TAP 1.6 – GitOps RI With Hashicorp Vault

In TAP 1.5, a new installation model was introduced based on a GitOps model, utilizing the Carvel toolset under the hood, to power it all. With TAP 1.6, beyond overall bug fixes, and nice changes to the overall UX of the GitOps Installation method, a really key feature that has been added, is the integration with Hashicorp Vault. The GitOps installation model, requires us to use a secret management solution as some of our TAP values are indeed very sensitive and can’t simply be pushed to git. In TAP 1.5, we had 2 options. we could use Mozilla SOPs, which is the easiest method, in which we encrypt fields within a YAML file using a key pair, and then pushg the encrypted files to git. We then provide the private key to decrypt the content to the GitOps tooling in our cluster, which is responsible for decrypting the content and applying the needed configuration. The other option we had in TAP 1.5, was the use of External Secrets Operator (ESO) which is included in TAP, and configuring ESO to use AWS Secrets Manager for storing our sensitive values. In this scenario, the GitOps tooling would pull down the sensitive data from AWS Secrets Manager using ESO, and then deploy what is needed to our cluster. What’s new in TAP 1.6, is the support for my favorite, and probably the most commonly used secrets manager today in the kubernetes ecosystem which is Hashicorp Vault. This is enabled, just like the AWS Secrets Manager solution, via TAP’s ESO integration. While this may seem like a small feature, it truly is a game changer and opens up huge opportunities for customers that are either on prem, or multi cloud users, where having a cloud agnostic solution like Vault, is a much more viable solution then using a cloud specific offering. The new integration includes a set of easy preperation scripts for creating the needed roles and policies within Vault as well as on the cluster itself to enable the integration. While setting up the GitOps installation can take a bit more time then the manual installation method, and adds a level of complexity, the day2 management and benefits it provides, far outweigh the added upfront complexity, which also to be honest, is not too difficult to understand and perform. Summary This is another small enhancement in the way ESO is being integrated into TAP, and I’m truly looking forward to seeing more and more secret management capabilities and integrations in future releases!