you want to support the channel further, become a member 😎
marceldempers.dev/join
Checkout "That DevOps Community" too
marceldempers.dev/community
Source Code 🧐
--------------------------------------------------------------
github.com/marcel-dempers/doc...
If you are new to Kubernetes, check out my getting started playlist on Kubernetes below :)
Kubernetes Guide for Beginners:
---------------------------------------------------
• Kubernetes development...
Kubernetes Monitoring Guide:
-----------------------------------------------
• Kubernetes Monitoring ...
Vault Guide:
--------------------------------------------------------------
• Kubernetes Secret Mana...
Like and Subscribe for more :)
Follow me on socials!
marceldempers.dev
Twitter | / marceldempers
GitHub | github.com/marcel-dempers
Facebook | thatdevopsguy
LinkedIn | / marceldempers
Instagram | / thatdevopsguy
Music:
Track: Fox Beat 2 - Jeff Kalee - Pillow Talk - Royalty Free Vlog Music [BUY=FREE] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / jeff-kalee-pillow-talk...
Track: J3bi - Fin - Smooth Cat [ prod. j3bi ] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / fin-smooth-cat-prod-j3bi
Track: Sappheiros - Affection | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / affection
Track: Reckoner - lofi hip hop chill beats for study~game~sleep | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / reckoner-lofi-hip-hop-...
Track: souKo - souKo - Parallel | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / parallel

Comments: 81

  • @joross8
    2 years ago

    Hey Marcel, great to see this this 2022 kubernetes content refresh. Looking forward to more in the near future!

  • @gen0ne
    1 month ago

    These were 30 intensive minutes with lots of concepts I need to land. TYVM!!

  • @Mano-ii4ng
    2 years ago

    As always Marcel, Big Thanks for your explanations and teaching in an understandable way. Love your content mate.

  • @paladiumification
    2 years ago

    Great content, thank you. I'm about to put Vault on production, and your video makes my job easier.

  • @buacomgiadinh1
    2 years ago

    please make videos for consul

  • @Misanthrope84
    2 years ago

    Love your content mate, always on point with the explanations and overall flow.

  • @KaustubhMaliintothewild
    1 year ago

    This is so informative! Like to see much of these videos ahead! Thanks so much! This clarifies so much!

  • @Spuny4
    2 years ago

    Thanks for sharing, we implemented Vault in our company a long time ago but so far I had no idea it has so much unused potential. Thanks for sharing this, I need to set up dynamic secure secrets injection. That is so awesome ;). Peace and please keep coming with new content.

  • @bradjwhite926
    2 years ago

    Well done on this, such great content. Would LOVE to see a demo on hashicorp consul.

  • @YuriNiitsuma
    2 years ago

    What a lecture. Congratulations!!! 👊

  • @biggianthead5339
    2 years ago

    I have been watching this channel daily now. Awesome content. Definitely, Consul series would be sweeeeeeet

  • @iuli72an1
    2 years ago

    Excellent clear explanations, wonderful docs, and videos.

  • @FabianoChagas
    2 years ago

    Excellent video as always mate. Thanks for sharing

  • @jlpcpr
    8 months ago

    Awesome playlist! Thanks for sharing your knowledge.

  • @satriasahputra741
    2 years ago

    man please do consul tutorial

  • @farzadmf
    2 years ago

    Great video (as always)! And I'd definitely like to see a Consul guide.

  • @helloworld9730
    2 years ago

    As you asked for feedback, I'm interested in Terraform-sync for Consul. I also enjoy an architecture breakdown, a visual whiteboard or something like that. Thanks for the content!

  • @Naren061982
    2 years ago

    The content is really awesome. Great learning for me. I would definitely look forward to a Consul video.

  • @nawTeTb
    2 years ago

    Great job! Very interesting and useful.

  • @maikfischer7407
    2 years ago

    Like your videos about the DevOps stuff! :) Greetz from Germany

  • @neverping
    2 years ago

    This is beautiful!!!! All I need to know in a video!

  • @saadullahkhanwarsi5853
    9 months ago

    love your content.

  • @bachiradjouati1632
    3 months ago

    Great video, thank you

  • @shams16780
    1 year ago

    Excellent man, Working good 👌

  • @happpyfarm
    1 year ago

    Great guide for me, it is so interesting and I learned some real-world tips for this stuff.

  • @buacomgiadinh1
    2 years ago

    awesome vault video

  • @SamsungGalaxy-tu2ne
    9 months ago

    Great content, ❤

  • @illiakailli
    2 years ago

    Thanks for great content! One thing that may be missing is information about the motivation for all these dances with vaults, encryption, sealing/unsealing. At first glance it seems like over-engineering, as I'm pretty sure that in most environments you may not need such an involved procedure and levels of security. Let's take the simplest case of secrets management: storing them in a private GitLab repo as plain text in a YAML manifest. What kind of vulnerabilities does this approach have? How severe are those vulnerabilities? How likely is it that those vulnerabilities may be exploited? I think it is also important to point out that HashiCorp or other providers may be interested in steering people towards higher levels of security, but there has to be some healthy scepticism to counteract that; as you said in your channel start video: software is complex, so we need to keep it simple.

  • @DaniilHarik
    2 years ago

    Dude you Rock!

  • @Lucard4433
    11 months ago

    Did you end up making the Helm Consul guide? That would be helpful. Thanks for the video.

  • @faridakbarov4532
    2 years ago

    Supeeerr great tutorial

  • @oOtrilloXtremeOo
    2 years ago

    Consul is extremely powerful for multi-cluster and even multi-cloud! I would be very interested in those topics.

  • @specterSAN
    2 years ago

    would love to see a Vault CSI tutorial

  • @fahadnaif2170
    5 months ago

    This is the result when the Hulk becomes a DevOps engineer. :) LOL

  • @newbaal50
    2 years ago

    Hello, amazing video. I did it and it works fine. I have a question about whether it could be possible to generate environment variables from secrets inside the pod. I tested some ways to do it but it didn't work, because the session that starts with the variables is a different one from the running application; it's hard to explain, but it's not working. Did you experience something like that? Thanks.

  • @gen0ne
    1 month ago

    I wonder if the deployment would be much different if Vault ran outside the K8s cluster in a dedicated VM.

  • @kevinfernandes4097
    2 years ago

    Nicely explained. I want the process of auto-unsealing, in case the K8s cluster restarts. What are the possible ways of auto-unsealing Vault?

  • @anthonyrussano
    2 years ago

    Yes to the Consul guide please.

  • @PankajPandey-pw4wp
    1 year ago

    Thanks for the video. Can we have a video on unsealing the vault automatically in case of a vault pod restart? As of now we need to unseal pods manually.

  • @khoale8688
    1 year ago

    Great video. I have a question: how could I automatically delete the secrets file (vault/secret/etc.) stored in Kubernetes after the pod is up and running?

  • @dynamitebsb4520
    1 year ago

    Did you create the certificates needed inside a new folder vault/userconfig in root?

  • @Skywalker793
    11 months ago

    Thanks for the video! But a question. Here, you demonstrated how to inject the secret from Vault into the pod, but you didn't explain how the pod or the application can use the secret. Most applications run with ENV variables. The question is simple: how to inject those secrets from /vault/secret/ into the env variables in the pod? There is a trick to do this through the deployment manifest with a command instruction: command: ['/bin/sh', '-c', 'source /vault/secrets/config; ''] But from my point of view, it is ugly to do it this way. Do you have any suggestion, or maybe cover this part in your next video please? tyy!
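    The pattern asked about above, written out as an added example (it is not from the video or its repository, and the namespace, ServiceAccount/role name "basic-secret", KV path "secret/basic-secret", key names and image are assumptions). The Vault Agent injector renders the KV secret as a file of `export` lines and the container entrypoint sources it before exec'ing the real process, so the application sees ordinary environment variables.

```yaml
# Added example, not the video's own manifest. Assumed names: namespace
# "example-app", ServiceAccount and Vault role "basic-secret", KV v1 secret
# "secret/basic-secret" with keys "username" and "password", placeholder image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: basic-secret
  namespace: example-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: basic-secret
  template:
    metadata:
      labels:
        app: basic-secret
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Role in Vault's kubernetes auth method, bound to this SA and namespace.
        vault.hashicorp.com/role: "basic-secret"
        # Renders to /vault/secrets/config (the suffix after "secret-" is the file name).
        vault.hashicorp.com/agent-inject-secret-config: "secret/basic-secret"
        # KV v1: fields sit directly under .Data. On a mount enabled with
        # -version=2 the path is "secret/data/basic-secret" and the fields are
        # under .Data.data, which is why a v1-style template stops working there.
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/basic-secret" -}}
          export DB_USERNAME='{{ .Data.username }}'
          export DB_PASSWORD='{{ .Data.password }}'
          {{- end }}
        # Default mode is 0644; 0640 keeps other users in the pod from reading it.
        # The app must then run as the agent's user or share its group (gid 1000
        # by default) to read the file.
        vault.hashicorp.com/agent-inject-perms-config: "0640"
    spec:
      serviceAccountName: basic-secret
      containers:
        - name: app
          image: nginx:1.25   # placeholder; any image with /bin/sh works
          # "." is the POSIX form of "source"; "exec" keeps the app as PID 1
          # so it receives SIGTERM on rollout instead of the wrapper shell.
          command: ["/bin/sh", "-c"]
          args:
            - ". /vault/secrets/config && exec nginx -g 'daemon off;'"
```

    Two caveats a practitioner should keep in mind. The rendered file is plaintext inside the pod by design (the secrets volume is an in-memory volume, not the node disk), so anyone granted pods/exec in that namespace can read it; the control is Kubernetes RBAC on exec and on the namespace, not masking the value. And because the environment is captured when the shell sources the file, a rotated value that the agent re-renders is only picked up after a restart, for example `kubectl rollout restart deployment/basic-secret`, or by having the agent signal the process via the injector's agent-inject-command annotation.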

  • @cryptit4959
    1 year ago

    Hi Marcel. I tried your tutorial in an OpenShift cluster. My vault pods don't get created because of the "tls-server" and "tls-ca" information. What is the purpose of these certificates within Vault? Thanks

  • @StatelessMachine
    2 years ago

    Thanks for the update to your Vault series. Can you share pointers to steps for automating the Vault Unseal process? Also would like to learn more about vault + cert-manager integration.

  • @MarcelDempers
    2 years ago

    I would start with the official docs learn.hashicorp.com/collections/vault/auto-unseal

  • @mishagundiary
    1 month ago

    Make a video on auto-unsealing a Vault cluster via a second (central) cluster with the transit engine enabled and with self-signed certs.

  • @Fayaz-Rehman
    2 years ago

    Thank you veeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeery much..

  • @mohamedelmehdielberiri
    2 months ago

    Hello Marcel, I'm a bit confused by the tls.crt file you added in extra environment: how did you generate it and where is it used? I checked the repo and I didn't find the userconfig; I don't know if I missed something, please help.

  • @Youdude2
    2 years ago

    Can I use Vault to encrypt Helm values?

  • @carinaconstantinova4734
    1 year ago

    Marcel, wouldn't it be perfect if you showed how to automatically unseal Vault with AWS KMS?

  • @ajadavis2000
    2 years ago

    Do you do any private tutoring?

  • @lightman8527
    2 years ago

    Hey, I couldn't find anywhere that k8s 1.22 wasn't supported by Vault. I just tried it out with the 1.22.4 kind image, and it works as expected. Consul version 0.40, and the same 0.19 Vault version of the Helm chart. I was able to attach the sidecar and mount the basic secret on the pod. Maybe I am missing something? Let me know your thoughts.

  • @MarcelDempers
    2 years ago

    You're right. During creation of this guide (which took a long time) 0.19.0 was released, so the tutorial started at a lower version. admissionregistration.k8s.io/v1beta was used by the injector at the time, which is deprecated by K8s 1.22. It seems like 0.19.0 supports v1, so you're right, it's good to go 💪🏽

  • @DerJoe92
    9 months ago

    Excellent video, but the main thing I learned from it is that the world desperately needs an official Vault operator 🤯

  • @QuangPham-bc7lc
    3 months ago

    How about secret env variables?

  • @Anand-ke3kq
    4 months ago

    Is it possible to automate the unsealing process of Vault, in standalone or cluster mode? If not, is it for security purposes? Thanks in advance!!

  • @MarcelDempers
    4 months ago

    There are automated unseal processes available; I believe they are specific to certain cloud providers.
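    For the auto-unseal questions above, here is what the cloud-provider option looks like in the Helm chart this video installs, as an added example that is not from the video or its repository. It switches the server from Shamir unseal keys to AWS KMS auto-unseal; the region, the KMS key alias "alias/vault-unseal", the TLS file paths under /vault/userconfig and the use of the standalone mode are assumptions.

```yaml
# Added example, not the video's own values file. Assumptions: region
# us-east-1, a KMS key aliased "alias/vault-unseal", and a pod identity (IRSA
# or the node role) allowed kms:Encrypt, kms:Decrypt and kms:DescribeKey on
# that key. TLS paths mirror the tls-server secret mounted under
# /vault/userconfig in the tutorial but are assumed here.
server:
  extraEnvironmentVars:
    AWS_REGION: us-east-1
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file   = "/vault/userconfig/tls-server/tls.crt"
        tls_key_file    = "/vault/userconfig/tls-server/tls.key"
      }
      storage "file" {
        path = "/vault/data"
      }
      # With a seal stanza Vault unseals itself on start by asking KMS to
      # decrypt the stored master key; no operator enters key shares.
      seal "awskms" {
        region     = "us-east-1"
        kms_key_id = "alias/vault-unseal"
      }
```

    Two things to check before relying on it. `vault operator init` still has to be run once; with a KMS seal it prints recovery keys instead of unseal keys, and those (plus the root token) still need offline safekeeping. And the KMS key policy becomes the effective root of trust for every secret in Vault: whoever can call Decrypt on that key can unseal a copy of the storage backend, so restrict the key to the Vault pod's identity and alert on any other principal using it. An already-initialised Shamir-sealed server is moved to this seal by restarting it with the stanza and running `vault operator unseal -migrate` with the old key shares, rather than by re-initialising.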

  • @balajilucky1851
    2 years ago

    Consul guide please

  • @dillonhansen71
    2 years ago

    When do you launch your fitness channel? XD

  • @MarcelDempers
    2 years ago

    That FitOps Guy 💪🏽

  • @matthiashaase7104
    1 year ago

    Thx a lot :) With -version=1 as shown, all OK. :) It does not work with: vault secrets enable -version=2 -path=secret/ kv. Do you know why?

  • @zaibakhanum203
    2 years ago

    Sir, I have one doubt. If I have 10 microservices, for all the microservices I have to write a Dockerfile and YAML manifest, right? Also, do I need to keep them in a single GitHub repo so that Jenkins can clone it, or will there be a separate repo for each microservice? Then how will Jenkins build 10 different microservices? I would be grateful if you could clear this up for me.

  • @MarcelDempers
    2 years ago

    I would keep Dockerfiles with each service's source code and each service in its own repo. That way services are independent and self-contained. Regarding the YAML, every service should have its own YAML. How you store the YAML is up to you. Method 1) Many store the YAML for each service in the repo of that service. The pipeline takes the source code, builds the Dockerfile and uses the YAML to deploy. Method 2) Other companies store the YAML in a monorepo. Many GitOps concepts like ArgoCD use this method. A service pipeline would clone the service repo, build the Dockerfile, push it, then perform a git commit to the monorepo to change the docker image name in the YAML, which would trigger ArgoCD to run. This is called GitOps.

  • @zaibakhanum203
    2 years ago

    Thank you so much sir, appreciate your response, means a lot.

  • @zaibakhanum203
    2 years ago

    Sir, can you suggest the best Kubernetes CI/CD pipeline for production with Helm, please?

  • @sanchayana2007
    1 year ago

    Content rockstar, power-packed content

  • @MoLt1eS
    2 years ago

    I'm trying to figure out the next step: if I change the password in Vault, how will the pods react to this change? I know that by definition they will not update, but there should be something we could do to support key rotation on pods that require the secrets in Vault to be updated.

  • @MarcelDempers
    2 years ago

    If you change the password in Vault and have secret injection enabled, the passwords will rotate in the pods automatically. This depends more on how your pods consume them. Most apps need to restart in order to consume new passwords unless you write code to do file watching and hot reloading. Also it depends what the password is used for. E.g. with an S3 bucket, you could add a new key with overlap of the old so it gives your pods a chance to consume the new key with older pods still using the old key while your rolling restart is happening. This gives you the capability to rotate keys without downtime.

  • @MoLt1eS
    2 years ago

    @MarcelDempers that helps me so much to understand how I can roll out without shutting down all pods. Thanks a ton for the tip!

  • @OmgItsParidin
    2 years ago

    Thanks for sharing. I followed your guide, but I'm stuck adding a Traefik IngressRoute; the vault pods return `HTTP: TLS handshake error from internal_ip:51142: remote error: tls: bad certificate`. I guess it is because of the mismatch between Traefik and the self-signed cert (cfssl). Could you give me a hint on combining Vault + Traefik?

  • @MarcelDempers
    2 years ago

    It's likely the self-signed cert. The self-signed cert is trusted by Kubernetes because we made it aware of the CA. Your public traffic has SSL from the public side to Traefik, which offloads SSL and creates a TLS connection to the upstream (Vault), which fails. You may need to check if you can configure a CA in Traefik so it can trust your self-signed certificate for Vault.

  • @royboivin
    2 years ago

    I'm confused as to why you did all the work in a container, like installing Helm in a container with kubectl. You obviously had kubectl installed and working from your desktop system, so why not just install Helm on your desktop and do everything from there? This would reduce the complexity and the need to mount your desktop into multiple containers. Or use something like Kubeapps to do the deployment.

  • @openyard
    2 years ago

    Please don't cut out the silent bits from your videos. It makes the narration sound unnatural.

  • @amonaurel3954
    1 year ago

    Thank you for the great tutorial! Albeit I get an error when deploying the example-app: "Error creating: pods "basic-secret-6b7587b7fd-" is forbidden: error looking up service account vault-example-app/basic-secret: serviceaccount "basic-secret" not found", but the serviceaccount "basic-secret" does exist in the namespace vault-example-app.

  • @chendon5479
    1 year ago

    Hi, your last command, kubectl -n example-app exec basic-secret-xxx -- sh -c "cat /vault/secret/helloworld", shows the plaintext password. Can you avoid this? Like just showing "password": *******; an ops person who logs in to that pod should not be able to view the plaintext password.

  • @sahilbaranwal3598
    1 year ago

    Hello, I have unsealed it but it is still restarting and becoming sealed again. Could you suggest where I am going wrong?
